While Trickbot has historically targeted the financial industry, it has now expanded its targeting of other industries via its account-checking activities, according to fresh analysis.
These kinds of attacks occur when threat actors use credentials stolen from past database breaches or compromises to gain unauthorized access to other accounts belonging to the same victims. However, the process of mining compromised data for correct username and password combinations requires significant computer processing power and proxy pool lists to be successful—a capability that is now exhibited by the Trickbot gang.
“Considered to be the successor of the formidable Dyre banking trojan gang, the Trickbot banking trojan gang continues to evolve by adopting new attack methods and targeting various industries,” said Vitali Kremez, researcher at Flashpoint, in a blog. “The gang account-checking operation requires a steady stream of new and ‘clean’ proxies to make sure their activities wouldn’t get automatically blocked by companies’ automatic IP origin anti-fraud systems. Therefore, their existing infections are turned into account-checking proxies.”
Flashpoint noted that Trickbot’s new trick is being perpetrated through the backconnect SOCKS5 module, enlisting victims as proxies. From Aug. 17 to the present, analysts at the firm have observed close to 6,000 unique compromised machines associated with Trickbot SOCKS5 proxy module activities. Of these machines, more than 200 of them were actively enlisted for account-checking fraud activities at any one time.
“The Trickbot gang continues to search for ways to monetize infections by adopting a hybrid attack model, which utilizes both Trickbot modular payloads and knowledgeable fraud operators, along with account-checking activity; such attacks are a combination of malware expertise and knowledgeable human operators,” Kremez said.