2021 will be a challenging year for security professionals. The fallout from the SUNBURST attack and the SolarWinds hack is yet to be fully understood, and we all remain in an elevated state of awareness and concern.
Our Threat Labs team constantly looks for new and emerging threats by analyzing security events and over 40 million sessions a day on our isolation-powered cloud security platform, and recently observed the re-emergence of a previously known threat, commonly known as Trickbot.
Trickbot is a prolific malware family that has persisted over the years. In 2020 it was largely responsible for distributing ransomware and was the most popular malware operation to use COVID-19 lures. It was so prolific that in Oct 2020, Microsoft, along with its partners, obtained a court order to disrupt and take down the infamous Trickbot. It did so by bringing down the infrastructure the attackers used to distribute the malware and send commands to infected endpoints.
In this blog, we detail our analysis of a campaign that shows how Trickbot infections might be back and active. In the most recent campaign we observed across our global Menlo Security cloud platform, we noticed the attackers used an interesting lure to get users to click and install the Trickbot malware on the endpoint.
This ongoing campaign that we identified exclusively targeted the legal and insurance verticals in North America. The initial vector appears to be an email that includes a link to a URL. While in the past Trickbot has used weaponized documents, the infection mechanism detailed in this campaign seems to be a new modus operandi for this group.
Once the user clicks the initial URL in the email, the user is redirected to a compromised server that coaxes the user into downloading a malicious payload. The figure below shows the redirection chain.
The final page that the user lands on looks like the screenshot below. The Trickbot attackers try to scare the user into downloading a malicious payload by using the lure of a traffic infringement.
Both the initial URL from which the malware is downloaded and the command-and-control (CnC) server that it connects to are tagged as Trickbot on URLHaus, a popular threat feed.
At the time of writing this blog, some of the URLs identified in this Trickbot campaign have very little to no detection on VirusTotal (VT).
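As an added example (not code from the original post), the following Python reconstructs the kind of redirect chain described above from proxy-log events and flags chains that end in a file download. The log lines, users and hostnames are constructed placeholders, not indicators from the campaign.

```python
"""Reconstruct per-user HTTP redirect chains from proxy events and flag chains
that end in a payload download (email link -> redirect -> lure page -> file)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class ProxyEvent:
    ts: int                  # seconds since some epoch (constructed)
    user: str
    url: str
    status: int
    location: Optional[str]  # Location header on 3xx responses, else None
    content_type: str
    referer: Optional[str]


# Constructed sample log; hostnames are placeholders, not real indicators.
SAMPLE = [
    ProxyEvent(100, "alice", "http://mail-link.example/track?id=1", 302,
               "http://compromised.example/notice", "text/html", None),
    ProxyEvent(101, "alice", "http://compromised.example/notice", 200,
               None, "text/html", "http://mail-link.example/track?id=1"),
    ProxyEvent(105, "alice", "http://compromised.example/TrafficInfringement.zip", 200,
               None, "application/zip", "http://compromised.example/notice"),
    ProxyEvent(200, "bob", "http://news.example/article", 200, None, "text/html", None),
]

# Content types a proxy would typically see for a dropped archive or executable.
DOWNLOAD_TYPES = {"application/zip", "application/octet-stream",
                  "application/x-msdownload", "application/x-dosexec"}


def build_chains(events: List[ProxyEvent]) -> List[List[ProxyEvent]]:
    """Link each event to an earlier one from the same user when the earlier
    response redirected to it (Location) or it names the earlier URL as Referer."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        chains = by_user.setdefault(ev.user, [])
        for chain in chains:
            last = chain[-1]
            if last.location == ev.url or (ev.referer is not None and ev.referer == last.url):
                chain.append(ev)
                break
        else:
            chains.append([ev])  # no predecessor: start a new chain
    return [c for chains in by_user.values() for c in chains]


def flag_payload_chains(events: List[ProxyEvent], min_hops: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (user, [host per hop]) for chains of at least min_hops that end in a download."""
    hits = []
    for chain in build_chains(events):
        if len(chain) >= min_hops and chain[-1].content_type in DOWNLOAD_TYPES:
            hits.append((chain[0].user, [urlsplit(e.url).hostname for e in chain]))
    return hits
```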
Where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot’s operations. While Microsoft and its partners’ actions were commendable and Trickbot activity has slowed to a trickle, the threat actors seem motivated enough to restore operations and cash in on the current threat environment.
Vinay Pidathala on Jan 29, 2021