TrickBot malware learns to spam and trap 250 million email addresses – TechCrunch




Old bot, new tricks.

TrickBot, a widely used financially motivated malware, infects victims' computers to steal email passwords and address books, then uses the compromised email accounts to send further malicious emails.

The TrickBot malware was first detected in 2016, but has since developed new capabilities and techniques to spread and infect computers in order to capture passwords and credentials, potentially to steal money. It is highly adaptable and modular, allowing its creators to add new components. In recent months it has adapted to the tax season, attempting to steal tax documents for use in fraud. More recently, the malware has gained cookie-theft capabilities, allowing attackers to log in as their victims without needing their passwords.

With its new spam capability, the malware component (which the researchers call "TrickBooster") sends malicious messages from the victim's account, then deletes the sent messages from the Outbox and Sent Items folders to avoid detection.

Researchers at the cybersecurity company Deep Instinct, who found the servers running the malware's spamming campaign, say they have evidence that the malware has collected more than 250 million email addresses so far. In addition to huge numbers of Gmail, Yahoo and Hotmail accounts, the researchers say that several US government departments and other governments, including the UK and Canada, had email addresses and credentials collected by the malware.

"According to the organizations involved, it makes sense to expand as widely as possible and collect as much email as possible," Guy Caspi, chief executive of Deep Instinct, told TechCrunch. "If I were to land at an end of the US State Department, I would try to dismiss as much as possible and collect any address or any possible title."

If a victim's computer is already infected with TrickBot, it can download the TrickBooster component, which is signed with a certificate. TrickBooster sends the victim's email addresses and address books to the main server, then starts sending spam from the victim's computer.

The malware uses fraudulently obtained certificates to sign the component in order to evade detection, Caspi said. Many of the certificates were issued in the names of legitimate businesses that have no need to sign code, such as heating or plumbing companies, he said.

The researchers discovered TrickBooster on June 25 and reported the certificates to the issuing certificate authorities a week later. The authorities revoked the certificates, making it harder for the malware to operate.

After identifying the command-and-control servers, the researchers obtained and downloaded the cache of 250 million email addresses. Caspi said the server was not password-protected but was "difficult to access and communicate with" due to connectivity issues.

The researchers described TrickBooster as "a powerful addition to TrickBot's vast arsenal of tools", given its ability to operate stealthily and evade detection by most anti-malware vendors' products, they said.
