Categories: SecurityWorkspace

US CISA, FBI Warn Of Trickbot Phishing Campaign

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are warning of a “sophisticated” phishing campaign that aims to install the the dangerous Trickbot malware on targets’ systems.

The campaign, largely affecting North American organisations, makes use of tailored emails that claim to contain proof of a traffic violation, the agencies said.

Trickbot, first identified in 2016, is one of the most widespread and versatile malware tools, and is capable of being tailored for a wide variety of uses, including password and data theft.

The Windows malware started off as a banking Trojan used to steal financial data, but has evolved into a highly modular, multi-stage form that is capable of installing further malware on a user’s system.

Tailored emails

“A sophisticated group of cybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download Trickbot,” CISA said in the advisory.

The agency recommended measures including blocking suspicious IP addresses, using antivirus software and providing training on social engineering and phishing to employees.

Phishing involves the use of scam emails to trick a user into installing malware.

The people behind the current campaign are carrying out a spearphishing campaign, meaning the emails are tailored for particular targets, making them more dangerous, CISA said.

The emails contain a link to alleged proof of a traffic violation, which takes the user to website hosted on a compromised server.

This site prompts the user to click on photo proof of their supposed violation, and in clicking on the photo the target unknowingly downloads a malicious JavaScript file.


This communicates with the attacker’s command server to download Trickbot onto the system, CISA said.

Some of Trickbot’s most common operations are to steal login credentials, via a browser attack, with some variants able to spread across a network using the SMB protocol.

The malware can be used to gather information to support further targeting, for data theft or even for carrying out clandestine cryptocurrency mining.

Trickbot also be used to drop other malicious code, such as Ryuk or Conti ransomware, or to download a malware strain called Emotet, thought to be operated by a Russian crime organisation.

Emotet is best known for turning infected systems into parts of a botnet, but the system’s operations were disrupted in January through a coordinated international police operation.

Trickbot was also targeted by a Microsoft-led operation in October of last year that targeted its infrastructure, but researchers said the malware reappeared within weeks and has been active ever since.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

BT Eagle-i Seeks To Predict, Prevent Cyberattacks

Proactive security approach. New security platform from BT Security, dubbed 'Eagle-i', seeks to predict and…

2 days ago

Apple Risks South Korean Clash After Investigation Warning

South Korean government official warns of possible investigation into Apple's compliance with new App Store…

2 days ago

Moscow Metro Facial Recognition System For Speedy Payments

Privacy concern. Moscow's Metro system has launched 'Face Pay', a mass facial recognition system for…

2 days ago

US Army Delays $22 Billion Microsoft Augmented Reality Headsets

United States Army pushes back deployment date of Microsoft's augmented reality headsets, but insists it…

3 days ago

TSMC Confirms Chip Plant For Japan

Taiwanese chip giant TSMC confirms it will build a chip factory in Japan, that will…

3 days ago

GitLab Raises $800m In Successful Initial Public Offering

After a successful public debut that raised hundreds of millions of dollars, coding platform GitLab…

3 days ago