TrickBot Phishing Campaigns Disrupted by Infrastructure Takedown

The TrickBot Trojan, one of the biggest malware threats to appear in recent years, has had its backend infrastructure taken down by a coalition of tech firms.

TrickBot started life in 2016 as a banking Trojan used to target Windows devices, but the malware has received many updates over the years and has had many new modules added to give it a much wider range of capabilities. TrickBot targets hundreds of different banks and also steals credentials and Bitcoin wallets. In recent years, the operators have teamed up with several different criminal organizations and have used the Trojan to deliver keyloggers, cryptominers, information stealers and ransomware variants such as Ryuk and Conti. TrickBot can now perform a huge range of malicious actions via many different plugins, and in January and February 2020 it was targeting more than 600 websites via a webinject module, most of which were financial institutions.

The Trojan achieves persistence on infected devices and adds them to a botnet, which has grown into one of the largest in operation. The operators of the Trojan are also known to use the EternalBlue exploit to move around infected networks and spread the Trojan to other devices on the network. This can make removal of the Trojan difficult, as once it is removed from a device, other infected devices on the network simply reinfect it when it is reconnected.

TrickBot is primarily spread via phishing emails carrying malicious macros, but other malware-as-a-service operations, such as Emotet, also deliver TrickBot. TrickBot has typically used lures aimed at business users, such as shipment receipts, receipt reminders, required declarations, delivery notifications, and other logistics themes, delivered as Word and Excel attachments and Java Network Launch Protocol (.jnlp) attachments, as well as malicious hyperlinks embedded in emails. In 2020, a large-scale campaign was conducted using coronavirus and COVID-19 themed lures, one of which spoofed humanitarian groups and claimed to offer free COVID-19 tests.

Those emails were sent by a diverse range of compromised email accounts and marketing platforms, with the threat group also using domains with their own mail servers to distribute the malware. There has been growing concern that the botnet could also be used in campaigns to disrupt the upcoming November 3, 2020 U.S. presidential election.

TrickBot is stealthy and uses a variety of mechanisms to evade detection by security solutions, including password-protected zip files, delayed downloads of the Trojan when macros are run, heavily obfuscated loaders, encryption of configuration files, and a complex command and control infrastructure. The latter has now been untangled and its backend infrastructure has been taken down.

Several tech firms including Microsoft, ESET, Black Lotus Labs, and NTT have been working together for months to try to disrupt the TrickBot operation. More than 125,000 samples of the TrickBot Trojan were analyzed along with over 40,000 configuration files used by various TrickBot modules. After several months of painstaking work, the command and control servers used by the botnet were identified and its network infrastructure was mapped. Armed with the IP addresses, Microsoft obtained a court order and seized control of the server infrastructure used to distribute and communicate with the malware and its various modules. The IP addresses associated with the malware have now been disabled.

When the takedown occurred, more than 1 million devices had been infected with the malware and were part of its botnet. The takedown is great news, as one more malware threat – and a major one at that – has been taken out of action, at least temporarily. Efforts are now underway by ISPs to contact victims to ensure the Trojan is removed from their systems.

UK Businesses Targeted in HMRC Phishing Scam

Businesses in the United Kingdom are being targeted by scammers impersonating Her Majesty’s Revenue and Customs (HMRC). Several campaigns have been identified over the past few weeks that take advantage of the measures put in place by the UK government to help businesses through the COVID-19 pandemic and the forced lockdowns that have prevented businesses from operating or have forced them to massively scale back operations.

The HMRC scams have been numerous and diverse, targeting businesses, the self-employed, furloughed workers and others via email, telephone, and SMS messages. Some of the scams involve threats of arrest and jail time due to the underpayment of tax, demanding payment over the phone to avoid court action or arrest.

One scam targeted clients of Nucleus Financial Services and used a genuine communication from the firm as a template. The genuine email appears to have been obtained from a third-party hacked email account. The email advised recipients that they were due a tax refund from HMRC. A link is supplied in the email that the recipient is required to click to receive their refund. To claim the refund, the user must enter sensitive information into the website, which is captured by the scammers.

Another campaign has been identified that spoofs HMRC and similarly seeks sensitive information such as bank account and email credentials. In response to the COVID-19 pandemic, the UK government launched a scheme to help businesses by allowing them to defer VAT payments due between March and June 2020 until June 2021, to ease the financial burden of the nationwide lockdown. Many businesses took advantage of the scheme and applied to have their Value Added Tax (VAT) payments deferred.

The campaign uses emails that spoof HMRC and inform businesses that their application to have their VAT payments deferred has been rejected as the company is in arrears. The emails include an attachment with further information and a report on their application. The document is password protected and the password is supplied in the email to allow the file to be opened.

The email also supplies a hyperlink that the recipient is told to click, which directs the user to a website where they are asked to enter sensitive information such as their bank account details and their email address and password, all of which is captured by the scammers.
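The password-protected attachment with its password quoted in the message body appears both in the TrickBot evasion list above and in this HMRC lure. The following detection heuristic is an added example written for this article, not code from TitanHQ or from any vendor product: it parses a constructed message, checks whether a zip attachment has its encryption flag set (bit 0 of the general-purpose flag in each local file header) and whether the body quotes a password, and flags the combination. The sender addresses, subject and password are all constructed sample values.

```python
import io
import re
import struct
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Matches "password is Tax2020", "password: Tax2020" and similar body phrasings.
PASSWORD_HINT = re.compile(r"\bpassword\b[^\n]{0,40}?[:\s]+([A-Za-z0-9!@#$%^&*]{4,})",
                           re.IGNORECASE)

def zip_has_encrypted_entries(data: bytes) -> bool:
    """Walk the local file headers (PK\\x03\\x04); bit 0 of the general-purpose
    flag word at offset 6 marks an encrypted (password-protected) entry."""
    pos = data.find(b"PK\x03\x04")
    while pos >= 0 and pos + 8 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x1:
            return True
        pos = data.find(b"PK\x03\x04", pos + 4)
    return False

def analyze(raw: bytes) -> dict:
    """Flag a message that carries an encrypted zip AND quotes the password in its body."""
    msg = message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    encrypted = False
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04") and zip_has_encrypted_entries(payload):
            encrypted = True
    hint = PASSWORD_HINT.search(text)
    password = hint.group(1) if hint else None
    return {"encrypted_attachment": encrypted,
            "password_in_body": password,
            "suspicious": encrypted and password is not None}

def build_sample_email(encrypted: bool) -> bytes:
    """Constructed sample: a 'VAT deferral rejected' lure with a zip attachment.
    zipfile cannot write encrypted archives, so the encryption bit in the first
    local header (byte 6) is set by hand to mimic a password-protected file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VAT_Deferral_Report.doc", b"placeholder, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1
    msg = EmailMessage()
    msg["From"] = "noreply@hmrc-refunds.example"   # constructed, not a real sender
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Your VAT deferral application has been rejected"
    msg.set_content("Your application to defer VAT was rejected as the company is in arrears.\n"
                    "The attached report is protected; the password is Tax2020.\n")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="VAT_report.zip")
    return bytes(msg)

if __name__ == "__main__":
    print(analyze(build_sample_email(True)))
    print(analyze(build_sample_email(False)))
```

A mail gateway would typically quarantine or sandbox such a message rather than deliver it, since the archive cannot be scanned without the password that the lure itself supplies.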

COVID-19 has presented scammers with a host of new opportunities to fool businesses into disclosing sensitive information. Many of the lures used in the emails, calls, and text messages are credible, the messages are well written, and the scammers have gone to lengths to make their phishing websites look like the entities they spoof.

Businesses should be on high alert and be particularly vigilant for phishing scams. They should advise their employees to take extra care with any request that requires the disclosure of sensitive information.

Technical controls should also be considered to block phishing emails at source and prevent visits to malicious websites. That is an area where TitanHQ can help. TitanHQ offers two anti-phishing solutions for businesses and MSPs to help them block phishing attacks: SpamTitan and WebTitan.

SpamTitan is a powerful email security solution that blocks phishing emails at source, preventing malicious messages from reaching inboxes. WebTitan is a DNS filtering solution that is used to control the websites that can be accessed over wired and wireless networks, blocking access to web pages that are used for phishing and malware delivery.

Both solutions are available on a free trial to allow you to evaluate their effectiveness before deciding on a purchase. Further information on the solutions, their benefits, and pricing can be obtained by calling the TitanHQ team.

Security Awareness Training Company Spoofed in Novel Phishing Campaign

Phishers are constantly devising new ways to trick employees into divulging their credentials. Realistic emails are sent using a variety of ruses to get employees to click on a malicious link, which often aims to obtain Microsoft Office 365 credentials. Office 365 accounts often contain a range of sensitive data, which can be stolen and used for many nefarious purposes.

Recently, a new campaign has been identified targeting businesses that attempts to obtain Microsoft Outlook credentials. The campaign spoofs KnowBe4, a company specializing in security awareness training for employees – training that helps businesses teach their employees how to recognize a phishing email.

The emails alert the recipient about the impending expiration of a security awareness training module. The recipient is told they only have 24 hours remaining to complete the training. Three links are supplied in the email that appear, at face value, to link to the genuine KnowBe4 website; however, they direct the user to a phishing page on a compromised website where Outlook credentials and personal information are harvested, via a realistic login page for the Outlook Web App.

Instructions are provided for accessing the training outside of the network, with the user instructed to enter their username and password before clicking the sign in button. Doing so, it is claimed, will direct the user to the training module. While the site to which the phishing email links is convincing, the tell-tale sign that this is a scam is the domain. Several different URLs on multiple sites have been used in this campaign, all of which are unrelated to the security awareness training provider. However, busy employees may fail to check the URL before disclosing their credentials.
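The tell-tale sign described above (link text that invokes KnowBe4 while the href points at an unrelated compromised domain) can be checked mechanically before a message is delivered. The following is an added example written for this article, not code from Cofense, KnowBe4 or TitanHQ: it collects every anchor in an HTML body and flags links whose visible text names the brand or shows a URL on its domain while the actual target resolves to a different registered domain. The brand domain set, the sample HTML and the hostname compromised-blog.example are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain(s) the message claims to come from; an assumption for this example.
BRAND_DOMAINS = {"knowbe4.com"}

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Adequate for .com; a public-suffix
    list is needed to handle suffixes such as .co.uk correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def find_mismatched_links(html: str, brand_domains=BRAND_DOMAINS) -> list:
    """Return links whose visible text invokes the brand (its name or a URL on
    its domain) while the href actually resolves to an unrelated domain."""
    collector = LinkCollector()
    collector.feed(html)
    brand_names = {d.split(".")[0] for d in brand_domains}
    findings = []
    for href, text in collector.links:
        actual = registered_domain(urlparse(href).hostname or "")
        if actual in brand_domains:
            continue                      # link really goes to the brand
        if any(name in text.lower() for name in brand_names):
            findings.append({"text": text, "href": href, "actual_domain": actual})
    return findings

# Constructed sample body modelled on the lure described above (not a real email).
SAMPLE_HTML = """
<p>Your KnowBe4 security awareness training module expires in 24 hours.</p>
<p><a href="https://www.knowbe4.com/">Sign in to KnowBe4</a></p>
<p><a href="http://compromised-blog.example/owa/">https://www.knowbe4.com/training</a></p>
<p><a href="http://compromised-blog.example/owa/">KnowBe4 Training Portal</a></p>
<p><a href="http://compromised-blog.example/owa/">Click here</a></p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"'{f['text']}' -> {f['href']} (domain {f['actual_domain']})")
```

The generic "Click here" link is deliberately not flagged by this rule; a production filter would score off-brand links separately rather than rely on a single heuristic.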

It is an interesting tactic to spoof a cybersecurity company dedicated to phishing prevention; one that may fool employees into believing the email is genuine. Any company can be spoofed in a phishing campaign. Just because the company offers services to combat phishing does not mean that the email should not be subjected to the usual checks to verify its validity, which is something that should be emphasized in employee security awareness training sessions.

According to Cofense, which analyzed the websites, the compromised sites had recently hosted a web shell that allowed the attackers to upload and edit files. The websites had been compromised since at least April 2020, unbeknownst to the site owners. The phishing kit used in this campaign has been loaded onto at least 30 different websites since the campaign commenced in mid-April.

Employees receive hundreds of emails each week and identifying every phishing email can be a difficult task, especially when many phishing emails are realistic and are very similar to genuine emails that employees receive every day. Security awareness training is important, but it is also essential to implement an advanced spam filtering solution that is capable of blocking virtually all (in excess of 99.9%) malicious emails.

With an advanced spam filtering solution in place – such as SpamTitan – these emails can be blocked at source and will not be delivered to end users’ inboxes, negating the threat.

Webinar Sept 22, 2020 – How to Ensure Business Continuity with Email Archiving for your Remote Workforce

Businesses had to suddenly adapt to a new way of working in 2020 due to COVID-19 and the countrywide lockdowns. In order to keep businesses running, many switched to remote working and allowed their employees to work from home. Even though employees are being encouraged to work from the office once again, many businesses have accepted that remote working, at least to some extent, is now here to stay.

When employees work remotely they are able to stay connected via email, instant messaging tools, and videoconferencing solutions. Many employers have even found that their employees have been more productive working from home. However, while employees are collaborating and connecting in new ways, remote working is not without its risks, and many businesses are concerned about how they can protect their data and ensure compliance in the new remote working environment.

On Tuesday, September 22, 2020, TitanHQ is hosting a webinar to discuss the threat landscape with respect to remote working and will explain how you can ensure your email archiving and security are fit for purpose to maintain access to data for business and email continuity.

During the webinar TitanHQ experts James Clayton and Derek Higgins will cover the following topics:

  • The Current 2020 Technology Landscape
  • Security & Compliance in a time of Global Remote Working
  • Increase in Companies Relying Solely on Office 365
  • Protecting Business Critical Data
  • The Importance of Continuity in the Era of Remote Working

Attendees will also be introduced to the TitanHQ cloud email archiving solution, ArcTitan, including a live demo of the solution.

Webinar Information

Title: How to Ensure Business Continuity with Email Archiving for your Remote Workforce

Date: Tuesday, September 22, 2020

Time:

  • London/Dublin: 5:00 pm (GMT +1)
  • USA: 12:00 pm ET; 9:00 am PT

Hosts:

  • James Clayton, ArcTitan Product Specialist
  • Derek Higgins, Engineering Manager, TitanHQ


Departmental Benefits of Email Archiving

An email archive is important for compliance, but there are also several departmental benefits of email archiving. The improvements in efficiency as a result of implementing an email archiving solution can deliver cost savings and ease the burden on your workforce, with the benefits felt by all employees in your organization.

Most businesses choose to implement an email archiving solution to ensure emails can be found and quickly produced in the event of HR issues, customer disputes, legal actions, and to comply with federal, state, and industry regulations.

An email archive acts as a black box flight recorder for email. All emails that need to be retained are sent to the archive for long term storage. In the event of a compliance audit or eDiscovery request, the archive can be quickly searched, and important emails can be found and exported in minutes. An email archive is also important for disaster recovery, allowing business-critical emails to be recovered in the event of corruption, deletion or a cyberattack.

Businesses that implement an email archiving solution often discover there are many other benefits that come from the secure archiving of emails in a dedicated repository, separate from the mail server.

Email Archiving Benefits for the IT Department

Some of the biggest benefits are enjoyed by the IT department. Storing the millions of emails that are sent and received by the organization, along with their attachments, can consume a lot of expensive storage space. Email archiving solutions deduplicate emails before they are sent to the archive and will only store one copy of a message. The removal of duplicates and compression of data greatly reduces storage space resulting in significant cost savings.

The IT support team will undoubtedly receive many requests from employees to recover important emails that have been misfiled or accidentally deleted. Many email archiving solutions can be configured to allow employees to access their own archives. When an email is lost, or is accidentally deleted, the employee can search their own archive for the missing email without bothering the IT department. The same is true for HR investigations, which will no longer need to involve the IT department to such a large degree.

By sending emails to the archive, they do not need to be stored locally in PST files or on the mail server. PST files are a security risk and a management headache that can be avoided. An email archive saves considerable maintenance time, and freeing up space on the mail server improves performance. In the event of a disaster, such as hardware failure or a cyberattack, emails can be quickly and easily restored from the archive, saving the IT department considerable time which can be put to much better use.

Benefits of Email Archiving for the HR and Legal Departments

When there are employee disputes, email investigations need to be conducted. Without an archive, that involves the HR department contacting the IT department to get them to find the emails that have been sent or received by a particular employee. With an archive in place, HR departments will not have to wait for a busy IT department to respond and can simply search for the emails they need themselves.

An archive will help to ensure compliance, and if an eDiscovery request is received, rather than taking hours or days to compile all the necessary email data, the eDiscovery process is quick and easy. An email archive ensures there is an immutable record of emails, which is essential in any legal action. The legal department can be 100% sure that emails will not have been accidentally deleted, and since a full audit trail is maintained, access attempts can easily be identified along with any attempted changes to email content. Email archiving can save hours of time, which can be put to more productive uses.

Benefits for All Employees

A study conducted by Adobe found that employees spend a huge amount of their time on email. In 2019, a typical employee spent around 5 hours a day checking their email accounts. Emails are often misplaced or are accidentally deleted, resulting in productivity losses. Being able to access their own archives means employees will never lose an email, as a quick search can easily be performed on the archive.

Employees can prove that they sent or did not receive an email, access to emails is much faster, inboxes are easier to clear, and searches are more efficient.

ArcTitan Cloud – Secure Email Archiving with Lightning Fast Searches

ArcTitan Cloud is a 100% cloud-based, secure email archiving service from TitanHQ. ArcTitan is fully compliant with HIPAA, SOX, GDPR, Federal Rules of Civil Procedure and other key regulations that have data retention requirements.

ArcTitan stores a copy of every message that is sent and received by your organization (subject to user-defined policies). The archive is self-maintaining and self-healing, which ensures a reliable service with minimal or no disruption during an outage. The archive is stored securely on Replicated Persistent Storage on AWS S3, and the archive is automatically backed up to prevent data loss. All data are encrypted at rest and in transit, with strong authentication controls to prevent unauthorized access.

A set and forget solution, ArcTitan ensures that emails will never be lost again. When you need to perform a search and find emails, searching is lightning fast. A search of 30 million messages takes less than a second.

If you are not currently archiving your emails, take advantage of the 30-day free trial of ArcTitan to find out more about how the solution can help your business. If you are already archiving and are unhappy with your current provider, give the TitanHQ team a call to find how much you can save by switching provider and the additional benefits that ArcTitan offers.