Malware attacks are on the rise, but thankfully, so is the vigilance of individuals and IT MSPs.  

However the next big threat is on the horizon. On March 14th, the Cybersecurity and Infrastructure Security Agency, a unit of the Department of Homeland Security, released a report on malware called TrickBot.

What is TrickBot?

“TrickBot is a modular banking trojan that targets user financial information and acts as a dropper for other malware”, said the report. It is using man-in-the-browser attacks to steal the log-in credentials for finance-related sessions.

How it’s working

This malspam is embedding itself in email attachments in familiar formats like Word or Excel documents disguised as accounting reports or invoices. Once opened, the attachment will “prompt the user to enable macros, which executes a VBScript to run a PowerShell script to download the malware.”

It makes sure it is not running in a “sandbox environment” and then attempts to disable your antivirus programs.

Once it has established itself on a device, TrickBot will begin two different attacks.

Redirection attacks send victims to fraudulent banking site replicas when they navigate to certain banking websites. This fake website is hosted on the cyber threat actor’s (CTA) malicious server and harvests the victim’s login information.

A server-side injection intercepts the response from a bank’s server, injects additional client-side code into the webpage, and can steal the victim’s banking credentials through form grabbing. Form grabbing records sensitive information typed into HTML forms, rather than capturing all keystrokes as with a keylogger.

TrickBot is also using the Server Message Block Protocol to spread itself laterally across networks.

What you should do

Familiarize yourself and your staff with common phishing tactics. Education is the ultimate end-user security practice. This is a necessity for network security.

For ITonDemand clients, spam filtering and endpoint malware security are in place to secure you from the majority of cyber attacks.

For more information on phishing, download our infographic below.

Incident Recovery

  1. If you think you have been infected, take the device offline as soon as possible. This protects you from any further data loss or further system/network corruption.
  2. Change all passwords from the infected device from a secure device.
  3. Contact the ITonDemand HelpDesk to see what further damage mitigation needs to be done.

For the full white paper issued by CIS, click here.


Download our infographic and learn how to identify a phishing scam when you see one.

Other Articles You Might Be Interested In:

Office365 is not a Disaster Recovery Plan

Office365 is not a Disaster Recovery Plan

Disaster recovery plans are vital, not just important. Data becomes lost, deleted, purged, corrupted, all the time. Without that measure in place, data is truly lost. There does seem to be confusion on what constitutes a Disaster Recovery plan, however. While many...

read more
Data Backups and Disaster Recovery

Data Backups and Disaster Recovery

Data backup is a critical part of an organization’s overall disaster recovery plan. The concept of data backup is simple: you make copies of your data and store them in a different location in case data is lost or destroyed.

read more

Founded in 1999, ITonDemand helps businesses and associations across the US achieve growth by guiding and supporting IT infrastructure and providing cybersecurity management. ITonDemand’s Core Solution and Security+ have been recognized among both Managed Services and Cybersecurity Providers as a member of the MSP Pioneer 250 and the Top 200 MSSPs.

1423 Powhatan St, Alexandria, VA 22314

233 SW 3rd St, Ocala, FL 34471