The TrickBot malware, which earlier this year worked in tandem with the Ryuk ransomware to siphon millions of dollars for hackers, is back with a new attack that may have compromised as many as 250 million email accounts.
In a report by Deep Instinct, the cybersecurity company revealed a new variant of TrickBot that teams it up with a malicious, email-based infection and distribution module dubbed TrickBooster.
The new attack starts the same as in previous methods, with TrickBot infiltrating a victim’s computer. The malware then forces the machine to download TrickBooster, which reports back to a dedicated command and control server with lists of email addresses and log-in credentials harvested from the victim’s inbox, outbox, and address book. Afterwards, the TrickBooster server instructs the infected machine to send out malicious infection and spam emails, with the emails deleted from the outbox and trash folder to remain hidden from the victim.
In Deep Instinct’s investigation of TrickBooster and its associated network infrastructure, the cybersecurity firm discovered a database containing 250 million email accounts that were harvested by TrickBot operators. The addresses were likely also targeted with the malicious emails.
The recovered email dump includes about 26 million addresses on Gmail, 19 million on Yahoo, 11 million on Hotmail, 7 million on AOL, 3.5 million on MSN, and 2 million on Yahoo U.K. The compromised accounts also involved many government departments and agencies in the United States, including but not limited to the Department of Justice, the Department of Homeland Security, the Department of State, the Social Security Administration, the Internal Revenue Service, the Federal Aviation Administration, and the National Aeronautics and Space Administration. Others affected include government organizations and universities in the United Kingdom and Canada.
Deep Instinct spot checked a few thousands of the compromised email accounts against previously recorded security breaches, and found that the database is a new batch of addresses that has not been previously seen or reported.
The discovery of TrickBooster “highlights the success and sophistication of TrickBot,” according to Deep Instinct, while the model was described as “a powerful addition to TrickBot’s vast arsenal” of methods of attack.
Deep Instinct said that it continuing its research and analysis into TrickBooster, and that it is in the process of reporting the details of the new TrickBot attack to the authorities.
