The infamous Trickbot Trojan has targeted customers of dozens of major brands over the past year, including Amazon, PayPal and Microsoft, according to new data from Check Point.
The security vendor claimed the malware had infected at least 140,000 victims since November 2020, with attackers taking care to target high-level victims.
Among the 60 brands that had customers targeted in this campaign were also Bank of America, American Express and Wells Fargo.
APAC was the most affected region during the 14-month period, with approximately 3.3% of organizations affected. Next come Latin America (2.1%), Europe (1.9%), Africa (1.8%) and North America (1.4%).
Attacks usually start with phishing emails, including malicious macros.
Although it started life as a banking Trojan, Trickbot has steadily grown in sophistication over the years and now features 20 modules that can be run on demand to steal data and launch additional malware.
The malware remained stubbornly persistent by using a decentralized architecture, selectively choosing targets, and deploying anti-analysis techniques.
Check Point’s research analyzed three modules: a web injection function designed to steal banking and identification data; a tabDLL module that steals credentials to distribute malware via network shares; and pwgrabc, which steals credentials from a range of applications, including the world’s most popular browsers.
“Trickbot attacks high-level victims to steal credentials and provide its operators with access to portals with sensitive data where they can cause even more damage. At the same time, we know that the operators behind the infrastructure are very experienced in developing malware at a high level,” explained Alexander Chailytko, Head of Cybersecurity Research and Innovation at Check Point.
“The combination of these two factors is what has kept Trickbot a dangerous threat for over five years now. I strongly urge people to only open documents from trusted sources and to use different passwords on different websites.”
Check Point also urged users not to enable macros in unsolicited attachments.