Meet TrickBot, a relatively new banking Trojan believed to be a close relative of the old Dyre banker. According to Fidelis Cybersecurity researchers, TrickBot, first detected in September 2016, has a great deal in common with Dyre.
In case you don't remember, the Dyre operation was discontinued in November 2015 after Russian authorities raided a Moscow film distribution company. Although it took some time for the Dyre campaigns to stop, the volume of spam distributing Dyre faded away after the intervention of the Russian police.
Now it appears that TrickBot is here to take the place of the devastating banker. Let's see what the researchers say.
TrickBot Banking Trojan: Technical Overview
Because of the many similarities, Fidelis researchers suspect that TrickBot was developed by the same team, or by members of the team, that was behind the Dyre operation:
In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn't until you decode out the bot, however, that the similarities become staggering.
The analyzed TrickBot campaign relies on webinjects that target banks in Australia. Interestingly, the banking Trojan looks more like a rewrite than an updated old build. While the bot performs very similar functions and activities, its code style differs from the older Dyre code in several ways, the researchers note. Among the differences: the bot interfaces with the Task Scheduler through COM instead of running commands directly; it uses the Microsoft CryptoAPI instead of its own SHA256 and AES routines; and it contains far more C++, whereas the original Dyre was mostly written in C.
On the other hand, the researchers say that TrickLoader, the TrickBot module that infects the victim, closely resembles Dyre's loader.
Based on these observations, there is clearly a strong link between Dyre and TrickBot. However, TrickBot is not a copy-paste variant; it shows substantial new development. "With moderate confidence, we assess that one or more of the original developers of Dyre is involved with TrickBot," the researchers conclude.
The Similarities TrickBot Shares with Dyre
The crypter used by TrickBot is custom and was previously seen on Vawtrak, Pushdo and Cutwail malware. As pointed out above, the Cutwail spambot was used by the Dyre operators in their spam campaigns.
The loader strongly resembles Dyre's, down to its resource layout: it carries both an x86 and an x64 version of the bot, plus a further section named x64 loader.
The loader simply checks whether it is running on a 32-bit or 64-bit system before decoding the appropriate resource section(s).
Even with the many similarities to Dyre, TrickBot is better described as a rewrite.
This assessment rests on the old Dyre code, which mostly used its own built-in routines for tasks such as AES and SHA256 hashing. In the recent samples identifying themselves as TrickBot, the code appears to derive from that old code but has been rewritten to use the Microsoft CryptoAPI and COM instead.
As already mentioned, TrickBot currently targets banks in Australia.
Since TrickBot is spread through email spam campaigns, the following tips help reduce the chances of an infection.
Anti-Spam Protection Tips
- Use anti-spam software (spam filters) that examines incoming email. Such software separates spam from legitimate mail: filters are designed to identify spam and keep it from ever reaching your inbox. Make sure a spam filter is configured for your email account. Gmail users can refer to Google's support page.
- Don't reply to dubious email messages and never interact with their content. Even an 'unsubscribe' link in the message body can be a trap: responding to such a message merely confirms to the crooks that your address is active.
- Create a secondary email address to use whenever you need to register for a web service or sign up for something. Giving away your real email address on random websites is never a good idea.
- Choose an address that is hard to guess. Research indicates that email addresses combining letters, numbers and underscores are harder for spammers to guess and generally receive less spam.
- View your emails in plain text, and there is a good reason why. Spam written in HTML may contain code designed to redirect you to unwanted pages (for example, advertising). In addition, remote images in the message body can be used to 'phone home' to the spammer: when the image loads, the spammer learns that the address is active and keeps it for future campaigns. Viewing email in plain text is therefore the safer option. To do so, open your email client's main menu, go to Preferences and select the option to read emails in plain text.
- Avoid posting your email address, or a link to it, on web pages. Spam bots and web spiders harvest email addresses automatically. If you do need to leave your address, write it as NAME [at] MAIL [dot] com or something similar. You can also look for a contact form on the website; filling out such a form should reveal neither your email address nor your identity.
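The plain-text tip above is easiest to appreciate by looking at what an HTML message actually asks the client to fetch. The script below is an added example, not code from the original article or from Fidelis: it parses a constructed multipart spam message, returns the body a plain-text viewer would show, and lists the remote image URLs the HTML part would load on rendering (the tracking pixel that "phones home"). The message, its addresses and the tracker hostname are all made up for the example; only the Python standard library is used.

```python
"""Added example: why reading mail as plain text defuses HTML tracking.

Parses a constructed multipart/alternative message, returns the text/plain
body only, and lists remote <img> sources the HTML part would fetch.
"""
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample spam message. The sender, recipient and tracker host are
# placeholders invented for this example, not infrastructure from the article.
SAMPLE_EML = b"""\
From: "Invoice Dept" <billing@example.invalid>
To: victim@example.invalid
Subject: Your invoice is ready
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Your invoice is attached. Open it today.

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is attached. <a href="http://tracker.example.invalid/go?id=42">Open it today.</a></p>
<img src="http://tracker.example.invalid/pixel.gif?id=42" width="1" height="1">
<img src="cid:logo">
</body></html>

--BOUNDARY--
"""


class RemoteImageCollector(HTMLParser):
    """Collects <img src=...> values that point at a remote http(s) host.

    Inline 'cid:' images are embedded in the message and do not phone home,
    so they are deliberately skipped.
    """

    def __init__(self):
        super().__init__()
        self.remote_images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value and value.lower().startswith(("http://", "https://")):
                self.remote_images.append(value)


def plain_text_body(raw):
    """Return only the text/plain part, the way a plain-text viewer would show it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else ""


def remote_images_in_html(raw):
    """Return the remote image URLs the HTML part would request when rendered."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    collector = RemoteImageCollector()
    collector.feed(part.get_content())
    return collector.remote_images


if __name__ == "__main__":
    print("Plain-text view:")
    print(plain_text_body(SAMPLE_EML))
    print("Remote images the HTML view would fetch:", remote_images_in_html(SAMPLE_EML))
```

Running the script shows that the plain-text rendering carries the same wording as the HTML one but triggers no network request, while rendering the HTML would fetch the 1x1 tracking pixel keyed with the recipient's id. The same parsing approach can be pointed at a mailbox export to measure how many messages carry remote images before deciding on a client-wide "block remote content" policy.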
And don’t forget to keep your anti-malware program running!