TrickBot adds new spam module, harvests 250M email addresses

News by Bradley Barth

Information-stealing malware TrickBot harvests addresses linked to several government agencies such as the US departments of Justice and the UK Ministry of Defence

Malicious actors behind the information-stealing malware TrickBot have added a new module that has helped them illicitly gather a database of 250 million legitimate email addresses.

Millions of these harvested addresses are linked to government agencies and employees in the US, according to Deep Instinct, whose researchers uncovered the new module and the giant database. In all likelihood, these addresses were collected for the purpose of targeting them in future TrickBot operations, explains a 12 July blog post by Deep Instinct malware and cyber intelligence expert Shaul Vilkomir-Preisman, who was assisted by fellow researcher Tom Nipravski.

US governmental organisations whose emails show up in the TrickBot database include the Department of Justice, Department of Home Security, State Department, Social Security Administration, Internal Revenue Service, House of Representatives, NASA, the Postal Service and more. Various universities and governmental entities in the UK and Canada were cited in the database, including the UK Ministry of Defense and UK Public Health Office.

"Spot-checking a few thousands of these compromised email addresses against previously recorded leaks and breaches leads us to believe that this is a new mass compromise of e-mails, not previously seen or reported before," says Vilkomir-Preisman in the blog post.

Dubbed TrickBooster, the new module is described by Deep Instinct as an email-based infection and distribution module. TrickBooster harvests credentials and contacts from an infected victim’s address book, inbox and outbox, and can also send spam emails that victim’s compromised account, later deleting those messages from the outbox and trash folders to conceal malicious activity.

Some of the TrickBooster samples observed by Deep Instinct came signed with security certificates – issued by Thawte Consulting and its parent company DigiCert – that seem to originally have been issued to various legitimate small-to-medium businesses within the US. Deep Instinct said that it DigiCert/Thawte has revoked the certificates after being alerted of the scam.

Once downloaded by Trickbot, TrickBooster harvests not only the victim’s list of email contacts but also his or her own e-mail credentials, and sends that information to a malicious C2 server. Such data can later be sold and traded on the dark web.

In the next stage of operation, the server then instructs the malware use the compromised account to send spam to other email addresses – perhaps for monetisation purposes or to spread the malware further.

According to Deep Instinct the malware does an excellent job of covering up its activities by deleting the original infecting executable file. "The result is that it is missed by nearly all scanning security vendors, an impressive stealth factor that is much desired among malware operators," the blog post states.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews