IT NEWS

Don’t fall for the “Donate to help children in Ukraine” scam

Earlier this week, we spotted a Microsoft sign-in phish that appeared to be taking advantage of the Ukraine crisis in order to scam people. The email warned of unauthorized log in attempts to the recipient’s account, and the location of those attempts was listed as “Russia/Moscow”. We probably won’t ever know whether this campaign is definitely inspired by current events, but one thing is for sure, the latest spam campaign we’ve seen recently is.

This latest spam mail allegedly originates from @president.gov.ua, which is clearly a spoofed domain.

Image: the spam mail. The very timely spam asks recipients to help war refugees by donating via nontraditional payment methods.
(Source: Stefan Dasic | Malwarebytes)

The header image looked like a stretched Ukraine flag, suggesting it was not professionally made. The text below it reads:

A donation campaign has been launched to support Ukraine and also help refugees fleeing the conflict area in Ukraine

The campaign, organized by the humanitarian organization Act of Peace, is hoping to raise $9,000,000 to support refugees in the region.

Stand with the people of Ukraine. Now accepting cryptocurrency donations. Bitcoin, Ethereum, USDT and NFT.

USDT is Tether, a kind of cryptocurrency. It’s interesting to note that they accept NFTs as “donation”.

There are no misspellings, a classic red flag in scam mails. Act of Peace is also a legitimate humanitarian organization based in Australia, and it does have a dedicated donations page for the Ukraine crisis. What it probably doesn’t have is access to an email server it can use to send donation emails on behalf of the official website of the President of Ukraine.

Stay vigilant

If you really want to finance humanitarian aid to help Ukrainian refugees, here is a helpful Twitter thread of verified organizations put together by Ukrainians themselves that you can check out.

Remain vigilant. The last thing you want is to hand over your hard-earned money to help the hurting only for it to end up inside scammers’ pockets.

Stay safe!

The post Don’t fall for the “Donate to help children in Ukraine” scam appeared first on Malwarebytes Labs.

Meta blocks Russia-Ukraine disinformation campaigns on Facebook, Instagram

Meta says it has detected and removed two disinformation campaigns regarding the current Russia-Ukraine war. These campaigns, it says, were run by groups in Russia and Ukraine to target Ukrainian users.

In the post, Nathaniel Gleicher, Meta’s head of security policy, and David Agranovich, Meta’s director of threat disruption, said:

“We took down this operation, blocked their domains from being shared on our platform, and shared information with other tech platforms, researchers and governments. This network used fake accounts and operated fictitious personas and brands across the internet — including on Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki and VK — to appear more authentic in an apparent attempt to withstand scrutiny by platforms and researchers.”

They noted that the fictitious personas used in these campaigns were likely generated using generative adversarial networks (GAN), the same technology behind the fake videos used in disinformation campaigns and in a number of fraud scams. These personas claimed to be inside Ukraine and to have held white-collar jobs before the conflict.

The misinformation campaign involves websites masquerading as independent news outlets that push claims that the West has failed Ukraine and that it’s now a failed state. Meta links the campaign with a previous campaign it removed in April 2020. Both are linked to individuals in Russia, Donbas—a region in Ukraine populated by separatist groups, most of whom are “ethnically Russian and identify as Russian,” and media organizations previously sanctioned by the US government.

Gleicher and Agranovich also said Meta had seen Ghostwriter—a known hacking group aligned with Belarusian government interests—targeting Ukrainian Facebook and Instagram users in the past several days.

“We detected attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender.”

In a previous post, we noted that misinformation is one of the six risks internet users could encounter online during this crisis period. To curb this and other online threats, Meta has rolled out additional security and privacy measures to protect its users in both Ukraine and Russia.

On top of promoting fake news, Ghostwriter has also targeted Ukrainians with phishing attacks, Gleicher and Agranovich said. Meta already blocks these phishing domains.

“We encourage people to use caution when accepting friend requests and opening links and files from people they don’t know. Please refrain from reusing the same passwords across different services to prevent malicious hackers from gaining access to your information. We also strongly recommend using two-factor authentication on all online accounts.”

The post Meta blocks Russia-Ukraine disinformation campaigns on Facebook, Instagram appeared first on Malwarebytes Labs.

Deepfake study suggests fakes can run but not hide

I have long said that Deepfakes missed the boat on being stealthy, believable pieces of footage able to turn the tide of elections or other major events. We’ve seen time and again how suggested examples of use during important happenings have been terrible, whereas the smart use has tended to be quiet, low level affairs as a stepping stone rather than an end goal.

The other stance on this is that people will find moving imagery more believable than photographs or AI generated text. This is an entirely fair point of view, and we can’t really say for sure that nothing seriously bad on the global scale will ever come from a deepfake. However, one study suggests the fakers still have a way to go before that becomes a possibility.

Audio and visual clues

The Register reports that researchers at MIT have pulled the rug on the whole deepfake issue. Just over 5,000 people participated in a video/audio versus text transcript showdown. The task: figure out whether audio, video/audio, and text transcripts of Joe Biden and Donald Trump were real or fake. The results:

Video and audio: 82% guessed correctly

Audio only: 76% guessed correctly

Text only: 57% guessed correctly

One would assume text only is going to be quite the dice-throw. In terms of video, are we getting better at spotting the joins, the edits, the slight uncanny valley effect in most deepfake content? Have we somehow trained ourselves to know when something isn’t right by virtue of having seen so many pieces of deepfake content over the last few years?

These aren’t questions we have answers for yet, although as always, we may have more pressing concerns anyway.

Who needs Deepfakes?

I’m a fan of the path of least resistance idea where deepfakes are concerned. That is to say, are there simpler ways to achieve the desired effect of a deepfake? And, if so, why even reach for the deepfake in the first place? It’s a lot of hard work for something with a big risk of little to no pay off.

A good case in point: the many, many pieces of dis/misinformation currently surrounding events in Ukraine. Deepfakes aren’t being used; it’s just regular footage spliced in whatever way is required. Tricky, sophisticated AI generated fakes may not be required when simple photographs or old videos can be mislabeled and made viral.

In the last few days alone, we’ve seen several examples of this phenomenon doing big numbers on social media, quite often promoted by verified (and perhaps mistaken as authoritative) commentators.

Digitally doctored video versus jpegs

Commentators continue to warn of the dangers of deepfakes, but look at the example from this video. His head moves oddly and doesn’t look properly connected to the peculiarly flat-looking body. The mouth moves strangely at various points throughout. Even without using tools to analyse the footage, there’s clearly something very wrong with the content. So, we’re right back where we started: tried and tested methods, with less demanding technical overheads. When upwards of 14 million people are being told Steven Seagal is on the frontline thanks to a hasty image edit, the impact of overwrought deepfakes recedes into the distance.

When fakes fight fakes

On top of everything else, we have the peculiar sight of face-swap apps trying to disseminate real information. With what is claimed to be 9 million messages sent out related to one campaign, and 2 million of those being sent to users in Russia, it’s arguable that the most interesting and pervasive use of deepfake tech during a major event is to essentially cancel its own power.

Strange times indeed for the AI-altered revolution which never quite seems to land.

The post Deepfake study suggests fakes can run but not hide appeared first on Malwarebytes Labs.

Google launches Chrome 99, fixes 28 vulnerabilities

The Chrome team announced the promotion of Chrome 99 to the stable channel for Windows, Mac and Linux on March 1, 2022. This will roll out over the coming days/weeks.

In the desktop version, a total of 28 vulnerabilities were closed. Of these, 11 were classified as high, 15 as medium and two as low. Below we will discuss a few of those vulnerabilities as far as there are details available.

The Chrome versions for iOS and Android were also updated, to 99.0.4844.47 and 99.0.4844.48 respectively. These updates are stability and performance improvements.

Vulnerabilities

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). All the vulnerabilities discussed below were classified as high and found by external researchers.

CVE-2022-0789: Heap buffer overflow in ANGLE. ANGLE is used as the default WebGL backend for both Google Chrome and Mozilla Firefox on Windows platforms. Heap is the name for a region of a process’ memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, the two common areas that are targeted for overflows are the stack and the heap.

CVE-2022-0790: Use after free in Cast UI. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. The Cast UI is the menu that allows you to cast a browser tab to an external screen, e.g. via Chromecast.

CVE-2022-0791: Use after free in Omnibox. The Omnibox is the Google Chrome address bar which is called Omnibox because it can be used for many other functions besides surfing to a web address.

CVE-2022-0792: Out of bounds read in ANGLE. An out of bounds read vulnerability means that the program reads data from outside the bounds of allocated memory. Potentially this type of vulnerability could be used to exfiltrate data from the affected machine.

CVE-2022-0793: Use after free in Views. Views is the framework that allows Chrome developers to build a custom user interface for use on the Windows platform.

CVE-2022-0794: Use after free in WebShare. Web Share is an API for sharing data (text, URLs, images) from the web to an app of the user’s choosing. A user can share current tab and selected text using the installed apps on their computer.

CVE-2022-0795: Type Confusion in Blink Layout. A type confusion vulnerability exists when a piece of code doesn’t verify the type of object that is passed to it. In some cases of type confusion, wrong function pointers or data are fed into the wrong piece of code. Under some circumstances this can lead to code execution. Blink is an open-source browser layout engine developed by Google as part of the Chromium Project and part of the Chrome browser.

CVE-2022-0796: Use after free in Media. The Media component is used to display many media types in the browser.

CVE-2022-0797: Out of bounds memory access in Mojo. Mojo is a platform for sandboxed services communicating over IPC. Inter-process Communication (IPC) is the component that was designed to regulate communication between the processes in Chrome’s multi-process architecture.

As more details about the vulnerabilities will be released once everyone has had a chance to install the latest version, we will keep you posted on any important additional information.

How to update

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. However, you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities. My preferred method is to have Chrome open the page chrome://settings/help, which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Nearing 100

The desktop version has now been updated to the new version 99 (99.0.4844.51), which means we are one step closer to the potential problems with user agent strings that may arise when we reach major version 100. This is currently slated for release on March 29.

Stay safe, everyone!

The post Google launches Chrome 99, fixes 28 vulnerabilities appeared first on Malwarebytes Labs.

Biden wants stronger privacy protections, no targeted ads for children

On March 1, US President Joe Biden gave his first State of the Union Address (SOTU) speech to Congress.

In it, Biden highlighted the dire need to get help for teens with mental health issues. He demanded tech companies implement more robust privacy protections for kids and teens using their online services, stop targeted advertising geared towards the youth, and stop collecting their data in general.

“Second, let’s take on mental health. Especially among our children, whose lives and education have been turned upside down.

The American Rescue Plan gave schools money to hire teachers and help students make up for lost learning.

I urge every parent to make sure your school does just that. And we can all play a part—sign up to be a tutor or a mentor.

Children were also struggling before the pandemic. Bullying, violence, trauma, and the harms of social media.

As Frances Haugen, who is here with us tonight, has shown, we must hold social media platforms accountable for the national experiment they’re conducting on our children for profit.

It’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children.

And let’s get all Americans the mental health services they need. More people they can turn to for help, and full parity between physical and mental health care.”

Haugen, also a guest of First Lady Jill Biden, used to work for Facebook as a data scientist and product manager before turning into a whistleblower. She was responsible for a series of explosive revelations made by The Wall Street Journal (WSJ) last year, sourced from internal data she leaked. The White House release called Haugen an “advocate for more humanity and transparency across the tech and social media industry, especially as it relates to teen mental health.”

Cecilia Kang (@ceciliakang), a tech reporter for the New York Times and author of the book, “An Ugly Truth: Inside Facebook’s Battle for Domination,” calls the highlighting of targeted advertising on kids in a SOTU speech “progress.”

The Biden administration has yet to reveal how it will hold tech companies accountable and crack down on the collection of children’s data. But it seems the online space has just become a slipperier slope to traverse for any company that plans to create platforms or services geared towards children (Instagram comes to mind).

If anything, the multiple legislative filings by US senators and state lawmakers could be seen collectively as one of the underlying precursors to Biden’s SOTU speech. We now have the Kids Online Safety Act (KOSA), introduced in mid-February, and California lawmakers are about to introduce a new bill aimed at protecting children’s online data.

If more legislation is needed to make true data privacy for kids a reality, Kang admitted in her tweet that it would be challenging. And when it comes to attempting to address the harm caused by social media to teens, it would be costly, according to Sarah Owermohle, health reporter for POLITICO:

“Those proposals are expected to cost hundreds of millions of dollars between them and Congress has been slow to move on the budget, let alone new funding initiatives.”

The post Biden wants stronger privacy protections, no targeted ads for children appeared first on Malwarebytes Labs.

Toyota’s just in time manufacturing faced with disruptive cyberattack

Toyota suspended the operation of 28 lines at 14 plants in Japan on Tuesday, March 1, after a cyberattack on supplier Kojima Industries Corp. Some plants operated by Toyota’s affiliates Hino Motors and Daihatsu are included in the shutdown.

Hino suspended all operations at its Koga facility, which manufactures large and midsize trucks for export and domestic sale, and its Hamura plant, which makes small trucks and handles production for Toyota. The shutdown also includes a Daihatsu plant in Kyoto Prefecture.

Kojima

Kojima is a business partner of the Toyota Motor Corporation that manufactures interior and exterior automotive components. For Toyota, Kojima is a domestic supplier of plastic parts and electronic components.

Toyota said it expects to be able to resume all operations from the first shift today, March 2.

In a statement about the production halt, Toyota said:

“We will also continue to work with our suppliers in strengthening the supply chain and make every effort to deliver vehicles to our customers as soon as possible.”

Toyota went on to apologize to its customers, suppliers, and other related parties for any inconvenience caused by the sudden shutdown.

Just-in-time

This is the second blow to Toyota production this year. Earlier in February it saw some of its production stopped in North America due to parts shortages caused by the Canadian trucker protests. And this while it is already tackling supply chain disruptions around the world caused by the Covid pandemic, which has forced Toyota and other carmakers to curb output.

Just-in-time delivery systems provide goods as orders come in, allowing for a lean, at-need production process with little to no surplus. But as we’ve learned from the pandemic, these types of systems are vulnerable to sudden peaks in demand, as well as to disruptions in the supply chains. Depleted supply chains have already hit several industries, especially at the beginning of the pandemic.

To western style economies, a continuous flow of goods and components is of the utmost importance. We regard transport and logistics as vital infrastructure for compelling reasons. Many of our factories depend on components made on the other side of the globe. But as we can see from the example at hand, even a disruption at a domestic supplier can stop the production lines.

Many of the roughly 400 tier one suppliers that Toyota deals with directly are connected to the automaker’s just-in-time production control system, which allowed the problems at Kojima Industries to spill over to Toyota. The automaker says it halted production to prevent longer-term damage, and prioritized inspection and recovery of the system.

The attack

Kojima said it was still investigating the origin of the cyberattack, the specific malware involved and the damage caused. Toyota representatives and cybersecurity experts are at Kojima Industries to determine the cause and how to restore the system. As of the time of this writing, the website for Kojima Industries is not online.

Needless to say, speculation is rampant, but without further information about the nature of the attack, it is near impossible to tell whether this attack can be linked to any ongoing cyberattacks related to the situation in Ukraine, or whether it is the result of a run-of-the-mill ransomware attack.

Prime Minister Fumio Kishida said that it was premature for anyone to tie the cyberattack to Japan’s decision to send $100 million in aid to Ukraine and sanction officials from Russia. The Japanese government is working to confirm the situation while law enforcement is looking into the matter.

Stay safe, everyone!

The post Toyota’s just in time manufacturing faced with disruptive cyberattack appeared first on Malwarebytes Labs.

Unusual sign-in activity mail goes phishing for Microsoft account holders

We’ve received an interesting spam email which (deliberately or not) could get people thinking about the current international crisis. Being on your guard will pay dividends over the coming days and weeks, as more of the below is sure to follow.

Unusual sign-in activity detected?

The email’s subject line, “Microsoft account unusual sign-in activity”, is always guaranteed to attract some attention. It continues:

Unusual sign-in activity

We detected something unusual about a recent sign-in to the Microsoft account

Sign-in details

Country/region: Russia/Moscow

IP address:

Date: Sat, 26 Feb 2022 02:31:23 +0100

Platform: Kali Linux

Browser: Firefox

A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.

Report the user

Thanks,

The Microsoft account team

The mail provides a button to “report the user”, and an unsubscribe option. Should the recipient click the button, they’re not forwarded to a report page. Instead, it’s a Mailto: URI which opens a fresh email with a pre-filled message to be sent to a specific email account.

In this case, the email’s subject line is “Report the user”, while the phisher’s mail address claims to be some form of Microsoft account protection. They also managed to spell account wrong – “acount”.

Don’t reply: report and delete

People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their account to the phishers. The best thing to do is not reply, and delete the email.
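The tell in this phish is that its “Report the user” button is a mailto: URI with a pre-filled subject rather than a link to an account page. The following mail-filter check, an added example and not code from the Malwarebytes post, parses an HTML body, extracts every anchor, and flags call-to-action buttons whose target is a mailto: address; the sample body and the phisher’s address (example.invalid) are constructed placeholders.

```python
"""Flag 'action buttons' in an HTML email whose link is really a mailto: URI.

Added example, not from the original post. A legitimate account-security
notice links to a page; this phish opens a pre-filled message to the
scammer's mailbox instead. Filters can spot that mismatch by inspecting
each anchor whose visible text reads like a call to action.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# Words typical of the buttons a phish wants the victim to press.
ACTION_WORDS = ("report", "verify", "confirm", "sign in", "secure", "review")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join(self._text).strip()))
            self._href = None


def parse_mailto(href):
    """Return (recipient, subject) for a mailto: URI, decoding the query part."""
    parts = urlsplit(href)
    recipient = unquote(parts.path)
    subject = parse_qs(parts.query).get("subject", [""])[0]
    return recipient, subject


def find_mailto_buttons(html_body):
    """Return call-to-action anchors that point at mailto: URIs."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        if urlsplit(href).scheme.lower() != "mailto":
            continue  # ordinary http(s) links are not the pattern we want
        if any(word in text.lower() for word in ACTION_WORDS):
            recipient, subject = parse_mailto(href)
            findings.append({"text": text, "recipient": recipient, "subject": subject})
    return findings


# Constructed sample modelled on the phish described above (placeholder address).
SAMPLE_BODY = """
<p>A user from Russia/Moscow just logged into your account from a new device.</p>
<a href="mailto:acount-protection@example.invalid?subject=Report%20the%20user&body=Hi">Report the user</a>
<a href="https://example.invalid/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for hit in find_mailto_buttons(SAMPLE_BODY):
        print(f"button '{hit['text']}' mails {hit['recipient']} (subject: {hit['subject']!r})")
```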

Is this mail deliberately or accidentally referencing world events?

We have to be very clear here that anybody could have put this mail together, and may well not have anything to do with Russia directly. This is the kind of thing anyone anywhere can piece together in ten minutes flat, and mails of this nature have been bouncing around for years.

But, given current world events, seeing “unusual sign-in activity from Russia” is going to make most people do a double take, and it’s perfect spam bait material for that very reason.

While the mail explicitly targets Microsoft account holders, Outlook is flagging this missive and dropping it directly into the spam box. This probably isn’t something the mail creators need, quite frankly. However, this is great news for everybody else.

Miss it, miss out

Trying to panic people into hitting a button or clicking a link is an ancient social engineering tactic, but it sticks around because it works. We’ve likely all received a “bank details invalid” or “mysterious payment rejected” message at one point or another.

Depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s “big deal” is another one’s “oh no, my stuff”. That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.

The post Unusual sign-in activity mail goes phishing for Microsoft account holders appeared first on Malwarebytes Labs.

Data breaches leave customers very shaky, report says

Data breaches are one of the most reported cyberattacks against businesses—regardless of size and industry. And while this has highlighted cybersecurity gaps on so many fronts, some companies are still not prioritizing them as they should. Some have scrambled to be compliant but then find themselves successfully breached weeks or months after getting certified.

Unsurprisingly, many current and potential customers respond negatively to companies that have been breached. This is evident in the global consumer survey conducted by software company, Axway.

For many, a breach is treated as proof that companies are not doing what they’re supposed to with their data, and that is to primarily secure it at all cost, especially when businesses are placed high on their attack list. Companies saying that they take the security of their customers “very seriously” looks more like lip service than genuine concern over data security.

According to the survey, respondents are more comfortable trusting businesses in the financial (65 percent) and health (50 percent) sectors to protect their data. On the flip side, they are less confident entrusting their data to insurance companies (31 percent), retailers (26 percent), and educational institutions (31 percent).

When asked, “Would an online retailer’s lack of security for your private data prevent you from making a purchase through their website?”, 68 percent gave a resounding YES. This number is even higher—75 percent—when asked if they’d stop doing business with a company that has fallen victim to a breach or cyberattack that potentially compromised data. For companies with a history of cyberattacks or data breaches, 50 percent say they would not do any business with them.

While the numbers are stark and telling for any organization, only 12 percent of respondents said they would never engage with companies with such a history. It’s not completely bleak for breached companies though. It seems most survey takers—81 percent—would continue to use the brand provided that (a) the company has already addressed the issue that resulted in the breach or (b) consumers have done something on their end to help mitigate the problem, such as changing their login credentials.

“Security breaches and privacy concerns are another snag in the fabric that harms the frictionless experience people have come to expect,” said Brian Pagano, chief catalyst and VP at Axway, “In an increasingly connected world, we will continue to hear about security leaks. You can establish trust by giving consumers peace of mind about the back-end complexity thanks to secure solutions. And then, you can focus on the job of providing those brilliant new customer experiences.”

The post Data breaches leave customers very shaky, report says appeared first on Malwarebytes Labs.

The Conti ransomware leaks

On February 27, an individual with insights into the Conti ransomware group started leaking a treasure trove of data beginning with internal chat messages. Conti is responsible for a number of high profile attacks, including one against the Irish Healthcare system which has cost more than $48 million and more importantly has had an unprecedented human impact.

Only shortly before, the Conti gang had announced its support for the Russian government despite international outrage over the invasion of and war on Ukraine. We believe this triggered a strong emotional reaction from either a threat actor or someone with unique access to Conti’s infrastructure.

The Twitter handle @ContiLeaks has been posting extremely valuable data about Conti and its members. The tweets include screenshots, raw data files and even the ransomware source code. In between data dumps the actor — who is likely a Ukrainian national — is seen expressing his disgust and anger.


Due to the sheer volume of data and the fact that a large portion of chats are in Russian, it will take some time to process and analyze. What we know already is that there is extremely valuable information about the Conti ransomware group, in particular about how they work as an organization and how they target their victims.

While Conti is quite resourceful and will probably rebound, there is no doubt that these leaks will cost them a great deal of money and possibly instill fear about their identification as individuals.

The Malwarebytes Threat Intelligence team continues to track and analyze this data dump as well as other cyber threats related to the war in Ukraine. Any intelligence that is collected is passed on and used to protect our customers.

Indicators of Compromise


The post The Conti ransomware leaks appeared first on Malwarebytes Labs.

TrickBot takes down server infrastructure after months of inactivity

The king of tricks is dead. Long live the new king. Or will it make a comeback?

While we already assumed TrickBot was dead in the water, the shutdown of the server infrastructure on February 24, 2022, did not go unnoticed. Is this really the end of one of the most active botnets in the last decade?

History

The rise of TrickBot started when it was a banking Trojan designed to steal personal financial data. Initial development started in 2016, with many of its original features inspired by Dyreza, another banking Trojan.

Fast forward a few years to 2018, and thanks to its modular build and its ability to move laterally within a network, TrickBot had become the top-ranked threat for businesses. Back then, the authors of TrickBot were agile and creative, regularly developing and rolling out new features. The separate modules made it easier to develop new capabilities and to use the malware for several purposes. For example, in 2019 researchers found a new feature in TrickBot that allowed it to tamper with the web sessions of users on certain mobile carriers. Other features, such as disabling real-time monitoring in Windows Defender, were also added at some point.

In 2021, a number of arrests were made that provided some insight into the scale and complexity of the TrickBot group. These arrests also seem to have been among the starting points that marked the end of the group. Some members might have felt insecure seeing their co-workers indicted, even with all the safeguards they had deployed to keep their true identities secret.

Cooperation

The ransomware scene can be compared to any legitimate business vertical in more than one way. You will see short-lived cooperation, mergers, and staff moving from one company to another. Some of the malware peddlers and ransomware gangs have established relationships that can be described as being in league with each other. Given their nature and the amount of money that circulates in these ransomware groups, they are sometimes referred to as (cyber)crime syndicates.

Over the years we’ve seen several campaigns where Emotet acted as a dropper for the TrickBot Trojan. TrickBot then stole the financial information it was after and downloaded the Ryuk ransomware. This Emotet-TrickBot-Ryuk supply chain was feared worldwide and turned out to be extremely resilient. After Ryuk’s rebranding to Conti this did not change. But Conti has grown over the years and expanded to the point that it can now be considered one of the major players in this “industry” in its own right.

Its relationship with TrickBot was one of the primary reasons for the rapid rise of Conti. At some point, Conti turned into the sole end-user of TrickBot’s botnet product. By the end of 2021, Conti had essentially acquired TrickBot, with multiple elite developers and managers making the move to join Conti.

The end(?)

There are a few contributing factors that indicate that this may really be the end of TrickBot.

  • The move of developers and managers to Conti, and possibly other gangs.
  • The high detection rate for TrickBot. A less actively developed malware becomes an easy target for detection and remediation routines.
  • The rise of BazarLoader, which used to be part of TrickBot’s toolkit but has now been developed into a fully autonomous tool. It seems the likely candidate for Conti to develop further.
  • The voluntary shutdown of the servers and the fact that they hadn’t set up any new servers for months.
  • The lack of new TrickBot email spam campaigns in the year 2022.

Renowned researchers expect this to be the end of TrickBot as we know it.

That doesn’t mean it can’t rise like a Phoenix from the flames with a new label or under different management. Most of the people who have led and developed TrickBot throughout its long run will not simply disappear from the scene, but find new employers, like Conti.

Whether we will notice that TrickBot is gone remains to be seen. Plenty of new infiltration methods are available to the ransomware gangs and their affiliates. And it will probably take years before we stop seeing TrickBot detections, dormant or not, on some systems.

The post TrickBot takes down server infrastructure after months of inactivity appeared first on Malwarebytes Labs.