The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released a security primer on TrickBot malware. TrickBot is a modular banking Trojan that targets users' financial information and acts as a dropper for other malware. An attacker can leverage TrickBot's modules to steal banking information, conduct system and network reconnaissance, harvest credentials, and achieve network propagation.
The MS-ISAC recommends that organizations adhere to the following general best practices to limit the effect of TrickBot and similar malspam in their organization.
- Use antivirus programs on clients and servers, with automatic updates of signatures and software.
- Disable all macros except those which are digitally signed.
- Apply appropriate patches and updates immediately after appropriate testing.
- Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
- If you do not have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security and/or IT departments.
- Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
- Mark external emails with a banner denoting that they come from an external source. This will help users detect spoofed emails.
- Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, not to click on links contained in such emails, not to post sensitive information online, and never to provide usernames, passwords, or personal information in response to an unsolicited request. Teach users to hover over a link with their mouse to verify the destination before clicking on it.
- Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
- Adhere to best information security practices, such as those described in the CIS Controls, which are part of the CIS SecureSuite.
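The DMARC recommendation above depends on the policy actually published in DNS being strong enough to matter. The following is an added example (not code from MS-ISAC or CERT Bulgaria) that parses a DMARC TXT record and flags settings that leave a domain spoofable; the two sample records and the `example.com` reporting address are constructed, and fetching the record from `_dmarc.<domain>` is assumed to happen separately.

```python
# Added example (not part of the MS-ISAC/CERT advisory): assess the strength
# of a DMARC policy record before publishing it at _dmarc.<domain>.
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc_record(txt: str) -> dict:
    """Return the effective policy and a list of weaknesses found.

    Checks follow RFC 7489: 'v=DMARC1' must be the first tag, 'p' is
    required, 'pct' defaults to 100 and 'sp' defaults to the value of 'p'.
    """
    tags = parse_dmarc_record(txt)
    findings = []
    first = txt.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return {"policy": None,
                "findings": ["record must begin with v=DMARC1; receivers ignore it otherwise"]}
    policy = tags.get("p")
    if policy not in POLICIES:
        return {"policy": None,
                "findings": ["missing or invalid p= tag; record is not a valid policy"]}
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the failing mail")
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who spoofs the domain")
    return {"policy": policy, "findings": findings}


# Constructed sample records: a monitoring-only record and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    for record in (WEAK_RECORD, STRICT_RECORD):
        print(record, "->", assess_dmarc_record(record))
```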
If a user opened a malicious email or an infection is believed to exist, we recommend running an antivirus scan on the system and taking action based on the results to isolate the infected computer.
If multiple machines are infected:
- Identify and shut down the infected machines and take them off the network.
- Do not log in to infected systems using domain or shared local administrator accounts.
- Issue password resets for both domain and local credentials.
- As TrickBot scrapes additional credentials, consider password resets for other applications that may have had stored credentials on the compromised machine(s).
- Determine the infection vector to see if there was a different primary infection, such as Emotet dropping TrickBot. A TrickBot infection could indicate that there is an active Emotet or other infection on the network, and vice versa.
CERT Bulgaria recommends that users and administrators review MS-ISAC's White Paper: Security Primer – TrickBot for more information and best practice recommendations.