Individuals who reuse login credentials across multiple sites are more susceptible to account checking attacks (also known as credential stuffing), in which threat actors take username and password pairs stolen in earlier database breaches and try them against other services to gain unauthorized access to accounts belonging to the same victims. Mining compromised data for combinations that still work, at scale, requires substantial computing power and a large pool of proxies, so that the login attempts are not simply blocked at the source IP. The Trickbot gang has now demonstrated exactly that capability.
Considered the successor of the formidable Dyre banking Trojan gang, the Trickbot gang continues to evolve by adopting new attack methods and targeting new industries. While Trickbot predominantly targeted the financial industry, it has now expanded into other industries through its account checking activity, which is carried out via the Trojan's backconnect SOCKS5 module enlisting infected machines as proxies. Routing login attempts through a victim's machine lets the gang perform account checking from the victim's own IP address. The operation needs a steady supply of new, "clean" proxies so that its traffic is not automatically blocked by the IP-origin checks in companies' anti-fraud systems: a residential IP with no abuse history passes such checks, and a per-source-IP rate limit sees only a handful of attempts from each infected host. Existing infections are therefore turned into account checking proxies.
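The practical consequence for defenders is that a per-source-IP threshold sees nothing unusual when every attempt arrives from a different residential address. The following is an added example, not code from the Flashpoint article or from Trickbot, showing why that rule misses a proxy-distributed account checking run and how aggregating across IPs catches it. The log format (`timestamp ip user OK|FAIL "user-agent"`), the sample lines, the grouping of attempts by user-agent string, and the thresholds are all assumptions made for illustration.

```python
"""Added example: per-IP throttling vs. cross-IP aggregation for account checking.

Assumptions (not from the original article): an auth log in the form
    <iso-timestamp> <ip> <user> OK|FAIL "<user-agent>"
and the heuristic that one checking tool run uses one fixed user-agent string.
All log lines below are constructed for the example.
"""
import re
from collections import Counter, defaultdict

CHECKER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:54.0) Gecko/20100101 Firefox/54.0"
BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) Safari/603.2.4"


def _line(sec, ip, user, result, ua):
    """Build one constructed log line in the assumed format."""
    return f'2017-07-19T10:00:{sec:02d}Z {ip} {user} {result} "{ua}"'


SAMPLE_LOG = "\n".join(
    # Distributed account checking: 12 attempts, 12 distinct "clean" proxy IPs
    # (one per infected host), 12 different usernames, one valid credential found.
    [_line(i, f"203.0.113.{i}", f"user{i:02d}", "OK" if i == 7 else "FAIL", CHECKER_UA)
     for i in range(1, 13)]
    # A legitimate user who mistypes twice and then succeeds from a single IP.
    + [_line(20, "198.51.100.20", "alice", "FAIL", BROWSER_UA),
       _line(21, "198.51.100.20", "alice", "FAIL", BROWSER_UA),
       _line(22, "198.51.100.20", "alice", "OK", BROWSER_UA)]
    # A naive single-source brute force against one account.
    + [_line(30 + i, "198.51.100.7", "admin", "FAIL", "curl/7.54.0") for i in range(6)]
)

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (OK|FAIL) "(.*)"$')


def parse(log):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, ip, user, result, ua = m.groups()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK", "ua": ua})
    return events


def per_ip_offenders(events, max_failures=5):
    """Classic rule: block any source IP with more than max_failures failed logins.

    Catches the single-source brute force, but each proxied checker attempt comes
    from a different IP with at most one failure, so none of them trip this rule.
    """
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return {ip for ip, n in fails.items() if n > max_failures}


def distributed_campaigns(events, min_attempts=10, min_ips=10, max_per_ip=2):
    """Aggregate across IPs: flag a user-agent whose attempts are spread thinly over
    many distinct sources, which is the signature of rotating through a proxy pool.

    Returns {user_agent: {"attempts", "ips", "users", "hits"}} for flagged groups,
    where "hits" lists accounts the campaign logged into successfully.
    """
    by_ua = defaultdict(list)
    for e in events:
        by_ua[e["ua"]].append(e)
    flagged = {}
    for ua, evs in by_ua.items():
        ips = Counter(e["ip"] for e in evs)
        users = {e["user"] for e in evs}
        if len(evs) >= min_attempts and len(ips) >= min_ips and max(ips.values()) <= max_per_ip:
            flagged[ua] = {
                "attempts": len(evs),
                "ips": len(ips),
                "users": len(users),
                "hits": [e["user"] for e in evs if e["ok"]],
            }
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("per-IP rule blocks:", per_ip_offenders(events))
    for ua, info in distributed_campaigns(events).items():
        print(f"distributed campaign via {ua!r}: {info}")
```

Run as written, the per-IP rule blocks only `198.51.100.7`, while the cross-IP rule flags the checker's user-agent group with 12 attempts from 12 IPs and reports `user07` as the account whose reused password was accepted, which is the account that needs a forced reset. In production the user-agent key would be replaced by a stronger request fingerprint, and the thresholds tuned to the service's normal traffic.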
To read the original article:
https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/