Cyberthreat intelligence company, SentinelOne has released the world’s first report linking North Korea to the TrickBot crimeware incidents.
Threat intelligence company, SentinelOne has released the world’s first report linking North Korea to the global crimeware incidents. The project titled, “Trickbot Project “Anchor:” Window into Sophisticated Operation“, clearly establishes a direct link between “Lazarus” and Crimeware Group “TrickBot”.
According to the SSLStore, the global cybercrime economy earns around USD 1.5 trillion yearly. In 2018, half a billion personal data were stolen by hackers. By 2021, the cyber threat intelligence market will be worth USD 6 trillion, and yet only 23% of businesses are prepared against any kind of threat.
TrickBot’s Evolution as a Cyberthreat
According to The Multi-State Information Sharing and Analysis Center (MS-ISAC), a TrickBot is a global malware group that inflicts Trojan cybercrime on systems. TrickBot gang specifically targets users’ financial information and acts as a dropper for other malware. With AI and ML techniques, the malware insertion has become more sophisticated and hard to detect.
MS-ISAC also states in its security primer that an attacker can leverage TrickBot’s modules to steal banking information, conduct system and network reconnaissance, harvest credentials, and achieve network propagation.
IBM X-Force researchers had first detected TrickBot in 2016. It was reported that the Trojan malware leverages advanced browser manipulation systems to attack banking scenarios. TrickBot malware uses both server-side injection and redirection techniques.
Other techniques include remote file inclusion (RFI), SQL injection and cross-site scripting (XSS). Backdoor shells are used to expand cyber heists within the targeted environment.
According to SentinelOne, TrickBot in 2019 is very different from its 2016 avatar. It is a more flexible, universal, module-based crimeware solution. Trojan developers are working against cybercrime regulations and continuously evolving TrickBot into a fully functional attack framework leveraging the project called “Anchor.”
Cyberthreat Intelligence Companies Examine Crimeware Mechanisms
The Center for Internet Security (CIS) found an evident link between TrickBot and the Ryuk ransomware attacks. According to CIS, TrickBot sends HTTP requests in a certain pattern that can only be identified by expert anti-cybercrime groups. The following websites are used to determine the infected host’s public IP address:
TrickBot uses HTTP/HTTPS GET and POST requests to download modules and report stolen information/credentials to the C2 server. – CIS
What is an ‘Anchor’ in a Cyberthreat?
The newly published project identified the world’s first Anchor in TrickBot. The Anchor Project is a collection of sophisticated tools that mask the existence of any form of malware on the victim’s machine, leaving the machine vulnerable to an enterprise-level cyber attack. The Anchor uses both custom and existing toolage.
In the current report, SentinelOne found the link between Lazarus PowerRatankba and banking systems, including the ones used to attack medium-sized retail businesses amongst other corporate entities using point-of-sale (POS) systems.
How TrickBot Operates?
According to SetinelOne, TrickBot gangs serve the Advanced Persistent Threat (APT) communities. According to Kaspersky, these APTs have a very flexible framework that “uses continuous, clandestine, and sophisticated hacking techniques.”
The modules work in a certain manner that marks its existence. The most-noted models are:
- Personal Information stealer that mines, analyzes, sells and manipulates data for an underground agency.
- Banking systems and human hackers stealing credit card and account information.
Cyberthreat Intelligence Fidns The Korean Connection
SentinelOne has found an obvious Korean connection to TrickBot heists. These are called the Lazarus Group. The gangs use aliases such as “Hidden Cobra,” and “Kimsuky” to stay underground and keep their activity masked in the system. Together with many such groups, TrickBot models are constantly evolved to meet cyber heist goals for the Advanced persistent threat (APT) groups. APTs “Bureau 121” (121국), the cyber warfare division of North Korea’s RGB. Today, such APTs are spread across many global locations. Most of these are based in Russia, China, Vietnam, Iran, and the US.
Top Cyberthreat Intelligence Companies Fighting APTs
There are at least 100 cybersecurity providers that are fighting TrickBot and APTs. These are:
- Digital Shadows
(To publish your story here, please write to us at email@example.com)