Upgraded Trickbot Runs Its Course
If you're monitoring the wider threat landscape, it won't be surprising that Trickbot is the number one malware on TruSTAR at the moment. This modular piece of malware has undergone a number of upgrades and has become a critical component of multiple campaigns. One of the most effective combinations we're seeing is Emotet > Trickbot > Ryuk, but Trickbot is also being used in IcedID and Emotet campaigns. Yet another new variant of Trickbot surfaced this week. We may post a write-up of its recent evolution and surge in a later blog.
njRAT Gaining Popularity
The second most reported malware on TruSTAR is njRAT, and this one is of growing interest due to possible Iranian connections. Iranian APT33 has shifted toward commodity malware, and two weeks ago Insikt Group detailed new infrastructure targeting Saudi Arabia, where 60% of the malicious activity observed from that infrastructure is tied to njRAT. As such, this malware warrants a closer eye when it appears within US networks.
Smokeloader Continuing to Evolve
The third most seen malware is Smokeloader, another case of a tried-and-true piece of malware undergoing an upgrade. A new variant, discovered in the first week of July, also downloads Azorult as part of its kill chain.
Both Trickbot and Smokeloader highlight a strong trend of chaining pieces of malware so that one drops another, whether to enhance profits, increase persistence, or enable lateral movement within networks. The success of these combinations will only encourage more of them in the future.
View this OSINT Threat Report on TruSTAR to correlate IOCs with your own data.
Not on TruSTAR yet? Request a demo, and in the meantime download the IOCs as a .txt file.
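The correlation step the report points at can be done offline with a few lines of Python. The example below is added here and is not TruSTAR code; it assumes a plain-text IOC export with one indicator per line, `#` comments and optional defanging (`hxxp://`, `[.]`), and uses constructed placeholder indicators and log lines rather than real ones. It classifies each indicator (IP, domain, URL, hash), derives the host from any URL so proxy logs match on the host alone, and uses boundary-aware matching so that `198.51.100.23` does not fire on `198.51.100.231`.

```python
"""Correlate a plain-text IOC export against local log lines.

Added example, not TruSTAR's own code. The IOC file format and the log
format are assumptions; all indicators and log lines are constructed
placeholders for illustration only.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed IOC list in the shape of a one-indicator-per-line .txt export.
IOC_TXT = """\
# constructed sample, not a real export
198.51.100.23
203.0.113.7
example-loader[.]test
hxxp://update.example-c2[.]test/gate.php
d41d8cd98f00b204e9800998ecf8427e   # md5 placeholder
"""

# Constructed log lines, loosely modelled on proxy and EDR exports.
LOG_LINES = [
    "2019-07-15T10:01:02Z proxy src=10.0.0.5 dst=198.51.100.23 "
    "host=update.example-c2.test url=http://update.example-c2.test/gate.php",
    "2019-07-15T10:01:09Z edr host=WS01 file=C:\\Temp\\x.exe "
    "md5=D41D8CD98F00B204E9800998ECF8427E",
    "2019-07-15T10:02:30Z proxy src=10.0.0.6 dst=93.184.216.34 "
    "host=www.example.com url=http://www.example.com/",
    # Near misses: a longer IP and a longer domain must NOT match.
    "2019-07-15T10:03:00Z proxy src=10.0.0.7 dst=198.51.100.231 "
    "host=example-c2.testing url=http://example-c2.testing/",
]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def refang(value):
    """Undo common defanging so indicators match raw log content."""
    value = value.strip()
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def classify(value):
    """Bucket a refanged, lowercased indicator by type."""
    if HASH_RE.match(value):
        return "hash"
    if IPV4_RE.match(value):
        return "ip"
    if URL_RE.match(value):
        return "url"
    if "." in value and " " not in value:
        return "domain"
    return "unknown"


def parse_ioc_file(text):
    """Return {type: set(indicator)}; URLs also contribute their host."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        value = refang(line).lower()
        kind = classify(value)
        iocs[kind].add(value)
        if kind == "url":
            host = urlparse(value).hostname
            if host:
                iocs["domain"].add(host)
    return iocs


def _pattern(kind, value):
    """Boundary-aware regex: IPs/hashes must be whole tokens; a domain
    may match as a suffix of a subdomain but not as a prefix of a longer
    label (example-c2.test must not match example-c2.testing)."""
    esc = re.escape(value)
    if kind in ("ip", "hash"):
        return re.compile(r"(?<![0-9a-z.])" + esc + r"(?![0-9a-z.])")
    if kind == "domain":
        return re.compile(r"(?<![0-9a-z-])" + esc + r"(?![0-9a-z-])")
    return re.compile(esc)   # URLs: literal substring match


def correlate(iocs, log_lines):
    """Return [(indicator, type, line_no)] for every indicator seen."""
    patterns = [(v, k, _pattern(k, v)) for k, vs in iocs.items() for v in vs]
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for value, kind, pat in patterns:
            if pat.search(low):
                hits.append((value, kind, n))
    return hits


if __name__ == "__main__":
    for hit in sorted(correlate(parse_ioc_file(IOC_TXT), LOG_LINES), key=lambda h: h[2]):
        print("line %d: %s (%s)" % (hit[2], hit[0], hit[1]))
```

Swap `IOC_TXT` for the contents of the downloaded file and `LOG_LINES` for your own proxy or EDR export, lowercase both as the code does, and treat a hit on a single chained stage (a loader domain, a Trickbot module hash) as reason to look for the rest of the chain on the same host.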