Security Experts:

Connect with us

Hi, what are you looking for?



Five Months After Takedown Attempt, CISA and FBI Warn of Ongoing TrickBot Attacks

Attacks employing the TrickBot malware continue, leveraging phishing emails as the initial infection vector, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) warn.

Attacks employing the TrickBot malware continue, leveraging phishing emails as the initial infection vector, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) warn.

In a joint advisory published on Wednesday, the two agencies revealed that a sophisticated group of cybercrime actors is leveraging a traffic infringement phishing scheme to lure victims into downloading the TrickBot malware.

Initially observed in 2016 and believed to be the work of the threat actors behind the Dyre Trojan, TrickBot has become one of the most prevalent malware families out there, ensnaring machines into a botnet that was being offered under a malware-as-a-service model to both nation-states and cyber-crime groups.

In October 2020, Microsoft announced the takedown of the infrastructure behind TrickBot, but the malware survived the attempt. In fact, weeks later, it received several updates that increased its resilience against similar attempts and also provided it further compromise capabilities.

Now, CISA and the FBI reveal they have observed “continued targeting through spearphishing campaigns using TrickBot malware in North America,” thus confirming that TrickBot’s operators were able to restore their malicious operation.

“CISA and FBI are aware of recent attacks that use phishing emails, claiming to contain proof of a traffic violation, to steal sensitive information. The phishing emails contain links that redirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic violation,” the joint advisory reads.

Once the victim clicks on the image, however, a malicious JavaScript file is downloaded. When executed, the file connects to the attackers’ command and control (C&C) server to fetch and run TrickBot on the victim’s system.

A modular piece of malware, TrickBot is capable of stealing information from the victims’ browsers, spread laterally across the network, gather system information, manipulate system data, exfiltrate information, mine for crypto-currency, search for vulnerabilities in system firmware, and drop additional payloads onto the system, such as Emotet or the Ryuk and Conti ransomware.

In their joint advisory, CISA and FBI included a series of recommendations for network defenders looking to improve their security posture and stay better protected against TrickBot attacks. The recommendations apply to security teams at federal, state, local, tribal, and territorial governments, but also to those in the private sector.

Related: CISA Issues Advisory for High-Severity Vulnerabilities in Fuji Electric HMI Products

Related: CISA Says Many Victims of SolarWinds Hackers Had No Direct Link to SolarWinds

Related: CISA Warns Organizations About Attacks on Cloud Services

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...