Trickbot Operators Now Selling Attack Tools to APT Actors

North Korea's Lazarus Group - of Sony breach and WannaCry fame - is among the first customers.

The operators of the prolific Trickbot banking botnet have begun offering advanced persistent threat actors access to a sophisticated new attack toolset called Anchor for exploiting the networks of high-value targets that the malware has previously compromised.


Researchers at security vendor SentinelOne's newly established SentinelLabs recently spotted North Korea's notorious state-backed Lazarus Group using the toolset to deploy one of its own malware samples on the network of an Anchor victim.


The discovery is significant because financially motivated crimeware operations like Trickbot have so far mostly operated completely separately from APT campaigns — especially state-backed ones — that are typically more focused on data theft, surveillance, and other long-tailed activities.


"The maturity of the crimeware models and convergence of threats force us to rethink our defenses," says Vitali Kremez, lead cybersecurity researcher at SentinelLabs.


"Criminals and the nation-state are hunting for high-value targets and [collaborating] on their breach accesses," he says. Organizations now have to be concerned not just about criminal groups, but also about crimeware threats that might mature into APT activity, Kremez notes.


Trickbot's operators, who started in 2016 by using the malware to steal money from online banking accounts, have over the years morphed into a massive crimeware-as-a-service operation. Trickbot itself has evolved from a tool for stealing bank account login information to a tool that can perform a variety of malicious functions — including delivering ransomware, banking Trojans, and cryptominers.


The operators of Trickbot have built a database of information on networks that they have compromised, which other attackers can access and use for a fee to deliver ransomware and carry out attacks of their own.


So far, Trickbot's crimew ..
