Trickbot banking malware has infected over 140,000 devices since 2020: Check Point Research

Trickbot, a banking Trojan virus that targets businesses and consumers for their data, has infected over 140,000 devices belonging to customers of Amazon, Microsoft, Google and 57 other corporations since November 2020, according to cyber threat intelligence firm Check Point Research (CPR).
“Trickbot’s numbers have been staggering. We’ve documented over 140,000 machines targeting the customers of some of the biggest and most reputable companies in the world. We went on to observe that the Trickbot authors have the skills to approach malware development from a very low-level and pay attention to small details,” Alexander Chailytko, cyber security research and innovation manager at Check Point Software Technologies, said in a press statement.
CPR observed that Trickbot’s authors are selectively going after high-profile targets to steal and compromise their sensitive data.  “At the same time, we know that the operators behind the infrastructure are very experienced with malware development on a high level as well,” he added.
Trickbot is generally used to steal banking information, account credentials, personally identifiable information, and even cryptocurrency. It is a highly modular malware that can be adapted to different use cases, which is what makes it so much more dangerous.
Its infrastructure can be utilised other malware families to cause more damage. Since Trickbot authors are taking advantage of anti-analysis and anti-deobfuscation techniques allowing the malware to pers on machines, CPR recommends only opening documents from trusted sources.
Percentage of organisations’ customers impacted Trickbot in different regions. The darker the colour, the higher the impact. (Image credit: Counter Point Research)
Some of the other companies whose customers were targeted the attackers include PayPal, Wells Fargo, American Express, and the Bank of America. In CPR’s l of 60 companies whose customers have been infected Trickbot, the most infected regions are in the following order: APAC, Latin America, Europe, Africa, North America.
A Trickbot attack typically begins with the attackers sending malicious documents to email addresses. Once the user downloads and opens these documents, the first stage of the malware is executed and the main Trickbot payload is downloaded. The payload is then executed and it establishes its persence on the infected machine.
Attackers can include modules for spreading through compromised corporate networks, stealing corporate credentials, stealing login details to banking sites etc, as well, according to Check Point.