The TrickBot Trojan and PoLP (Principle of Least Privilege)

There has been a lot written about TrickBot lately, so let's discuss the TrickBot trojan and the Principle of Least Privilege (PoLP) in detail.

First TrickBot…

Malware poses a significant threat to organizations that handle sensitive information. The term malware, short for malicious software, covers any software written to damage computer systems or to let attackers steal information. One particularly dangerous example is the TrickBot trojan, which targets sensitive data and is frequently followed by infections from other malware. Since it first appeared in 2016, TrickBot has infected over one million devices. As a trojan, TrickBot does not reach its first victim on its own: it relies on an unsuspecting user to download and run it, believing it is something else.

Image #1: A recent malicious campaign baited targets with phishing messages promising annual bonuses and abused legitimate services to infect them with TrickBot banking trojan payloads.

How Does TrickBot Work?

TrickBot enters a computer through malspam email campaigns: an email directs the recipient to a malicious website or delivers the malware as an attachment. The recipient is tricked into believing the message is legitimate; senders often use third-party branding that the recipient recognizes.

After opening an attachment from one of these fraudulent emails, the user is prompted to run a script that, unknown to them, installs the malware on the computer. Once installed, TrickBot works to disable antivirus software and determines the IP address of the infected machine. It then steals login credentials, which can be used to reach sensitive information that was meant to be kept confidential. Finally, once TrickBot has a foothold on the computer, it can be used to download additional malware, most notably the Ryuk ransomware.
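The attachment-to-script-to-AV-tamper sequence above is the kind of chain endpoint telemetry can catch early. What follows is an added example, not code from the original page: a small Python detector run over constructed Sysmon-style process-creation events. The lists of document handlers and script hosts, and the Windows Defender tamper command patterns, are assumptions about what such activity typically looks like; the detector flags each stage separately and then reports the hosts on which both stages fired together.

```python
"""Detection logic for the first two stages of the infection chain described
above: a document attachment spawning a script interpreter, then a command that
disables the antivirus. Added example, not code from the original page; the
events are constructed Sysmon-style process-creation records, and the process
lists and Defender tamper patterns are assumptions."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Programs that open email attachments (assumed list).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Interpreters a macro or attachment script typically hands off to (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Lower-cased, whitespace-normalized fragments of commands that switch off or
# punch holes in Windows Defender (assumed patterns; other AV products differ).
AV_TAMPER_MARKERS = (
    "set-mppreference -disablerealtimemonitoring",
    "add-mppreference -exclusionpath",
)


@dataclass
class ProcessEvent:
    ts: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


Alert = Tuple[str, str, str, str]  # (rule, host, user, detail)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[ProcessEvent]) -> List[Alert]:
    """Run both rules over every event and return the alerts in event order."""
    alerts: List[Alert] = []
    for e in events:
        parent, child = _basename(e.parent_image), _basename(e.image)
        cmd = " ".join(e.command_line.lower().split())
        if parent in DOCUMENT_HANDLERS and child in SCRIPT_HOSTS:
            alerts.append(("document_spawned_script_host", e.host, e.user, f"{parent} -> {child}"))
        if any(marker in cmd for marker in AV_TAMPER_MARKERS):
            alerts.append(("av_tamper", e.host, e.user, e.command_line))
    return alerts


def hosts_with_full_chain(alerts: List[Alert]) -> Set[str]:
    """Hosts on which both stages fired: a much stronger signal than either alone."""
    seen = {}
    for rule, host, _, _ in alerts:
        seen.setdefault(host, set()).add(rule)
    return {h for h, rules in seen.items()
            if {"document_spawned_script_host", "av_tamper"} <= rules}


# Constructed sample telemetry: one workstation running the full chain, plus
# benign activity (a user opening a document, a scheduled backup) that must not alert.
SAMPLE_EVENTS = [
    ProcessEvent("2020-03-02T09:14:05Z", "WS-042", "CORP\\jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\bonus_2020.js"'),
    ProcessEvent("2020-03-02T09:14:09Z", "WS-042", "CORP\\jdoe",
                 r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcessEvent("2020-03-02T09:20:00Z", "WS-017", "CORP\\asmith",
                 r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" C:\Users\asmith\Documents\report.docx'),
    ProcessEvent("2020-03-02T09:30:00Z", "SRV-BACKUP", "NT AUTHORITY\\SYSTEM",
                 r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\nightly_backup.ps1"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("full chain on:", sorted(hosts_with_full_chain(found)))
```

On the sample data the detector raises two alerts, both on WS-042, and only that host shows the full chain; the legitimate Word launch and the scheduled PowerShell backup stay silent. In production the parent/child rule on its own is noisy, which is why the chain correlation is the alert worth paging on.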

Who Does TrickBot Affect?

Any organization that holds data attractive to attackers must prepare for the possibility of a TrickBot attack. Although TrickBot began as a banking trojan, it now affects many sectors, especially as a precursor to the Ryuk ransomware. Healthcare institutions, universities, public school systems, government agencies, and businesses have all faced TrickBot and the follow-on infections it enables. Organizations in these sectors are all rich sources of personally identifiable information, from which attackers profit.

Recommended Mitigation Measures

To reduce the likelihood of a TrickBot infection, employees should be trained to recognize and avoid phishing attempts, one of the malware's primary distribution channels. Additionally, mail from external senders can be tagged (for example with a banner or a subject prefix) so that spoofed messages are easier to spot. By identifying and avoiding suspicious emails, organizations are better protected from the effects of TrickBot.

However, if anti-phishing measures fail and a user mistakenly clicks on a malicious link or downloads an infected file, how should an organization prevent TrickBot from accessing sensitive data?

Principle of Least Privilege (PoLP)

To further mitigate the risk posed by TrickBot, organizations should follow NIST Special Publication 800-53, which catalogs security and privacy controls for defending against a diverse set of threats. Specifically, control AC-6 (Least Privilege) defines PoLP as allowing "only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."

This control limits each user's access to what their duties require. Because TrickBot steals credentials and can spread laterally across a network, any unnecessary access a user holds becomes reachable by the attacker the moment that user's credentials are compromised. Administrative privileges should be granted only to designated users, so that a single TrickBot infection exposes as little as possible.

YouAttest provides an automated trigger that follows changes to important users and privileged groups and forces an access review.

YouAttest Enforces PoLP by Triggering on Changes on Users and Groups

A best practice for enterprises is to ensure that users are not over-privileged, so that if an account is taken over by TrickBot or any other malware or trojan, it does not hand the attacker excessive access.

But how?

YouAttest combines security and audit through its event-triggering system, which fires on changes to key users and groups and FORCES an attestation of each change.

Image #2: In this case "Mark Millar" has to attest to the addition of a user to the Admin group. This campaign was created automatically by the YouAttest Admin-group trigger.
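To make the trigger-and-attest flow concrete, here is an added Python sketch of the mechanism. It is not YouAttest's own code: the privileged group list, the reviewer assignments, the directory events and the rule that an addition left unattested past its deadline is reverted are all assumptions made for the illustration.

```python
"""Event-triggered attestation of privileged-group changes, the mechanism the
section above describes. Added example, not YouAttest code: the group list,
reviewer mapping, directory events and the "attest within the SLA or the
addition is reverted" policy are assumptions for the illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Groups whose membership changes must be attested (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "Okta Super Administrators"}


@dataclass
class DirectoryEvent:
    ts: datetime
    actor: str      # account that performed the change
    action: str     # "member_added" or "member_removed"
    group: str
    member: str


@dataclass
class AttestationTask:
    event: DirectoryEvent
    reviewer: str
    due: datetime
    decision: Optional[str] = None   # "approved", "rejected", or None while open


class PrivilegedGroupMonitor:
    """Turns every change to a privileged group into an attestation task for
    that group's owner, and reverts additions that are rejected or ignored."""

    def __init__(self, reviewer_for_group: Dict[str, str], sla_hours: int = 24):
        self.reviewer_for_group = reviewer_for_group
        self.sla = timedelta(hours=sla_hours)
        self.tasks: List[AttestationTask] = []

    def ingest(self, event: DirectoryEvent) -> Optional[AttestationTask]:
        """The trigger: changes to ordinary groups are ignored, everything else opens a task."""
        if event.group not in PRIVILEGED_GROUPS:
            return None
        task = AttestationTask(event, self.reviewer_for_group[event.group], event.ts + self.sla)
        self.tasks.append(task)
        return task

    def attest(self, task: AttestationTask, reviewer: str, decision: str) -> None:
        """Only the assigned reviewer may decide, and nobody attests their own change."""
        if reviewer != task.reviewer or reviewer == task.event.actor:
            raise PermissionError(f"{reviewer} may not attest this change")
        task.decision = decision

    def enforce(self, now: datetime) -> List[Tuple[str, str, str]]:
        """Compensating actions: remove members whose addition was rejected or
        never attested before the deadline. Removals are recorded, not undone."""
        actions = []
        for t in self.tasks:
            if t.event.action != "member_added":
                continue
            if t.decision == "rejected" or (t.decision is None and now > t.due):
                actions.append(("remove_member", t.event.group, t.event.member))
        return actions

    def open_tasks(self) -> List[AttestationTask]:
        return [t for t in self.tasks if t.decision is None]


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: four directory events over one morning, a reviewer
    who approves two of the resulting tasks, and an enforcement sweep two days later."""
    t0 = datetime(2020, 3, 2, 9, 0)
    events = [
        DirectoryEvent(t0, "svc-hr-sync", "member_added", "Domain Admins", "jdoe"),
        DirectoryEvent(t0 + timedelta(minutes=5), "svc-hr-sync", "member_added", "Marketing", "jsmith"),
        DirectoryEvent(t0 + timedelta(minutes=20), "it-ops", "member_removed", "Backup Operators", "old-admin"),
        DirectoryEvent(t0 + timedelta(hours=1), "it-ops", "member_added", "Okta Super Administrators", "contractor7"),
    ]
    monitor = PrivilegedGroupMonitor({
        "Domain Admins": "mark.millar",
        "Backup Operators": "mark.millar",
        "Okta Super Administrators": "okta.owner",
    })
    tasks = [t for t in (monitor.ingest(e) for e in events) if t is not None]
    # The reviewer approves the Domain Admins addition and the Backup Operators
    # removal; nobody looks at the Okta super-admin addition before the SLA runs out.
    monitor.attest(tasks[0], "mark.millar", "approved")
    monitor.attest(tasks[1], "mark.millar", "approved")
    actions = monitor.enforce(now=t0 + timedelta(days=2))
    return {"tasks": tasks, "open": monitor.open_tasks(), "actions": actions}


if __name__ == "__main__":
    result = run_scenario()
    for t in result["tasks"]:
        print(t.event.action, t.event.group, t.event.member, "->", t.reviewer, t.decision)
    print("enforcement:", result["actions"])
```

The Marketing change never produces a task, the two attested changes close, and the one that nobody reviewed is reverted when the sweep runs after its deadline. The two guards in `attest` (only the named owner, never the actor) are what keep the attestation from being rubber-stamped by the same compromised account that made the change.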

YouAttest thus agrees with other industry experts who cite these best practices as a way to detect and mitigate changes to privileged accounts. One of the key measures to put in place is PAM account monitoring, which YouAttest executes with the event-triggering system described above and in the webinar.

YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. YouAttest demonstrated how it can help identify PAM attacks in its special webinar on securing SSO and SAML.

If you found this article useful, please send us your feedback. If you would like more information about TrickBot or the Principle of Least Privilege, write to us and we will do our best to help.