It may be time to rethink the Geodo and TrickBot malware. These botnets have recently become more of a threat, increasing both their activity and the variety of their delivery mechanisms, utilities, and behaviors.
In a recent campaign, Geodo was used to deliver TrickBot (or Zeus Panda, depending on the target's location) through a single phishing campaign. Geodo is a banking trojan which, while capable of acting as a malware downloader, has primarily focused on more direct means of revenue generation, such as information stealing. Because it almost always behaves as a stand-alone infection, Geodo's delivery of a subsequent payload is extremely unusual.
TrickBot is another banking trojan with constantly evolving plugins, and it is generally delivered by Office documents that contain either exploits for known CVEs or Office macros. The distribution methods and activities of these two malware families have generally adhered to predictable patterns: Geodo is usually delivered via a document downloaded from a URL included in the email, and TrickBot as a direct email attachment. However, recent changes to both may require a reassessment of the threat they pose.
Threat Actors Are Investing in More Targeted Campaigns
As we mentioned in a July 3rd blog post, a recently observed Geodo campaign played upon the United States Independence Day to deliver holiday-themed emails with more compelling message content than usual, including historically patriotic quotes. Simultaneously, the botnet continued its regular campaigns in other regions. The additional effort required to craft emails that are this date- or region-specific shows a significant time investment by the threat actors, and it also increases the complexity of Geodo's delivery infrastructure.
Geodo further stretched its revenue generation model by acting as a downloader for other banking trojans. In one instance it was widely observed spreading TrickBot, though Cofense Intelligence™ was able to track the same phishing campaign spreading Zeus Panda, an unusual step for the threat actors using Geodo. This may be part of a growing trend toward geo-location-based delivery of second-stage malware.
As Geodo increases the targeting and sophistication of its campaigns, the TrickBot botnet has also begun making improvements, most notably the increased use of certain Tor-hosted C2s to download TrickBot modules and updates. An example of this can be seen in the excerpt of a TrickBot configuration file shown in Figure 1.
Figure 1: TrickBot Configuration File Contents
Figure 2: Unique Malware Campaigns
As seen in Figure 2, both of these malware families are ramping up their distribution of spam campaigns with unique narratives. TrickBot is currently exceeding the number of Loki Bot campaigns seen by Cofense Intelligence, and Geodo is not far behind it. Loki Bot has consistently been in Cofense Intelligence's top 5 most frequently seen malware families for some time now. It is one of the most common information-stealing malware families and is popular for its ease of use, versatility, and the relatively minimal investment it requires.
Changes and trends in the tactics, techniques, and procedures of threat actors can take the form of improved phishing delivery infrastructure and narratives, or even changes to the behavior of the malware itself. It is important to stay informed of these trends so that, for example, when a banking trojan begins delivering additional malware, defenders are not caught off guard. Maintaining awareness of the threat landscape is an important part of a multi-layered defense strategy that includes user education and training and makes use of threat intelligence to inform and prepare a dynamic defense.
For details on specific campaigns please refer to TIDs 12307, 12370, 12171.
For a look behind and a look ahead at malware and phishing trends, view the 2018 Cofense™ Malware Review.