LightBot

LightBot Description

>LightBot is a new malware tool observed as part of the arsenal of the infamous TrickBot hacker. This newest malware creation has taken the place of the BazarLoader Malware as the payload being delivered through a phishing email campaign.

The hackers designed the phishing emails to appear as if they are being sent by an HR department or a legal representative. The fake pretense is that the targeted user has had their employment terminated or that a customer has filed a complaint against them. The email then urges the recipient to click on a link that leads to a Google Docs page. Users are told that previewing the doc hosted there has been disabled and will have to download it. However, instead of the expected 'document.doc' file, a JavaScript file that launches the LightBot PowerShell script is dropped on the computer.

Analysis of LightBot reveals that it is a streamlined infostealer designed to help TrickBot hackers pick out any high-value targets present on the already compromised network. Elevating their criteria for what is considered a worthy target allows the cybercriminals to handpick only a couple of entities that will be infected with the Ryuk Ransomware or other potent ransomware threat.

Hackers carefully craft phishing emails to look as genuine as possible. The emails appear to come from a legal representative or an HR department at a company. The message claims that the recipient has been fired or that a customer has filed a formal complaint against them for some reason. The victim is told to click on a link to open a Google Docs page. The Docs page claims that the file in question can't be previewed and must be downloaded and opened instead. What users download is a JavaScript file that launches the PowerShell script to download and install LightBot on the computer.

Security experts looked into LightBot and what they found was an infostealer virus designed to help the TrickBot team find and choose high-value targets on their network. The malware effectively allows hackers to filter through their network for worthy targets, letting them choose a few entities to infect with Ryuk Ransomware and similar ransomware threats. Taking this careful approach reduces the risk of detection and maximizes profits for hackers.

LightBot connects to the Command And Control (C2) server after installation. The virus maintains the connection and awaits further instructions and PowerShell scripts. The C2 server sends PowerShell scripts that determine which information the hackers receive from LightBot to find potential targets. The scripts harvest data such as usernames, computer names, hardware information, Windows domain controllers, IP address, DNS domain, network card, and a list of programs installed on the computer.

LightBot also creates two new files in the %temp% folder. The first file is a base64 encoded string, while the second is a PowerShell script to decode and execute the base64 string. Researchers believe that this could be how the virus establishes persistence on the system. The PowerShell script creates an automated task to run every day at 7 AM, which would mean the virus starts itself every morning.

The good news is that this virus shouldn't be too difficult to avoid. Computer viruses rely on the naivety and carelessness of internet users. Companies should take the time to educate their workers about LightBot and similar viruses. The malware spreads through phishing emails, so training staff to recognize these emails goes a long way to preventing infection. Establishing a clear HR protocol will also help. If people know they will never receive disciplinary action emails, threat actors can't tempt them to download the file that launches LightBot. These emails are crafted to panic users, so establish situations in which they would never receive an email like that in the first place.

Some basic education and preparation go a long way towards keeping computer viruses away from home and work computers. Viruses can't infect computers without a little help from humans. It's not like you want your computer to get infected, however, so take a moment to learn some basic security practices such as spotting phishing emails, avoiding torrent websites, and recognizing potential threats.

With that said, the advent of LightBot shows just how resilient the team behind TrickBot is. It didn't take the team long to recover after being shut down, and now they have adapted and come up with new solutions to prevent further action against them. TrickBot isn't the only resilient threat out there either. It was impressive Microsoft managed to bring down one of the world's biggest botnets, but they didn't stay down for long. New threats emerge all the time, but sometimes an old one comes back for another round.