The creators of the TrickBot malware have added a new module that helped them illegally collect a database of 250 million legitimate email addresses.
According to Deep Instinct, whose specialists uncovered both the new module and the large database, millions of the collected addresses belong to government agencies and their employees in the United States. Most likely these addresses were collected for use in future TrickBot operations, explains Shaul Vilkomir-Preisman, a malware and cyber intelligence specialist at Deep Instinct, in a blog post published on July 12 together with fellow researcher Tom Niedowski.
U.S. government organizations whose emails appear in the TrickBot database include the Department of Justice, the Department of Homeland Security, the State Department, the Social Security Administration, the Internal Revenue Service, the House of Representatives, NASA, the Postal Service and many others. The database also contained universities and government agencies in the UK and Canada, including the UK Department of Defence and the UK Public Health Authority.
“Checking several thousand compromised email addresses for leaks and violations leads us to believe this is a new mass email hack that we haven’t seen or reported before,” Vilkomir-Preisman said in the blog post.
The new module, dubbed TrickBooster by Deep Instinct, is an infection and email distribution module. TrickBooster collects credentials and contacts from the victim’s address book, Inbox and Outbox, and can send spam from the victim’s hijacked account, then removes those messages from the Outbox and Trash folders to hide the malicious activity.
Some TrickBooster samples observed by Deep Instinct were signed with code-signing certificates issued by Thawte Consulting, which appear to have originally been issued to various legitimate small and medium businesses in the United States. Deep Instinct stated that DigiCert/Thawte revoked these certificates after they were reported.
Once downloaded by TrickBot, TrickBooster harvests not only the victim’s list of email contacts but also the victim’s own email credentials, and sends that information to a malicious C2 server. This data can subsequently be sold and bought on the dark web.
In the next step the server instructs the malware to use the hijacked account to send spam to other email addresses, perhaps to monetize the access or to spread the malware further.
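The behaviour described above (a burst of outbound mail from a hijacked mailbox, followed by deletion of the sent copies from the Outbox and Trash folders) leaves a pattern in mailbox audit logs that a defender can look for. The following is an added detection sketch, not code from Deep Instinct or from the article; the log format, folder names, thresholds and the sample mailboxes are all constructed for illustration and do not correspond to any vendor's audit schema.

```python
"""Flag mailboxes that burst-send mail and then purge their own Outbox / Trash,
the clean-up pattern attributed to TrickBooster in the article above.

Log format (constructed, not a real product schema):
    <ISO-8601 time>Z <account> <action> key=value ...
Actions used: Send (to=...), Delete (folder=..., id=...).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SEND_THRESHOLD = 20              # sends inside one window that count as a burst
WINDOW = timedelta(minutes=15)   # sliding window per mailbox
PURGE_FOLDERS = {"Outbox", "Trash"}  # folders the article says the module empties
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed log line into (timestamp, account, action, fields)."""
    ts, account, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, TIME_FMT), account, action, fields


def detect_send_then_purge(lines):
    """Return {account: reason} for mailboxes that sent >= SEND_THRESHOLD messages
    within WINDOW and then deleted items from a purge folder inside that window."""
    events = sorted(parse_line(l) for l in lines if l.strip())  # time order across accounts
    recent_sends = defaultdict(deque)  # account -> timestamps of sends inside WINDOW
    alerts = {}
    for ts, account, action, fields in events:
        recent = recent_sends[account]
        while recent and ts - recent[0] > WINDOW:   # drop sends that fell out of the window
            recent.popleft()
        if action == "Send":
            recent.append(ts)
        elif action == "Delete" and fields.get("folder") in PURGE_FOLDERS:
            if len(recent) >= SEND_THRESHOLD and account not in alerts:
                alerts[account] = (f"{len(recent)} sends within {WINDOW} followed by purge "
                                   f"of {fields['folder']} at {ts.strftime(TIME_FMT)}")
    return alerts


def constructed_log():
    """Build a constructed sample log: one mailbox behaving like the module, one normal user."""
    t0 = datetime(2019, 7, 10, 8, 0, 0)
    stamp = lambda delta: (t0 + delta).strftime(TIME_FMT)
    lines = []
    # alice: 25 spam sends in 25 seconds, then the sent copies are wiped from Outbox and Trash
    for i in range(25):
        lines.append(f"{stamp(timedelta(seconds=i))} alice@example.org Send to=target{i}@example.net")
    for i in range(25):
        lines.append(f"{stamp(timedelta(seconds=30 + i))} alice@example.org Delete folder=Outbox id=m{i}")
    for i in range(25):
        lines.append(f"{stamp(timedelta(seconds=60 + i))} alice@example.org Delete folder=Trash id=m{i}")
    # bob: a few ordinary mails and one routine deletion from the Inbox
    for i in range(3):
        lines.append(f"{stamp(timedelta(minutes=5 * i))} bob@example.org Send to=colleague{i}@example.org")
    lines.append(f"{stamp(timedelta(minutes=20))} bob@example.org Delete folder=Inbox id=n1")
    return lines


if __name__ == "__main__":
    for account, reason in detect_send_then_purge(constructed_log()).items():
        print(f"ALERT {account}: {reason}")
```

The rule deliberately keys on the combination of a send burst and a purge of the sent copies rather than on either alone: bulk sending is normal for some mailboxes and routine deletions are normal for all of them, but a user who fires off dozens of messages and then immediately empties the Outbox and Trash is rare. In a real deployment the thresholds would be tuned per mailbox population, and the rule would be paired with the credential-theft indicators (logins from new locations, new forwarding rules) that accompany the harvesting step.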
According to Deep Instinct, the malware does an excellent job of covering its tracks by deleting the original infecting executable. “The result is that it is missed by almost all scan security providers, an impressive stealth factor that is very desirable among malware operators,” the blog post said.