Banking Trojan Infections Persist Throughout the State

The NJCCIC continues to receive reports from New Jersey businesses and organizations that have been victimized by cyber-attacks stemming from banking trojans, such as TrickBot and Emotet. Banking trojans are deployed by threat actors to obtain credentials for sensitive accounts, such as those for online banking and shopping. The majority of these incidents involved malicious, payment-themed emails that appeared to come from a contact familiar to the recipient.

Recently, the NJCCIC also detected an email campaign attempting to deliver the TrickBot banking trojan to New Jersey government accounts. These emails appear to come from PayPal, are sent from an address that includes “noreply,” and display the subject line “PayPal account verification form. First warning.” A malicious Microsoft Word document with a filename of “pp-” followed by random digits is attached. If recipients open the document and enable macros to run, TrickBot will install onto their system and download additional malware and modules.

The NJCCIC recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-virus/anti-malware solution. Proactively change administrative, domain controller, and user passwords for financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available. Organizations are advised to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to help detect and prevent email spoofing.
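The campaign traits described above can be checked against stored or quarantined messages during triage. The following Python is an added example, not NJCCIC code; the function names, the Word file extensions, the use of the Authentication-Results header for the DMARC verdict, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT = "paypal account verification form. first warning."
# "pp-" followed by digits, as described; the Word extensions are an assumption.
ATTACHMENT_RE = re.compile(r"^pp-\d+\.(doc|docx|docm)$", re.IGNORECASE)


def match_campaign(raw: bytes) -> list[str]:
    """Return the names of the advisory's indicators that a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    display, addr = parseaddr(str(msg.get("From", "")))
    if "paypal" in display.lower() or "paypal" in addr.lower():
        hits.append("claims_paypal")
    if "noreply" in addr.lower():
        hits.append("noreply_sender")
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        if ATTACHMENT_RE.match(part.get_filename() or ""):
            hits.append("attachment_name")
            break
    # Receiving MTAs record SPF/DKIM/DMARC verdicts in Authentication-Results.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", [])).lower()
    if "dmarc=pass" not in auth:
        hits.append("dmarc_not_pass")
    return hits


def build_sample(subject: str, sender: str, filename: str, auth: str) -> bytes:
    """Construct a test message (constructed sample data, harmless attachment body)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", subject
    msg["Authentication-Results"] = auth
    msg.set_content("Please complete the attached form.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="msword", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("PayPal account verification form. First warning.",
                        "PayPal <noreply@mail.example.net>", "pp-4821907.doc",
                        "mx.example.org; spf=fail; dkim=none; dmarc=fail")
    print(match_campaign(lure))
```

A message that matches several indicators at once is a candidate for quarantine and for the isolation and password-reset steps recommended above; a single hit such as `claims_paypal` alone is not sufficient to classify a message.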