New LightBot Reconnaissance Malware is Now Being Used to Scope Out High-Value Targets Within Organizations

Dec 17, 2020

New LightBot Reconnaissance Malware is Now Being Used to Scope Out High-Value Targets Within Organizations Image

Over the past month, security researchers have observed a new development in regards to Trickbot phishing campaigns. Instead of distributing TrickBot’s BazarLoader malware like usual, there has been a switch to installing a new malicious PowerShell script. This script, dubbed LightBot, is a lightweight reconnaissance tool used to gather information on a victim’s network, allowing cybercriminals to assess their value as candidates for ransomware attacks.

“The new TrickBot group “LightBot” is a PowerShell reconnaissance script used by the same group linked to the high-level ransomware and breach incidents involving Universal Health Service (UHS). LightBot is focused on reconnaissance for high-value targets via network and active directory (similar to the FIN7 reconnaissance profiler script).”

Vitali Kremez, Advanced Intel.

Like BazarLoader phishing campaigns, LightBot phishing emails trick users by pretending to be from human resources or the legal department, contacting users regarding customer complaints or the termination of the recipient’s employment. The embedded link downloads and launches the LightBot PowerShell script, which makes repeated connections to a
command and control (C2) server to receive additional scripts and send back collected data. The collected information allows cybercriminals to identify valuable targets and launch more effective ransomware attacks in the future.

The key takeaway from this tactical change is that cybercriminals are doing their homework. Organizations must understand the calculated and patient nature of sophisticated cyberattacks. Attacks are not carried out on a whim, and attackers will collect intel for extensive periods of time before they strike. Cybercriminals gather and analyze open-source information to identify ways to access your network even before probing your organization. To combat this level of preparation, extensive preparation is required from your organization. This is why Secuvant offers services that support organizations in being proactive regarding their security. We work with organizations to monitor endpoints, educate employees, and instill a good cybersecurity culture to counter these attacks and secure your network.

“PowerShell continues to be integrated into attacks as seen with the LightBot script. Secuvant’s SIEM can monitor PowerShell components (operations, security, compliance) and alert on remote session attempts and command execution.”

Secuvant’s Director of Security Operations, Eric Peterson
About Secuvant

Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics aimed at minimizing business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more, visit