

In a scene straight out of a zombie television series, the TrickBot malware has risen from the dead with a new attack that may have targeted as many as 250 million email accounts, including those belonging to U.S. government employees.
Season four of TrickBot, as described Friday by researchers at cybersecurity firm Deep Instinct Ltd., is back in the form of a variant that includes a cookie-stealing module as well as a malicious email-based infection and distribution module that steals and shares signing certificates.
The latter module is being used in a campaign to harvest email credentials and contacts from a victim’s address book, inbox and outbox, with the added feature of sending out malicious spam emails from a compromised account to infect others. The new TrickBot version also deletes sent messages from both the outbox and trash folder of a victim to hide its presence.
The malware, coming in the form of an email attachment, forces a user to download TrickBooster, malware that reports back to a command-and-control server with details stolen from the victim’s email account.
The new version of TrickBot, which was mostly known for targeting bank and cryptocurrency accounts, is now focused exclusively on email harvesting. “We managed to recover a database containing 250 million e-mail accounts harvested by TrickBot operators, which most likely were also employed as lists of targets for malicious delivery and infection,” the security researchers wrote. “The database includes millions of addresses from government departments and agencies in the U.S. and the U.K.”
The list of U.S. government departments where email accounts have been targeted and possibly compromised in the new TrickBot campaign is not only disturbing but is also why Season 4 of TrickBot is newsworthy.
Email accounts include those from the U.S. Department of Justice; Homeland Security; State; Bureau of Prisons; Social Security Administration; Bureau of Alcohol, Tobacco and Firearms; Internal Revenue Service; Federal Aviation Administration; National Aeronautics and Space Administration; Department of Transportation; and various others.
In an age of paranoia in relation to Huawei Technologies Co. Ltd., TrickBot is potentially stealing confidential information and possibly even state secrets from vital U.S. government agencies.
The security researchers at Deep Instinct said they’re continuing their research and analysis into the new TrickBot attack and are in the process of reporting the details of the attack to relevant authorities.