Security researchers have discovered a new version of the infamous TrickBot banking Trojan, which has been widely used to carry out infection campaigns and elaborate schemes. The new iteration now includes a worm-like module reminiscent of the WannaCry ransomware.
TrickBot Banking Trojan Evolved: New Version Spreads Across the Internet
Malware researchers have revealed a new iteration of the TrickBot banking Trojan, one of the most capable and widely used hacking tools for carrying out scams and elaborate schemes. It was seen in a live attack last week. One of the improvements found in the latest version is a new infection module that uses a mechanism inspired by the WannaCry ransomware. Like that malware, it uses SMB (Server Message Block) packets to infiltrate target systems. These packets are used by the file and printer sharing service on most operating systems to exchange information.
The acquired samples follow a behavior pattern predefined by the hackers: they first infect systems by exploiting the vulnerabilities chosen by the criminals. The new samples were found to infiltrate via the new exploit and then scan the local network for domains. Once the malware has infiltrated the network, it can find other computers using LDAP (Lightweight Directory Access Protocol), the protocol used by the Active Directory service. According to the researchers, the feature is not yet fully complete and its implementation is not optimized.
TrickBot is a sophisticated malware that is able to extract sensitive information from infected hosts. This includes account credentials, form data stored in browsers, browsing history, behavior patterns and more. The data is relayed to the hackers over a network connection, and they can use it to perform identity theft and financial fraud.
The Ongoing TrickBot Banking Trojan Attack
Since July 17 this year there have been at least three large-scale spam campaigns carrying the TrickBot banking Trojan as the main payload. The hackers behind it use spam messages that include malicious WSF (Windows Script File) attachments, which pose as having been sent by a well-known Australian telecommunications company. The files are placed in archives attached to the messages and are served from various domains registered by the hackers.
All of the emails use spoofed names and template messages. Some examples include the following: Hal (Hal@sabrilex.ru), Diann (Diann@revistahigh.com.br), Melba (Melba@eddiebauer4u.com) and others. Such emails attempt to make the targets download an infected ZIP file whose name consists of the IMG (image) prefix followed by a randomly generated number. Example archives include IMG_4093.ZIP, IMG_4518.ZIP, IMG_0383.ZIP and others.
A previous attack used PDF attachments containing infected Office documents. The campaign in question used embedded .xlsm spreadsheets containing malicious macros. Once they are installed on the compromised system, a built-in script runs and downloads the TrickBot banking Trojan from a remote location.
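The two lure formats above (IMG_&lt;number&gt;.ZIP archives carrying a WSF script, and PDFs embedding a macro-enabled .xlsm sheet) can be turned into a simple mail-gateway triage rule. The following is an added example written for this page, not code from the article or the researchers it cites; the record layout (sender, attachment name, files found inside the attachment) is an assumption, and the sample records are constructed, reusing only the addresses and archive names the article quotes.

```python
import re

# Lure naming scheme described in the article: IMG_ prefix, a random number, .ZIP suffix.
IMG_ZIP_LURE = re.compile(r"^IMG_\d+\.ZIP$", re.IGNORECASE)

# Extensions the article associates with the payload stages: WSF script files inside
# the ZIP archives, and macro-enabled .xlsm spreadsheets embedded in PDF attachments.
SCRIPT_EXTENSIONS = {"wsf"}
MACRO_EXTENSIONS = {"xlsm"}

# Constructed sample of gateway records (sender, attachment name, files found inside
# the attachment). The addresses and archive names are the ones quoted in the article;
# the record layout itself is an assumption made for this example.
SAMPLE_MESSAGES = [
    {"from": "Hal@sabrilex.ru", "attachment": "IMG_4093.ZIP", "contents": ["IMG_4093.wsf"]},
    {"from": "Diann@revistahigh.com.br", "attachment": "IMG_0383.zip", "contents": ["holiday.jpg"]},
    {"from": "Melba@eddiebauer4u.com", "attachment": "invoice.pdf", "contents": ["sheet.xlsm"]},
    {"from": "colleague@example.com", "attachment": "photos.zip", "contents": ["beach.jpg"]},
]


def _extension(filename):
    """Return the lower-cased extension of filename, or '' when it has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_attachment(attachment, contents):
    """Return the list of reasons an attachment matches the article's lure indicators.

    An empty list means nothing matched; one reason is worth holding for review,
    two or more (lure name plus a script inside) is worth quarantining outright.
    """
    reasons = []
    if IMG_ZIP_LURE.match(attachment):
        reasons.append("archive name follows the IMG_<number>.ZIP lure pattern")
    for inner in contents:
        ext = _extension(inner)
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"attachment carries a Windows Script File: {inner}")
        elif ext in MACRO_EXTENSIONS:
            reasons.append(f"attachment carries a macro-enabled spreadsheet: {inner}")
    return reasons


def triage_messages(messages):
    """Map each attachment name to a verdict and its reasons for a batch of records."""
    results = {}
    for msg in messages:
        reasons = triage_attachment(msg["attachment"], msg["contents"])
        verdict = "clean" if not reasons else ("review" if len(reasons) == 1 else "quarantine")
        results[msg["attachment"]] = {"verdict": verdict, "reasons": reasons}
    return results


if __name__ == "__main__":
    for name, result in triage_messages(SAMPLE_MESSAGES).items():
        print(f"{name:15} {result['verdict']:10} {'; '.join(result['reasons'])}")
```

The name pattern alone is a weak signal (a legitimate photo archive could be called IMG_1234.zip), which is why the verdict only escalates to quarantine when the archive contents confirm the script payload; the extension sets are deliberately small here and would be extended in production.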
Further Details About The TrickBot Banking Trojan
The TrickBot banking Trojan includes two modules that operate over network services:
- MachineFinder – This module lists all available servers on the compromised network. This is the first-stage reconnaissance performed once the TrickBot banking Trojan has infiltrated the system.
- Netscan – This module enumerates the local Active Directory by launching built-in commands.
The experts discovered that the current versions of the TrickBot banking Trojan use a Python implementation to launch the commands. The iteration found is compatible with all modern versions of the Microsoft Windows operating system family: Windows 2007, Windows 7, Windows 2012 and Windows 8. One of the main goals of the malware is to launch a PowerShell instance; once launched, it downloads a secondary TrickBot sample onto an accessible network share under the name “setup.exe”. This effectively allows the TrickBot banking Trojan to spread across the network and copy itself in a WannaCry ransomware-like way.
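The lateral-movement step just described, a PowerShell instance writing a copy named setup.exe onto network shares, leaves a recognisable trail in file-share audit data. The example below is added for this page and is not code from the article or the researchers; it runs over constructed audit records in a key=value layout assumed for the example (not a real product's log format), flags share writes of setup.exe, raises the severity when the writing process is powershell.exe, and lists hosts that have dropped the file on more than one machine, which is the spreading behaviour the article attributes to the new module.

```python
import re
from collections import defaultdict

# Constructed file-share audit records in a key=value layout assumed for this example
# (not a real product's log format). Host names and timestamps are made up.
SAMPLE_EVENTS = [
    r"2017-07-27T10:02:11Z host=WS01 proc=powershell.exe op=write path=\\FS01\public\setup.exe",
    r"2017-07-27T10:02:40Z host=WS01 proc=powershell.exe op=write path=\\WS07\C$\setup.exe",
    r"2017-07-27T10:05:03Z host=WS02 proc=explorer.exe op=write path=\\FS01\public\quarterly.xlsx",
    r"2017-07-27T10:06:19Z host=WS03 proc=msiexec.exe op=write path=C:\Temp\setup.exe",
    r"2017-07-27T10:09:44Z host=WS04 proc=cmd.exe op=write path=\\FS02\share\setup.exe",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$"
)

# The article names both the dropped file and the process that drops it.
DROPPED_NAME = "setup.exe"
DROPPER_PROCESS = "powershell.exe"


def parse_event(line):
    """Parse one audit line into a dict, or return None for lines that do not fit."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def share_target(path):
    """Return the server named in a UNC path (two leading backslashes, then server,
    then share); return None for local paths such as C:\\Temp."""
    if not path.startswith("\\\\"):
        return None
    return path[2:].split("\\", 1)[0]


def find_share_drops(lines):
    """Return every write of setup.exe onto a network share, with a severity per event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "write":
            continue
        target = share_target(ev["path"])
        if target is None:
            continue
        if ev["path"].rsplit("\\", 1)[-1].lower() != DROPPED_NAME:
            continue
        severity = "high" if ev["proc"].lower() == DROPPER_PROCESS else "medium"
        hits.append({"time": ev["ts"], "host": ev["host"], "target": target,
                     "proc": ev["proc"], "severity": severity})
    return hits


def spreading_hosts(lines, min_targets=2):
    """Hosts that dropped setup.exe on at least min_targets distinct machines."""
    targets = defaultdict(set)
    for hit in find_share_drops(lines):
        targets[hit["host"]].add(hit["target"])
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)


if __name__ == "__main__":
    for hit in find_share_drops(SAMPLE_EVENTS):
        print(hit)
    print("hosts spreading laterally:", spreading_hosts(SAMPLE_EVENTS))
```

A single setup.exe landing on a share is common enough (software installers) that the per-event severity is only a hint; the fan-out count from `spreading_hosts` is the stronger signal, since a workstation writing the same executable to several other machines within minutes is the worm-like pattern the article describes.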
TrickBot Banking Trojan Global Impact Continues to Rise
The TrickBot banking Trojan is one of the most widely used malware families for stealing banking credentials. It has been used extensively by various criminal collectives ever since its first iterations rose to prominence last year in large-scale attacks. TrickBot is aimed at both individual users and financial institutions; it became notorious for daily email messages containing malicious attachments or hyperlinks that lead to TrickBot instances. Most of the large attacks were aimed at banks located in the USA.
Since July this year a new spam campaign has been ongoing that uses the powerful Necurs botnet to deliver the malware samples to potential victims across the world. Among the most affected countries are the UK, USA, New Zealand, Denmark, Canada and others. We remind our readers that this is one of the world’s largest botnets: at any given time there are about one million bots (infected hosts) that can be used to launch a massive attack.
Users can scan their computers for active infections and protect their systems from incoming attacks by using a quality anti-malware solution.