
TrickBot Banking Trojan Updated: WannaCry-Inspired Module Now Active


Security researchers have discovered a new version of the infamous TrickBot banking Trojan, which has been widely used to run infection campaigns and elaborate schemes. The new iteration now includes a worm-like module reminiscent of the WannaCry ransomware.

Related Story: TrickBot Banking Trojan Is Here to Replace Dyre

TrickBot Banking Trojan Evolved: New Version Spreads Over the Internet

Malware researchers have revealed a new iteration of the TrickBot banking Trojan, one of the most capable and widely used hacking tools for carrying out elaborate scams and schemes. It was seen in a live attack last week. One of the improvements found in the latest version is a new infection module that uses a mechanism inspired by the WannaCry ransomware. Like that malware, it uses SMB (Server Message Block) packets to infiltrate target systems; SMB is the protocol most operating systems use for file and printer sharing.

The acquired samples follow a predefined behavior pattern set by the hackers: they first infect systems using the vulnerabilities the criminals have chosen. The new samples have been found to infiltrate via the new exploit and then scan the local network for domains. Once the malware has entered the network it can find other computers using LDAP (Lightweight Directory Access Protocol), the protocol used by the Active Directory service. According to the research, the feature is not yet fully complete and its implementation is not optimized.

TrickBot is a sophisticated malware that is able to extract sensitive information from infected hosts. This includes account credentials, stored form data from browsers, history, behavior patterns and more. The data is relayed to the hackers over a network connection, and they can use it to perform identity theft and financial fraud.

The Ongoing TrickBot Banking Trojan Attack

Since July 17 this year there have been at least three large-scale spam campaigns carrying the TrickBot banking Trojan as the main payload. The hackers behind them use spam messages that include malicious WSF files. These are Windows Script Files that pose as being sent by a well-known Australian telecommunications company. The files are packed in archives attached to the messages, and the messages use different domains registered by the hackers.

All of the emails use spoofed names and template messages. Some examples include the following: Hal (Hal@sabrilex.ru), Diann (Diann@revistahigh.com.br), Melba (Melba@eddiebauer4u.com) and others. Such emails attempt to make the targets download an infected ZIP file whose name has the IMG (image) prefix followed by a randomly generated number. Example archives include IMG_4093.ZIP, IMG_4518.ZIP, IMG_0383.ZIP and others.

A previous attack used PDF attachments containing infected Office documents. The campaign in question used embedded .xlsm spreadsheets containing malicious macros. Once they are installed on the compromised system, a built-in script is activated that downloads the TrickBot banking Trojan from a remote location.
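The delivery indicators described above (spoofed first-name senders at attacker-registered domains, IMG_<number>.ZIP lures, a Windows Script File inside the archive) can be turned into a mail-gateway triage rule. The following is an added example written for this article, not code from the article or from any vendor; the Message record layout, the archive member names and the sample messages are constructed for the demonstration, while the sender domains and archive names come from the text.

```python
import re
from dataclasses import dataclass, field

# Sender domains and archive naming reported for the July spam waves.
SUSPECT_SENDER_DOMAINS = {"sabrilex.ru", "revistahigh.com.br", "eddiebauer4u.com"}
# Lure archives are named IMG_<random number>.ZIP.
IMG_ZIP_RE = re.compile(r"^IMG_\d+\.ZIP$", re.IGNORECASE)


@dataclass
class Message:
    """Minimal mail metadata record (constructed layout, not a real gateway schema)."""
    sender: str
    subject: str
    attachments: list                      # attachment file names
    archive_contents: dict = field(default_factory=dict)  # archive name -> member names


def score_message(msg: Message) -> list:
    """Return the list of campaign indicators matched by one message."""
    reasons = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain in SUSPECT_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain} was used by the campaign")
    for name in msg.attachments:
        if IMG_ZIP_RE.match(name):
            reasons.append(f"attachment {name} matches the IMG_<number>.ZIP lure pattern")
            # Look inside the archive listing for a Windows Script File.
            members = msg.archive_contents.get(name, [])
            if any(m.lower().endswith(".wsf") for m in members):
                reasons.append(f"{name} contains a Windows Script File (.wsf)")
    return reasons


def flag_messages(messages) -> list:
    """Return (sender, reasons) for every message that matched at least one indicator."""
    flagged = []
    for msg in messages:
        reasons = score_message(msg)
        if reasons:
            flagged.append((msg.sender, reasons))
    return flagged


# Constructed sample messages: one full campaign match, one benign mail,
# and one lure from a sender domain that is not on the known list.
SAMPLE_MESSAGES = [
    Message("Hal@sabrilex.ru", "IMG_4093", ["IMG_4093.ZIP"],
            {"IMG_4093.ZIP": ["IMG_4093.wsf"]}),
    Message("accounts@example.com", "Invoice", ["invoice_2017-07.pdf"]),
    Message("Diann@unknown-sender.example", "IMG_0383", ["IMG_0383.ZIP"],
            {"IMG_0383.ZIP": ["IMG_0383.wsf"]}),
]

if __name__ == "__main__":
    for sender, reasons in flag_messages(SAMPLE_MESSAGES):
        print(sender)
        for reason in reasons:
            print("  -", reason)
```

The third sample shows why the rule scores on the attachment pattern as well as on the sender list: the domain set only covers senders already seen, while the IMG_<number>.ZIP plus .wsf combination still catches the lure when the spoofed sender changes.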

Further Details About The TrickBot Banking Trojan

The TrickBot banking Trojan includes two functions that make use of network services:

  1. MachineFinder – This module lists all available servers on the compromised network. This is the first-stage reconnaissance performed once the TrickBot banking Trojan has infiltrated the system.
  2. Netscan – It enumerates the local Active Directory by launching built-in commands.

The experts discovered that the current versions of the TrickBot banking Trojan use a Python implementation to launch the commands. The iteration found is compatible with all modern versions of the Microsoft Windows operating system family: Windows 2007, Windows 7, Windows 2012 and Windows 8. One of the main goals of the malware is to launch a PowerShell instance; once launched, it downloads a secondary TrickBot sample onto an accessed network share under the name “setup.exe”. This effectively allows the TrickBot banking Trojan to spread across the network and copy itself in a WannaCry ransomware-like way.
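The host-side behaviour described here, a PowerShell launch followed shortly by a file named setup.exe being written to a network share, is a sequence that endpoint telemetry can correlate. The example below is added for this article and is not code from the article or from any security product; the key=value event format, host names, timestamps and the five-minute window are constructed assumptions, while the PowerShell-then-setup.exe pattern comes from the text.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): process-creation and
# file-write records in key=value form, one per line. WS01 shows the pattern
# from the text; WS03 writes setup.exe to a share with no PowerShell launch;
# WS04 launches PowerShell but writes setup.exe only to a local path.
SAMPLE_EVENTS = r"""
2017-07-20T10:01:05 host=WS01 event=process_create image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2017-07-20T10:02:10 host=WS01 event=file_write path=\\WS02\C$\setup.exe
2017-07-20T10:15:00 host=WS03 event=file_write path=\\FS01\public\setup.exe
2017-07-20T11:30:00 host=WS04 event=process_create image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2017-07-20T11:31:00 host=WS04 event=file_write path=C:\Users\bob\Downloads\setup.exe
""".strip().splitlines()


def parse_event(line: str) -> dict:
    """Parse '<ISO timestamp> key=value ...' into a dict with a datetime 'time'."""
    ts, *pairs = line.split()
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def is_powershell_launch(event: dict) -> bool:
    return (event.get("event") == "process_create"
            and event.get("image", "").lower().endswith("\\powershell.exe"))


def is_share_setup_write(event: dict) -> bool:
    """True for a file write of setup.exe to a UNC path (\\host\share\...)."""
    path = event.get("path", "")
    return (event.get("event") == "file_write"
            and path.startswith("\\\\")
            and path.lower().endswith("\\setup.exe"))


def share_setup_writes(lines) -> list:
    """Every UNC write of setup.exe, regardless of what preceded it (lower-confidence signal)."""
    return [e["path"] for e in map(parse_event, lines) if is_share_setup_write(e)]


def find_lateral_copies(lines, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert when a host writes setup.exe to a share within `window` of launching PowerShell."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    last_powershell = {}  # host -> time of most recent PowerShell launch
    alerts = []
    for event in events:
        host = event.get("host")
        if is_powershell_launch(event):
            last_powershell[host] = event["time"]
        elif is_share_setup_write(event):
            started = last_powershell.get(host)
            if started is not None and event["time"] - started <= window:
                alerts.append({"host": host,
                               "share_path": event["path"],
                               "powershell_at": started.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_lateral_copies(SAMPLE_EVENTS):
        print("possible share-based spread:", alert)
    print("all setup.exe share writes:", share_setup_writes(SAMPLE_EVENTS))
```

The correlated rule fires only for WS01; the standalone `share_setup_writes` list also surfaces the WS03 write, which is worth a lower-priority review because the article notes the module is still incomplete and the exact sequence may vary between samples.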

Related Story: Dreambot Banking Trojan Malware - Detect and Remove It

TrickBot Banking Trojan Global Impact Continues to Rise

The TrickBot banking Trojan is one of the most widely used malware families for stealing banking credentials. It has been used extensively by various criminal collectives ever since its first iterations rose to prominence last year in large-scale attacks. TrickBot is aimed at both individual users and financial institutions; it became famous for daily email messages containing malicious attachments or hyperlinks that lead to TrickBot instances. Most of the large attacks were aimed against banks located in the USA.

Since July this year a new spam campaign has been ongoing that uses the powerful Necurs botnet to deliver the malware samples to potential victims across the world. Among the most impacted countries are the UK, USA, New Zealand, Denmark, Canada and others. We remind our readers that this is one of the world’s largest botnets: at any given time there are about one million bots (infected hosts) that can be used to launch a massive attack.

Victims can scan their computers for active infections and protect their systems from incoming attacks by using a quality anti-malware solution.


Martin Beltov

Martin graduated in publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and intrusion mechanisms.
