Security researchers uncovered a new version if the infamous TrickBot banking Trojan that has been used extensively to carry out infection campaigns and elaborate scams. The new iteration now includes a worm-like module that is reminiscent of the WannaCry ransomware.
TrickBot Banking Trojan Evolved: New Version Spreads Across the Internet
Malware researchers revealed a new iteration of the TrickBot banking Trojan, one of the most capable and widely used hacking tools to perform elaborate scams and virus attacks. It was spotted in a live attack last week. One of the improvements found in the latest release is a new infection module that uses a WannaCry ransomware inspired mechanism. Similar to the malware it uses SMB (Server Message Block) packets to infiltrate the target systems. They are used by the file and printer sharing service by most operating systems to exchange information.
The acquired versions follow a predefined behavior pattern as defined by the hackers by first infecting the systems using vulnerabilities as defined by the criminals. The new samples have been found to infiltrate via the new exploit and scan the local network for domains. Once the malware has infiltrated the network it can find other computers using the LDAP protocol (Lightweight Directory Access Protocol) used by the Active Directory service. According to the research the feature is not yet fully complete and its implementation is not optimized.
TrickBot is a sophisticated malware that is able to extract sensitive information from the infected hosts. This includes account credentials, stored form data from the browsers, history, behavior patterns and etc. The data is relayed to the hackers via a network connection and they can use it to perform identity theft and financial fraud.
The Ongoing TrickBot Banking Trojan Attack
Since July 17 this year there have been at least three large-scale spam campaigns that carry the Trickbot banking Trojan as the main payload. The hackers behind it use spam messages that include malicious WSF files. They are Windows Script Files that pose as being sent by a well-known Australian telecommunications company. The files are placed in archive messages and use different domains that are registered by the hackers.
All of the email use spoofed names and template messages. Some examples include the following: Hal (Hal@sabrilex.ru), Diann (Diann@revistahigh.com.br), Melba (Melba@eddiebauer4u.com) and others. Such emails attempt to make the targets download a ZIP-infected file with the IMG (image) prefix followed by a randomly-generated number. Example archives include: IMG_4093.ZIP, IMG_4518.ZIP, IMG_0383.ZIP and others.
A previous attack used PDF attachments containing infected Office documents. The campaign in question used embedded .xlsm spreadsheets containing malicious macros. Once they are installed on the compromised system, a built-in script is activated that downloads the TrickBot banking Trojan from a remote location.
Further Details About The TrickBot Banking Trojan
The Trickbot banking Trojan includes two functions that are used by the network services:
- MachineFinder – This module lists all available servers on the compromised network. This is the first stage reconnaissance performed once the Trickbot banking Trojan has infiltrated the system.
- Netscan – It enumerates the local active directory by launching built-in commands.
The experts discovered that the current versions of the TrickBot banking Trojan use a python implementation to launch the commands. The found iteration is compatible with all modern versions of the Microsoft Windows operating system family:Windows 2007, Windows 7, Windows 2012 and Windows 8. One of the main goals of malware is to launch a PowerShell instance, once launched it downloads a secondary TrickBot sample onto an accessed network share under the name “setup.exe”. This effectively allows the TrickBot banking Trojan to spread across the network and copy itself in a WannaCry ransomware-like way.
TrickBot Banking Trojan Global Impact Continues to Rise
The TrickBot banking Trojan is one of the most widely used malware used to steal banking credentials. It has been used extensively by various criminal collectives ever since its first iterations rose to prominence last year in large-scale attacks. TrickBot is aimed both against individual users and financial institutions – it became famous for daily email messages containing malicious attachments or hyperlinks that lead to TrickBot instances. Most of the large attacks were aimed against banks located in the USA.
Ever since July this year a new spam campaign has been ongoing that uses the powerful Necurs botnet to deliver the malware samples to potential victims across the world. One of the most impacted countries are the UK, USA, New Zealand, Denmark, Canada and others, We remind our readers that this is one of the world’s largest botnets, at any given time there are about one million bots (infected hosts) that can be used to launch a massive attack.
Computer victims can scan their computers for active infections and protect their systems from incoming attacks by using a quality anti-malware solution.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: