New Trickbot malware update makes detection even more difficult


Trickbot malware has been updated with a new propagation method which makes it even more difficult to detect.

Beginning its life as a banking Trojan, Trickbot first appeared in 2016, but in the years that followed it was repeatedly repurposed, serving as an information stealer in its own right and providing backdoor access to infected machines, which allows cybercrime groups to use it as a gateway for delivering other malware across already compromised networks.

Trickbot can also function as a botnet to help spread to other victims, commonly using spam email phishing campaigns to distribute malicious attachments that run it on a Windows machine when opened. Once executing on a machine, Trickbot can also exploit the EternalBlue vulnerability to move laterally across a network.

Researchers at Palo Alto Networks presented in detail the latest update to Trickbot, which has been running since April and offers a better method of evading detection.

Modular malware

Trickbot is modular, which allows its authors to easily add or remove functionality and this is what made it easy to make the latest changes. A module called Mworm has been responsible for contributing to the dissemination of Trickbot since September of last year, but it has been replaced by a new module – Nworm. Researchers noticed it when it appeared on an infected Windows 7 client and note that it greatly alters Trickbot’s HTTP traffic.

Now, when Trickbot infects a domain controller, the malware is executed from memory, so no artifacts are left on the infected machine, which makes detection more difficult. In addition, the binary used by Nworm is encrypted while it is transferred over the Internet, which also helps hide the malware’s activity.

“This is the latest in a series of changes to TrickBot, which is evolving as part of our current threat landscape,” said Brad Duncan, threat intelligence analyst at the Unit 42 research division of Palo Alto Networks.

In March, the Trickbot writers added capabilities that appear to be designed to help conduct cyber espionage against specific targets – including telecommunications providers, universities and financial services.

EternalBlue, a key element in its spread

But despite the powerful nature of Trickbot, organizations can do a lot to protect themselves from it. “Best security practices, such as using fully patched and updated versions of Microsoft Windows, will help prevent infection by Trickbot,” said Duncan.

EternalBlue, the Windows vulnerability that powered the WannaCry ransomware, is a key part of Trickbot’s spread, but despite the release of a patch more than three years ago, cybercriminals continue to exploit it because some organizations still haven’t applied it to their networks.

By applying security updates as they arrive, organizations can avoid falling victim to Trickbot and other malicious hacking campaigns that exploit known vulnerabilities, which may be years old.
