Trickbot banking malware has new trick up its sleeve

News by Rene Millman

Security reserachers have discovered that the Trickbot malware has been updated with you capabilities to evade detection and lock victim's computers.

Also in:

Security reserachers have discovered that the Trickbot malware has been updated with you capabilities to evade detection and lock victim's computers.

The malware, first discovered in 2016, targets customers of major banks. According to a blog post by researchers at Webroot, the updated Trickbot has "continually undergone updates and changes in attempts to stay one step ahead of defenders”.

Researchers said that they observed a module (tabDll32 / tabDll64) being downloaded by TrickBot that has not been seen in the wild before this time. The malware is still, however, uses the MS17-010 Eternalblue vulnerability. 

The new module named spreader_x86.dll, exports four functions like the other TrickBot modules. 

“The file has an abnormally large rdata section which proves to be quite interesting because it contains two additional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable SsExecutor_x86.exe and an additional module screenLocker_x86.dll,” said researchers.

According to Jason Davison, Webroot's advanced threat research analyst, the module screenLocker_x86.dll attempts to lock a user's machine.

“Similarly, to the other TrickBot modules, this module was written in Delphi. This is the first time TrickBot has shown any attempt at “locking” the victims machine,” he said.

He added that if the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group's business model. 

“Locking a victim's computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetisation scheme,” he said.

He said it was notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks.

“In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines,” he said.

Daivson said that the TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim's network. “This is being coupled with an unfinished "screenLocker" module in a new possible attempt to extort money from victims."

Davison warned that the TrickBot banking trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead.

Andy Norton, director of threat intelligence at Lastline, told SC Media UK that it's not just financial institutions that are targeted, it is the customers of financial institutions and the finance function that are always targeted. “The reason is again, that the  bad guys are closer to the money. The side effect of having multiple payloads in order to maximise the chance of making money, is that, from a behavioural analysis alerting perspective these threats light up like a Christmas tree. Adding Dynamic or behavioural analysis to an organisations defence in depth strategy, will protect organisations from this type of threat,” he said.

Matt Walmsley, EMEA director at Vectra, told SC Media UK that Trickbot's use of a network worm means it is spreading like wildfire across vulnerable systems. 

“Whilst there are technical workarounds one can take around the configuration of SMB v1 to try and mitigate against Trickbot, most enterprises remain blind in terms of spotting active attacks inside their network as they move laterally. And of course, the time old adage of patch, patch, patch still rings true. Even in financial services who typically have a high level of security maturity, detection and isolation is key, but to do so in a time-critical manner is beyond the ability of manual threat hunting. If you want to get ahead of the attack it is imperative to spot the early indicators, and that's a job best done using automated threat hunting techniques powered by AI,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events