Security reserachers have discovered that the Trickbot malware has been updated with you capabilities to evade detection and lock victim's computers.
The malware, first discovered in 2016, targets customers of major banks. According to a blog post by researchers at Webroot, the updated Trickbot has "continually undergone updates and changes in attempts to stay one step ahead of defenders”.
The new module named spreader_x86.dll, exports four functions like the other TrickBot modules.
“The file has an abnormally large rdata section which proves to be quite interesting because it contains two additional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable SsExecutor_x86.exe and an additional module screenLocker_x86.dll,” said researchers.
According to Jason Davison, Webroot's advanced threat research analyst, the module screenLocker_x86.dll attempts to lock a user's machine.
“Similarly, to the other TrickBot modules, this module was written in Delphi. This is the first time TrickBot has shown any attempt at “locking” the victims machine,” he said.
He added that if the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group's business model.
“Locking a victim's computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetisation scheme,” he said.
He said it was notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks.
“In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines,” he said.
Davison warned that the TrickBot banking trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead.
Andy Norton, director of threat intelligence at Lastline, told SC Media UK that it's not just financial institutions that are targeted, it is the customers of financial institutions and the finance function that are always targeted. “The reason is again, that the bad guys are closer to the money. The side effect of having multiple payloads in order to maximise the chance of making money, is that, from a behavioural analysis alerting perspective these threats light up like a Christmas tree. Adding Dynamic or behavioural analysis to an organisations defence in depth strategy, will protect organisations from this type of threat,” he said.
Matt Walmsley, EMEA director at Vectra, told SC Media UK that Trickbot's use of a network worm means it is spreading like wildfire across vulnerable systems.