Trickbot gang uses fileless backdoor on high-value targets

News by Rene Millman

A Russian cyber-crime gang has developed a new hacking tool called PowerTrick in a bid to move around target networks undetected

A Russian cyber-crime gang has developed a new hacking tool called PowerTrick in a bid to move around target networks undetected, according to a blog post by SentinelLabs head Vitali Kremez.

PowerTrick is a fileless framework created by the TrickBot gang to carry out reconnaissance inside infected high-value targets such as financial institutions.

"Many of their offensive tools remain undetected for the most part as they are used for a short period of time for targeted post-exploitation purposes such as lateral movement," Kremez wrote.

Offensive tooling such as "PowerTrick" is flexible and effective, which allows the TrickBot cyber-crime actors to augment it on the fly and stay stealthy, making it a more attractive option than larger open-source frameworks such as PowerShell Empire.

"The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks," he wrote.

A SentinelLabs report breaks the bot's activity down as follows: it performs an initial check-in; it resets the throttle time or exits, depending on the response; and it can then sit in a loop, requesting the next command to execute, running the received command, and sending back the results or the error message.

After the initial stage of the "PowerTrick backdoor" is kicked off, the actor issues the first command: download a larger backdoor. PowerTrick is designed to execute commands and return the results in Base64 format; the system uses a UUID generated from computer information as a "botID". The victim data is then posted back to the controller.
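The check-in loop described above leaves a recognisable footprint on the wire: one internal host talking to one controller at a steady cadence, posting Base64-encoded results. The script below is an added example for defenders, not code from SentinelLabs or from the PowerTrick framework itself. It walks a constructed proxy-log sample (the log format, IP addresses, hostnames and bodies are all invented for the example) and flags client/server pairs whose request intervals cluster tightly around a median and whose POST bodies decode cleanly as Base64. The tolerance on the interval is deliberate: the article says the bot can reset its throttle time, so the check scores the fraction of "regular" gaps rather than demanding a perfectly fixed period.

```python
"""Beacon-pattern detection over web-proxy logs (added example, not the project's code).

The loop described in the article (check-in, then request command / run it /
post Base64 results) shows up as periodic outbound POSTs from one client to one
server with Base64-looking bodies. This script flags such pairs in a log sample.
Everything below the imports is constructed for the example.
"""
import base64
import binascii
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed log format: <ISO-8601 time> <client IP> <method> <url> <status> <body sample or "-">
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<body>\S*)$"
)

# Constructed sample. 10.0.0.15 follows the article's loop: a check-in, then a
# POST roughly every 60 s carrying a Base64 result. 10.0.0.31 is just as
# periodic but posts plain form data; 10.0.0.22 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2020-01-10T09:00:00 10.0.0.15 POST http://203.0.113.7/main.php 200 b2s=
2020-01-10T09:00:05 10.0.0.22 GET http://intranet.example/news 200 -
2020-01-10T09:00:07 10.0.0.22 GET http://intranet.example/news/today 200 -
2020-01-10T09:00:10 10.0.0.31 POST http://intranet.example/search 200 q=report+2020
2020-01-10T09:01:00 10.0.0.15 POST http://203.0.113.7/main.php 200 cmVzMQ==
2020-01-10T09:01:10 10.0.0.31 POST http://intranet.example/search 200 q=report+2020
2020-01-10T09:02:01 10.0.0.15 POST http://203.0.113.7/main.php 200 cmVzMg==
2020-01-10T09:02:10 10.0.0.31 POST http://intranet.example/search 200 q=report+2020
2020-01-10T09:02:40 10.0.0.22 GET http://intranet.example/policies 200 -
2020-01-10T09:03:00 10.0.0.15 POST http://203.0.113.7/main.php 200 cmVzMw==
2020-01-10T09:03:10 10.0.0.31 POST http://intranet.example/search 200 q=report+2020
2020-01-10T09:03:59 10.0.0.15 POST http://203.0.113.7/main.php 200 cmVzNA==
2020-01-10T09:05:00 10.0.0.15 POST http://203.0.113.7/main.php 200 cmVzNQ==
2020-01-10T09:10:12 10.0.0.22 GET http://intranet.example/news 200 -
"""

MIN_REQUESTS = 4             # fewer requests than this is not enough to call a cadence
INTERVAL_TOLERANCE = 0.25    # a gap within +/-25% of the median counts as "regular"
MIN_REGULAR_FRACTION = 0.75  # tolerates a throttle change part-way through the window
MIN_B64_FRACTION = 0.5       # share of POST bodies that must decode as Base64


def looks_base64(body):
    """True if the body sample is well-formed Base64 (strict alphabet and padding)."""
    if body in ("", "-") or len(body) < 4 or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["server"] = urlparse(row["url"]).netloc
        rows.append(row)
    return rows


def find_beacons(text):
    """Return (client, server) pairs that look like a periodic Base64-posting loop."""
    by_pair = defaultdict(list)
    for row in parse_log(text):
        by_pair[(row["client"], row["server"])].append(row)

    findings = []
    for (client, server), reqs in by_pair.items():
        if len(reqs) < MIN_REQUESTS:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        regular = sum(abs(g - median) <= INTERVAL_TOLERANCE * median for g in gaps) / len(gaps)
        posts = [r for r in reqs if r["method"] == "POST"]
        b64 = (sum(looks_base64(r["body"]) for r in posts) / len(posts)) if posts else 0.0
        if regular >= MIN_REGULAR_FRACTION and b64 >= MIN_B64_FRACTION:
            findings.append({
                "client": client, "server": server, "requests": len(reqs),
                "median_interval": median, "regular_fraction": regular, "b64_fraction": b64,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['server']}: {f['requests']} requests, "
              f"median gap {f['median_interval']:.0f}s, base64 posts {f['b64_fraction']:.0%}")
```

Only the 10.0.0.15 pair is reported: the intranet search client is equally periodic but its bodies are not Base64, and the browsing client is neither periodic nor posting. In production the two thresholds would be tuned against a baseline of known-good software that also phones home on a timer (update checks, telemetry), which is why the output carries the fractions rather than a bare verdict.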

Once the system and network have been profiled, the actors perform a deletion and cleanup operation.

"They remove any existing files that did not execute properly and move on to a different target of choice or perform lateral movement inside the environment to high-value systems such as financial gateways. The executed tasks included a wide range of utilities such as previously shown Metasploit," said Kremez.

In response to the discovery, SentinelLabs has developed mock command-and-control panels to allow organisations to test for activity related to PowerTrick.

Richard Meeus, technology and strategy director at Akamai Technologies, told SC Media UK that the attack needs to download an initial payload (the larger backdoor) to run the exploits. If the organisation is using an intelligent recursive DNS platform, then this should be detected and blocked. It should also alert the infected machine.

"Preventing lateral, or east-west, movement can be addressed using an Identity Aware Proxy that provides access to applications rather than machines. This massively reduces the visibility and accessibility of compromised machines in the network," he said.

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that many organised criminals and nation states put considerable effort into developing their malware. Much of it is custom developed, maintained for longer periods of time, and extra functionalities are added frequently as is the case with Trickbot, he said.

"The best thing organisations can do to defend against such malware is to protect against them getting into the company in the first place. This is typically through patching public-facing systems, training users to identify and dodge spearphishing attacks, and using MFA and strong passwords. When a compromise does occur, organisations should have threat detection controls in place that can identify and alert on suspicious activity," he said.
