Trickbot malware has been updated with a new method of propagation which makes it even harder to detect.
Starting life as a banking trojan, Trickbot first emerged in 2016, but in the years since it has been repeatedly repurposed: it has served as a fully-fledged information stealer and as a backdoor into infected machines, letting cyber criminal groups use it as a gateway for delivering other malware onto already compromised networks.
Trickbot can also operate as a botnet to help spread itself to additional victims, commonly using phishing email spam campaigns to distribute malicious attachments which execute it on a Windows machine if opened. Once executed on a machine, Trickbot can also exploit the EternalBlue vulnerability to move laterally around a network.
Now researchers at Palo Alto Networks have detailed the latest update to Trickbot, one that gives it a better method of evading detection and that has been in operation since April.
Trickbot is modular, allowing its authors to easily add or remove capabilities, and it is this modularity that allowed the latest change to be made so easily.
A module called Mworm has been responsible for helping to spread Trickbot since September last year, but it has now been replaced with a new module, Nworm. Researchers noticed it when it appeared on an infected Windows 7 client, and they note that it greatly alters Trickbot’s HTTP traffic.
Now when Trickbot infects a domain controller, the malware is run from memory ensuring that no artefacts are left behind on an infected machine, making detection harder.
In addition to this, the binary used by Nworm is encrypted when transferred over the internet, which also helps to hide the actions of the malware.
“This is the latest in a series of changes in TrickBot as it evolves within our current threat landscape,” said Brad Duncan, threat intelligence analyst at Palo Alto Networks’ Unit 42 research division.
In March, the authors of Trickbot added capabilities which appear to be designed to help conduct cyber espionage against specific targets, including telecommunications providers, universities and financial services.
But despite the potent nature of Trickbot, organisations can go a long way to protecting themselves from it.
“Best security practices like running fully-patched and up-to-date versions of Microsoft Windows will hinder or prevent Trickbot infections,” said Duncan.
EternalBlue, the Windows vulnerability which powered WannaCry ransomware, forms a key part of how Trickbot spreads itself. Despite a patch being released over three years ago, cyber criminals continue to exploit it because some organisations still haven’t applied that patch to their networks.
By applying security updates as and when they arrive, organisations can stop themselves from falling victim to Trickbot and other malicious hacking campaigns that exploit known vulnerabilities, some of them years old.