TrickBot Continues Resurgence with Port-Scanning Module

The TrickBot trojan is continuing its bounce-back from an autumn takedown, recently adding a network-scanning module that uses the Masscan open-source tool to look for open ports.

Masscan is a mass TCP/IP port scanner, which can scan the entire internet in under five minutes according to its authors, transmitting 10 million packets per second of data from a single machine. The TrickBot module that uses it, dubbed “masrv,” is likely used for network reconnaissance, according to researchers at Kryptos Logic.

The module arrives as either a 32-bit or 64-bit DLL library, depending on the Windows OS version of the victim machine the bot is running on. Once installed, it makes requests to the command-and-control server (C2) for a list of IP address ranges to scan, followed by port range, that it can pass as parameters to Masscan. The C2 also communicates the frequency for sending results and the transmission rate.

“At first, the module makes GET requests for information from the commands ‘freq,’ ‘domains’ and ‘rate,’” Kryptos Logic researchers explained in a Monday blog posting. “If successful, the module executes Masscan’s main function routine, which is compiled within the DLL.”

The Masscan tool has its own network stack, and it requires a low-level packet filter in order to render results, according to the analysis. The TrickBot module looks for NPcapPacket.dll on Windows machines; and if it’s not present, it makes a request to download the NPcap executable from the C2 which is then silently installed. The Masscan tool also attempts to initialize the network adapter.

If the module discovers any open ports, it sends the results at the frequency, in seconds, determined by the freq value queried at the beginning.

“Results are aggregated by calling a module-specific function from the Masscan function output_report_status which adds discovered ports to a global string,” researchers explained. “These results are posted back (via the 81 message) regularly.”

Anchor/Bazar Tie-Ins

The new module also interestingly contains a C2 communication function for connecting to the Anchor attack framework, and a list of hardcoded IPs which have previously been associated with both Anchor and Bazar 12.

The Anchor malware framework, which dates back to at least 2018, appears to be programmed by TrickBot’s operators, researchers have noted. It’s “an all-in-one attack framework,” made up of various submodules that can help attackers spread laterally on a network (such as the ability to install backdoors). Other cybergangs appear to make use of Anchor as well – last year a TrickBot partnership with the FIN6 financial cybergroup was uncovered; and the North Korea-linked Lazarus Group has also been seen using it.

Bazar meanwhile is a group of malware likely developed by the TrickBot operators that has also been seen being used by a variety of threat actors, such as the Ryuk ransomware gang. It’s a first-stage loader malware that has many variants, including malware families Kegtap, Singlemalt and Winekey.

In June, TrickBot added a Bazar-based module called BazarBackdoor, which is capable of providing full access to an attacker and can be used as a point of entry for any number of attacks.

“In any advanced attack, be it ransomware, industrial espionage or corporate data exfiltration, having this kind of access is essential,” researchers at Panda Security said at the time. “If a cybercriminal manages to install BazarBackdoor on a company’s IT system, it could pose a serious danger, and, given the volume of emails being sent out with this backdoor, this is a widespread threat.”

As for the links between “masrv” and the other two weapons, “It is not uncommon for this actor to be seen sharing code between its toolsets,” Kryptos Logic researchers said. “This new module is an indication of the actor’s continued investment in improving their network reconnaissance toolkit, even after recent disruption efforts.”

TrickBot Bounces Back After Disruption

TrickBot is a malware strain that has been around since 2016, starting life as a banking trojan. Over time, it has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to add more modules and act as a delivery vehicle for other malware.

Users infected with the TrickBot trojan will see their device become part of a botnet that attackers use to load next-stage malware – researchers called it an “ideal dropper for almost any additional malware payload.” For instance, in one campaign the Emotet trojan loaded TrickBot as a means to deploy Ryuk ransomware.

In October though, TrickBot was dealt a serious blow thanks to a coordinated action led by Microsoft that disrupted the botnet that spreads it. A District Court granted a request for a court order to halt TrickBot’s operations, which Microsoft carried out in concert with other firms, including ESET, Lumen’s Black Lotus Labs, NTT Ltd., Symantec and others.

However, researchers warned at the time that TrickBot’s operators would quickly try to revive their operations – a prediction which quickly came true. According to AdvIntel and Eclypsium, active TrickBot infections only swelled in the two months after the takedown, peaking at up to 40,000 new victims in a single day.

And, in early December, it was seen implementing functionality designed to inspect the UEFI/BIOS firmware of targeted systems – the so-called TrickBoot module.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!