Security News > 2020 > January > TrickBot Operators Create New Backdoor for Important Targets
The cybercriminals behind the TrickBot malware, who are believed to be based in Russia, have been using a new PowerShell backdoor in recent attacks aimed at high-value targets, SentinelLabs revealed on Thursday.
Called PowerTrick, the recently discovered backdoor is being deployed, at least in some cases, as a PowerShell task through normal TrickBot infections.
The new offensive tool, SentinelLabs security researchers say, is being used for profiling and pivoting, and is being leveraged in conjunction with various other frameworks and offensive tools, either paid or freely available for download. In attacks involving the PowerTrick backdoor, the cybercriminals also commonly utilize other PowerShell utilities for a variety of tasks, such as the 'letmein.
SentinelLabs' researchers were able to link the PowerTrick backdoor to malware such as TrickBot Anchor DNS and TerraLoader with the "More eggs" backdoor onboard, but also observed the malware being used for direct shellcode execution.
"The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks," SentinelLabs said.