TrickBot Now Exploits Infected PCs to Launch RDP Brute Force Attacks (Security News, March 2020)
A new module for the TrickBot banking Trojan has recently been discovered in the wild that lets attackers use compromised systems to launch brute-force attacks against selected Windows systems whose Remote Desktop Protocol (RDP) service is exposed to the Internet.
"From add-ons for stealing OpenSSH and OpenVPN sensitive data, to modules that perform SIM-swapping attacks to take control of a user's telephone number, and even disabling Windows built-in security mechanisms before downloading its main modules, TrickBot is a jack-of-all-trades."
How Does the TrickBot RDP Brute-Force Module Work?

When TrickBot begins its execution, it creates a folder containing the encrypted malicious payloads and their associated configuration files, which include a list of command-and-control servers with which the plugin communicates to retrieve the commands to be executed.

In that configuration, "C&C" refers to the C2 server; "Tag" to the group tag used by the TrickBot sample; "ComputerID" to the computer ID used by the malware; and "ControlEndpoint" to a list of attack modes together with the IP address and port combinations to be targeted by the RDP brute-force attack.
"The new rdpScanDll module may be the latest in a long line of modules that have been used by the TrickBot Trojan, but it's one that stands out because of its use of a highly specific list of IP addresses," the researchers concluded.
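The behaviour described above, an infected PC fanning RDP connection attempts out to a list of external IP:port targets, is visible in egress logs. The following is an added example and not code from the article or from the malware: it parses constructed firewall log lines and flags internal hosts that reach many distinct external RDP endpoints within a short window; the log format, the 10.0.0.0/8 internal range and the thresholds are assumptions.

```python
"""Added example (not from the article or from TrickBot itself): flag an
internal host that, like a PC running rdpScanDll, fans RDP connection
attempts out to many external targets in a short time."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: the corporate LAN is 10.0.0.0/8; anything else is "external".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
RDP_PORT = 3389

# Constructed sample egress log: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2020-03-18T10:00:01 10.0.0.15 203.0.113.10 3389
2020-03-18T10:00:02 10.0.0.15 203.0.113.11 3389
2020-03-18T10:00:03 10.0.0.15 203.0.113.12 3389
2020-03-18T10:00:04 10.0.0.15 203.0.113.13 3389
2020-03-18T10:00:05 10.0.0.15 203.0.113.14 3389
2020-03-18T10:00:06 10.0.0.15 203.0.113.15 3389
2020-03-18T10:00:07 10.0.0.22 198.51.100.7 443
2020-03-18T10:00:08 10.0.0.22 198.51.100.7 3389
2020-03-18T10:30:00 10.0.0.15 203.0.113.20 3389
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port))


def find_rdp_fan_out(log_text, min_targets=5, window=timedelta(minutes=10)):
    """Return {src_ip: [targets]} for internal hosts that contacted at least
    min_targets distinct external RDP endpoints inside one sliding window.
    A host talking to a single RDP server stays below the threshold."""
    outbound_rdp = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port = parse_line(line)
        if port == RDP_PORT and src in INTERNAL_NET and dst not in INTERNAL_NET:
            outbound_rdp[src].append((ts, dst))
    hits = {}
    for src, events in outbound_rdp.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits[str(src)] = sorted(str(t) for t in targets)
                break
    return hits
```

On the sample data only 10.0.0.15 is flagged, with six distinct external RDP endpoints inside ten seconds, while the single outbound RDP session from 10.0.0.22 is ignored.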
Source: http://feedproxy.google.com/~r/TheHackersNews/~3/1qXOqDBT0VU/trickbot-malware-rdp-bruteforce.html