TrickBot Now Exploits Infected PCs to Launch RDP Brute Force Attacks (Security News, March 2020)

A new module for the TrickBot banking Trojan has recently been discovered in the wild that lets attackers use compromised systems to launch brute-force attacks against selected Windows systems whose Remote Desktop Protocol (RDP) service is exposed to the Internet.
"From add-ons for stealing OpenSSH and OpenVPN sensitive data, to modules that perform SIM-swapping attacks to take control of a user's telephone number, and even disabling Windows built-in security mechanisms before downloading its main modules, TrickBot is a jack-of-all-trades."
How Does TrickBot's RDP Brute-Force Module Work?

When TrickBot begins its execution, it creates a folder containing the encrypted malicious payloads and their associated configuration files, which include a list of command-and-control servers with which the plugin needs to communicate to retrieve the commands to be executed.
In the module's configuration, "C&C" refers to the C2 server, "Tag" to the group tag used by the TrickBot sample, "ComputerID" to the computer ID used by the malware, and "ControlEndpoint" to a list of attack modes together with the IP address and port number combinations to be targeted by the RDP brute-force attack.
"The new rdpScanDll module may be the latest in a long line of modules that have been used by the TrickBot Trojan, but it's one that stands out because of its use of a highly specific list of IP addresses," the researchers concluded.
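The defender's counterpart to the attack described above is spotting it in the target's own logs: a compromised machine working through a target list produces bursts of failed RDP logons from one source, or a handful of failures spread across many accounts. The following detector is an added example written for this page; it is neither the article's code nor anything from TrickBot. It consumes constructed sample lines in a simplified key=value rendering of the Windows Security events 4625 (failed logon) and 4624 (successful logon), filtered to logon type 10 (RemoteInteractive, the type RDP sessions use). The threshold, window and distinct-account values are assumptions to be tuned per environment.

```python
"""Flag candidate RDP brute-force sources from failed-logon records.

Added example, not the article's or TrickBot's code. Event IDs 4625/4624 and
logon type 10 are real Windows Security-log values; the log line format below,
the sample addresses and the thresholds are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625          # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10          # RemoteInteractive: Remote Desktop / Terminal Services
THRESHOLD = 5                # this many RDP failures from one source inside WINDOW -> flag
WINDOW = timedelta(seconds=60)
MIN_DISTINCT_USERS = 3       # one source failing against this many accounts -> flag

# Constructed sample log lines (assumed simplified key=value rendering of the events).
SAMPLE_LOG = """\
2020-03-18T10:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2020-03-18T10:00:03Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2020-03-18T10:00:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2020-03-18T10:00:08Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2020-03-18T10:00:11Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2020-03-18T10:00:14Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7
2020-03-18T10:00:20Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.9
2020-03-18T10:01:30Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.9
2020-03-18T10:02:45Z EventID=4625 LogonType=10 TargetUserName=helpdesk IpAddress=203.0.113.9
2020-03-18T10:03:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.5
2020-03-18T10:03:09Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.5
2020-03-18T10:03:15Z EventID=4625 LogonType=2 TargetUserName=console IpAddress=10.0.0.4
2020-03-18T10:03:16Z EventID=4625 LogonType=2 TargetUserName=console IpAddress=10.0.0.4
2020-03-18T10:03:17Z EventID=4625 LogonType=2 TargetUserName=console IpAddress=10.0.0.4
2020-03-18T10:03:18Z EventID=4625 LogonType=2 TargetUserName=console IpAddress=10.0.0.4
2020-03-18T10:03:19Z EventID=4625 LogonType=2 TargetUserName=console IpAddress=10.0.0.4
2020-03-18T10:03:20Z EventID=4625 LogonType=2 TargetUserName=console IpAddress=10.0.0.4
"""


def parse_line(line):
    """Parse one constructed log line into a dict with typed timestamp and integers."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["EventID"] = int(rec["EventID"])
    rec["LogonType"] = int(rec["LogonType"])
    return rec


def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW,
                          min_users=MIN_DISTINCT_USERS):
    """Return {source_ip: {"reasons": [...], "failures": n, "users": [...]}}.

    "burst": at least `threshold` RDP failures from the source within `window`.
    "many_accounts": the source failed against at least `min_users` distinct accounts.
    Successful logons and non-RDP failures (e.g. console logon type 2) are ignored.
    """
    recent = defaultdict(deque)   # source -> timestamps of RDP failures still in the window
    users = defaultdict(set)      # source -> distinct accounts it failed against
    total = defaultdict(int)      # source -> total RDP failures seen
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec["EventID"] != FAILED_LOGON or rec["LogonType"] != RDP_LOGON_TYPE:
            continue
        src = rec["IpAddress"]
        total[src] += 1
        users[src].add(rec["TargetUserName"])
        q = recent[src]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            reasons[src].add("burst")
        if len(users[src]) >= min_users:
            reasons[src].add("many_accounts")
    return {src: {"reasons": sorted(r), "failures": total[src], "users": sorted(users[src])}
            for src, r in reasons.items()}


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

On the sample data the first source is flagged for its burst of six failures in thirteen seconds, the second for trying three different accounts at a slow pace that no per-minute threshold would catch; the user who fails once and then succeeds, and the local console failures, are not reported. In production the same logic would be fed from the Security log on the RDP hosts (or a SIEM), with the flagged source addresses cross-checked against the firewall's own record of what is reachable on 3389, since the more durable fix the article implies is not exposing RDP directly to the Internet at all.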
News URL: http://feedproxy.google.com/~r/TheHackersNews/~3/1qXOqDBT0VU/trickbot-malware-rdp-bruteforce.html