Trickbot Malware Returns with a New VNC Module to Spy on Its Victims
Security News, July 2021
Cybersecurity researchers have opened the lid on the continued resurgence of the insidious Trickbot malware, making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter efforts from law enforcement.
"The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between servers and victims - making attacks difficult to spot," Bitdefender said in a technical write-up published Monday, suggesting an increase in sophistication of the group's tactics.
With control of these devices, malicious actors can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on the infected computers.
The notorious cybercrime gang behind the operation - dubbed Wizard Spider - has a track record of exploiting the infected machines to steal sensitive information, pivot laterally across a network, and even act as a loader for other malware, such as ransomware, while constantly improving its infection chains by adding modules with new functionality to increase their effectiveness.
The new module is designed to communicate with one of the nine command-and-control servers defined in its configuration file, using it to retrieve a set of attack commands, download more malware payloads, and exfiltrate data gathered from the machine back to the server.
While efforts to squash the gang's operations may not have been entirely successful, Microsoft told The Daily Beast that it worked with internet service providers to go door-to-door replacing routers compromised with the Trickbot malware in Brazil and Latin America, and that it effectively pulled the plug on Trickbot infrastructure in Afghanistan.