Security News
A recently discovered TrickBot variant targeting telecommunications organizations in the United States and Hong Kong includes a module for remote desktop protocol brute-forcing, Bitdefender reports. Now, its operators apparently added a new rdpScanDll module to the threat, to brute-force RDP for a specific list of victims.
The TrickBot malware has added a new feature: A module called rdpScanDll, built for brute-forcing remote desktop protocol accounts. TrickBot is a malware strain that has been around since 2016, starting life as a banking trojan.
A new module for TrickBot banking Trojan has recently been discovered in the wild that lets attackers leverage compromised systems to launch brute-force attacks against selected Windows systems running a Remote Desktop Protocol connection exposed to the Internet. "From add-ons for stealing OpenSSH and OpenVPN sensitive data, to modules that perform SIM-swapping attacks to take control of a user's telephone number, and even disabling Windows built-in security mechanisms before downloading its main modules, TrickBot is a jack-of-all-trades."
A new module for TrickBot banking Trojan has recently been discovered in the wild that lets attackers leverage compromised systems to launch brute-force attacks against selected Windows systems running a Remote Desktop Protocol connection exposed to the Internet. "From add-ons for stealing OpenSSH and OpenVPN sensitive data, to modules that perform SIM-swapping attacks to take control of a user's telephone number, and even disabling Windows built-in security mechanisms before downloading its main modules, TrickBot is a jack-of-all-trades."
Researchers uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components. "In this post, we detailed how this TrickBot fresh variant works in a victim's machine, what technologies it uses to perform anti-analysis, as well as how the payload of TrickBot communicates with its C&C server to download the modules," said Xiaopeng Zhang with Fortinet's FortiGuard Labs threat team in a Monday analysis.
The TrickBot banking trojan has gotten trickier, with the addition of a Windows 10 ActiveX control to execute malicious macros in boobytrapped documents. This creates and executes the OSTAP JavaScript downloader, which acts as a dropper for the TrickBot payload, without user interaction after they click the "Enable macros" button.
The TrickBot trojan has evolved again to bolster its ability to elude detection, this time adding a feature that can bypass Windows 10 User Account Control to deliver malware across multiple workstations and endpoints on a network, researchers have discovered. Researchers at Morphisec Labs team said they discovered code last March that uses the Windows 10 WSReset UAC Bypass to circumvent user account control and deliver malware in recent samples of TrickBot, according to a report released last week.
The operators behind the notorious Emotet malware have taken aim at United Nations personnel in a targeted attack ultimately bent on delivering the TrickBot trojan. Emotet started life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism.
The cybercriminals behind the TrickBot malware, who are believed to be based in Russia, have been using a new PowerShell backdoor in recent attacks aimed at high-value targets, SentinelLabs revealed on Thursday. Called PowerTrick, the recently discovered backdoor is being deployed, at least in some cases, as a PowerShell task through normal TrickBot infections.
The Russian-speaking cybercriminals behind the TrickBot malware have developed a stealthy backdoor dubbed "PowerTrick," in order to infiltrate high-value targets. The malware operators send the first command, which is to download the main PowerTrick backdoor.