Trickbot has been upgraded with a more sophisticated propagation method that makes it even harder to detect.
According to researchers at Palo Alto Networks, the latest Trickbot update introduces an improved method of evading detection and, surprisingly, has been in operation since April 2020.
Trickbot is flexible by design: its authors can add or remove capabilities easily, and this flexibility is the primary reason the latest change was possible.
A module named Mworm has been the core means by which this malware spreads since September 2019. Researchers have found that this older module has been replaced by Nworm; they identified the change when it surfaced on an infected Windows 7 client. Nworm also significantly alters Trickbot’s HTTP traffic.
How does Trickbot operate?
Trickbot targets a domain controller, after which the malware is run from memory, ensuring that no traces are left on the infected machine and making the bot harder to detect. In addition, the binary deployed by the new Nworm module is encrypted when it is transferred over the internet, which helps hide the malware's actions.
Trickbot first appeared in 2016 as a banking trojan and has since been repeatedly adapted for other purposes. It has been used as a capable information stealer that offers backdoor access to infected machines, allowing threat actors to use the platform as a gateway to deliver malware into already infected and compromised networks.
More broadly, Trickbot can function as a botnet and quickly spread to additional victims, using phishing email campaigns to distribute malicious attachments that execute Trickbot when opened on a Windows machine.
It does not stop there. Once the trojan is executed on a machine, it can exploit the EternalBlue vulnerability to move laterally across a network.