Cyber security news for all

    TrickBot Update Makes Malware harder to detect

    Researchers at Microsoft have noticed a disturbing increase in TrickBot infections since the outset of the COVID-19 pandemic. Threat actors have been using phishing emails to lure unsuspecting people into clicking on malicious attachments.

    Aside from TrickBot, Unit 42 and Microsoft have also noticed an increase in other information stealers, like Agent Tesla, that are using the COVID-19 theme as a front for malicious acts.

    In 2016, when researchers first noticed TrickBot, the malware served only as a banking Trojan. Since then, it has transformed into an information stealer, served as a backdoor, and has been combined with other malware, like Emotet, to deliver ransomware, including Ryuk.

    The operating technique of TrickBot

    Unit 42 researchers discovered the latest version of TrickBot after examining a Windows 7 device in their lab. The researchers explained that a TrickBot infection ordinarily works by scanning a device and then downloading the modules it needs to maintain persistence and carry out its malicious purpose.

    Before the new upgrades, when TrickBot found a device in a Windows Active Directory environment, it downloaded the mworm module to infect the domain controller. The module aimed to exploit vulnerabilities in the Windows Server Message Block (SMB) protocol.

    Security tools easily detected the previous domain controller infection. To counter this weakness, TrickBot's developers devised a way to launch the domain controller infection from memory, making it more difficult to spot. Besides running in memory, nworm also adds a layer of encryption to help shield the malware from security tools.

    “This method of infection works well for devices that don’t often restart, like servers, but they wouldn’t be as useful to attackers who are targeting other systems and have different objectives in mind,” Duncan says. “This method of infection leaves no artifacts on the system disk drive. As a tradeoff, TrickBot’s new nworm module infections do not appear to survive a reboot or shutdown, but that makes it harder to detect because clues are not left behind to analyze.”

    Module upgrade

    The prior module, “mworm”, has been upgraded to a new version, “nworm”. Unit 42 researchers have noted that the newest upgrade to TrickBot alters one of the modules the malware uses to spread from an infected Microsoft Windows device to a domain controller.

    Unit 42 researchers noted that the difference between the two modules lies mainly in where they run. While mworm ran from the hard disk drive, nworm runs in the domain controller’s memory. The upgrade poses a challenge to security tools, since any traces of TrickBot are cleared once the infected device is rebooted.

    Brad Duncan, a threat intelligence analyst for Unit 42, had this to say to Information Security Media Group: “Running malware from RAM is one of many fileless malware techniques that have been reported before. TrickBot has been evolving in that direction for a while, especially with the lack of module artifacts on Windows 10 hosts. We see this as just a gradual evolution.”
