Researchers at Microsoft have noticed a disturbing increase in TrickBot infections since the outset of the COVID-19 pandemic. Threat actors are using phishing emails to lure unsuspecting people into opening malicious attachments.
Aside from TrickBot, Unit 42 and Microsoft have also noticed an increase in other information stealers, like Agent Tesla, that use the COVID-19 theme as a lure for malicious activity.
When researchers first noticed TrickBot in 2016, the malware was just a banking Trojan. Since then it has evolved into an information stealer, served as a backdoor, and been combined with other malware such as Emotet to deliver ransomware, including Ryuk.
The operating technique of TrickBot
Unit 42 researchers discovered the latest version of TrickBot while examining a Windows 7 device in their lab. They explained that a TrickBot infection normally works by scanning the device and then downloading the modules it needs to maintain persistence and carry out its malicious purpose.
Before the upgrade, when TrickBot landed on a device in a Windows Active Directory environment, it downloaded the mworm module to infect the domain controller, exploiting vulnerabilities in the Windows Server Message Block (SMB) protocol.
Security tools easily spotted that earlier method of infecting the domain controller. To counter this weakness, TrickBot's developers devised a way to launch the domain controller infection from memory, making it harder to spot. Besides running in memory, nworm also adds a layer of encryption to help shield the malware from security tools.
“This method of infection works well for devices that don’t often restart, like servers, but they wouldn’t be as useful to attackers who are targeting other systems and have different objectives in mind,” Duncan says. “This method of infection leaves no artifacts on the system disc drive. As a tradeoff, TrickBot’s new nworm module infections do not appear to survive a reboot or shutdown; but that makes it harder to detect because clues are not left behind to analyze.”
The prior module, “mworm”, has been upgraded to a new version, “nworm”. Unit 42 researchers noted that the newest upgrade to TrickBot alters one of the modules the malware uses to spread from an infected Microsoft Windows device to a domain controller.
Unit 42 researchers noted that the main difference between the two modules is where they run: mworm ran from the hard disk drive, whereas nworm runs in the domain controller's memory. The upgrade poses a challenge to security tools, since the in-memory TrickBot module is cleared once the infected device is rebooted, leaving nothing on disk to analyze.
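The defensive consequence of the mworm-to-nworm change described above, as an added example that is not code from the article or from Unit 42: a disk-only indicator scan finds a module that was written to disk, but not one that only ever executes in memory, whereas a behavioural rule keyed on SMB activity from a workstation to a domain controller followed by execution on that controller catches both. The telemetry, host names, field names (`ts`, `host`, `kind`, `path`, `backing_file`) and the indicator name `mworm.dll` are all constructed for this example and do not correspond to any real EDR schema or published indicator.

```python
# Added example (not from the article or Unit 42): constructed endpoint
# telemetry showing why a disk-only IOC scan misses a memory-only module.
from collections import defaultdict

# Constructed events; the schema is an assumption made for this example.
EVENTS = [
    # Old-style (mworm-like): module written to disk on the DC, then loaded.
    {"ts": 100, "host": "WS-01", "kind": "smb_connect", "dst": "DC-01"},
    {"ts": 130, "host": "DC-01", "kind": "file_write", "path": "C:\\Windows\\Temp\\mworm.dll"},
    {"ts": 131, "host": "DC-01", "kind": "image_load", "path": "C:\\Windows\\Temp\\mworm.dll"},
    # New-style (nworm-like): nothing written; code runs from memory only.
    {"ts": 400, "host": "WS-02", "kind": "smb_connect", "dst": "DC-02"},
    {"ts": 420, "host": "DC-02", "kind": "memory_exec", "backing_file": None},
    # Benign: an admin host talks SMB to a DC with no follow-on execution.
    {"ts": 700, "host": "ADMIN-01", "kind": "smb_connect", "dst": "DC-01"},
    # The memory-only DC is rebooted later on.
    {"ts": 900, "host": "DC-02", "kind": "reboot"},
]

DOMAIN_CONTROLLERS = {"DC-01", "DC-02"}
# Placeholder indicator name constructed for the example; the real module
# file names are not given on the page.
DISK_IOCS = {"mworm.dll"}


def disk_ioc_scan(events, iocs=DISK_IOCS):
    """Return hosts on which a known module name was written to disk.
    This is all a file-based scanner can see."""
    hits = set()
    for e in events:
        if e["kind"] == "file_write":
            name = e["path"].rsplit("\\", 1)[-1].lower()
            if name in iocs:
                hits.add(e["host"])
    return hits


def lateral_to_dc_detect(events, dcs=DOMAIN_CONTROLLERS, window=300):
    """Flag a DC when a non-DC host opens SMB to it and, within `window`
    seconds, the DC reports either a module written to disk or code
    executing with no backing file. Whether the payload touches disk
    does not matter to this rule."""
    inbound = defaultdict(list)  # dc -> timestamps of SMB from non-DC hosts
    for e in events:
        if e["kind"] == "smb_connect" and e["dst"] in dcs and e["host"] not in dcs:
            inbound[e["dst"]].append(e["ts"])

    flagged = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["host"] not in dcs:
            continue
        memory_only = e["kind"] == "memory_exec" and e.get("backing_file") is None
        on_disk = e["kind"] == "file_write"
        if not (memory_only or on_disk):
            continue
        if any(0 <= e["ts"] - t <= window for t in inbound[e["host"]]):
            flagged[e["host"]] = "memory_only" if memory_only else "on_disk"
    return flagged


def artifacts_after_reboot(events):
    """What a post-reboot triage can still see: file-backed artifacts
    persist, while memory-only execution on a host that rebooted is gone."""
    rebooted = {e["host"] for e in events if e["kind"] == "reboot"}
    remaining = []
    for e in events:
        if e["kind"] == "file_write":
            remaining.append(e)
        elif e["kind"] == "memory_exec" and e["host"] not in rebooted:
            remaining.append(e)
    return remaining


if __name__ == "__main__":
    print("disk scan hits:", disk_ioc_scan(EVENTS))
    print("behavioural hits:", lateral_to_dc_detect(EVENTS))
    print("artifacts after reboot:", [e["host"] for e in artifacts_after_reboot(EVENTS)])
```

The point of the three functions is the gap between them: the disk scan only reports DC-01, the behavioural rule reports both DC-01 and DC-02, and after DC-02 reboots the only remaining artifact belongs to DC-01. Real telemetry would come from an EDR or Sysmon-style feed rather than a hard-coded list, but the detection logic (correlate inbound SMB to a domain controller with unbacked execution on that controller inside a short window) is the part that carries over.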
Brady Duncan, a threat intelligence analyst for Unit 42, had this to say to Information Security Media Group: “Running malware from RAM is one of many fileless malware techniques that have been reported before. TrickBot has been evolving in that direction for a while, especially with the lack of module artifacts on Windows 10 hosts. We see this as just a gradual evolution.”