Cyber security news for all

More

    TrickBot Update Makes Malware harder to detect

    Researchers at Microsoft office have noticed a disturbing increase in TrickBot infections ever since the outset of the COVID-19 pandemic. Threat actors have implemented the use of phishing emails to lure unsuspecting people into clicking on malicious attachments.

    Aside from TrickBot, Unit 42 and Microsoft have also noticed an increase in other information stealers, like Agent Tesla, that are using the COVID-19 theme as a front for malicious acts.

    In 2016, when researchers first noticed the TrickBot, the malware served as just a banking Trojan. Since then, it has transformed into an information stealer, served as a backdoor, and has combined with other malware like Emotet, to deliver ransomware, including Ryuk.

    The operating technique of TrickBot

    Unit 42 researchers discovered the latest version of the TrickBot after they examined a Windows 7 device in their lab. The researchers explained that a Trickbot infection functions ordinarily by scanning a device; downloading the necessary modules needed to maintain persistence and carry out its malicious purpose.

    Before the new upgrades, TrickBot found a device with Windows Active Directory and downloaded the mworm module to infect the domain controller. The malware aimed to exploit loopholes in the Windows Server Message Block protocol.

    Security tools easily noticed the previous domain controller. To counter this flaw, TrickBot developers devised a means to launch the domain controller infection from memory; making it more difficult to spot. Aside from its incognito position, nworm also proffers a layer of encryption to help shield the malware from security tools.

    “This method of infection works well for devices that don’t often restart, like servers, but they wouldn’t be as useful to attackers who are targeting other systems and have different objectives in mind,” Duncan says. “This method of infection leaves no artifacts on the system disc drive. As a tradeoff, TrickBot’s new nworm module infections do not appear to survive a reboot or shutdown; but that makes it harder to detect because clues are not left behind to analyze.”

     Module upgrade

    The prior module, “mworm” has been upgraded to a new version, “nworm”. Unit 42 researchers have noted that the newest upgrade to TrickBot alters one of the module malware uses to disseminate from an infected Microsoft Windows device to a domain controller.

    Unit 42 researchers noted that the difference between the two modules lies majorly in their location. While the mworm ran on the hard disk drive, the nworm runs on the domain controller memory. The upgrade poses a challenge to security tool as any of the TrickBot clear out once the infected device’s rebooted.

    Brady Duncan, a threat intelligence analyst for Unit 42, had this to say to Information Security Media Group; “running malware from RAM is one of many fileless malware techniques that have been reported before. TrickBot has been evolving in that direction for awhile, especially with the lack of module artifacts on Windows 10 hosts. We see this as just a gradual evolution.”

     

     

    Recent Articles

    Millions of RDP attacks on home offices

    Since the corona related move to the home office, the number of daily hacker attacks on remote desktop connections has increased more than tenfold....

    KuCion crypto confirms 150 million dollar security breach

    Cyber criminals were able to steal from the KuCion crypto and stole coins worth millions. On the evening of last Friday, KuCion crypto noticed...

    Hungarian banks were the target of a massive DDoS attack

    Several banks and the Hungarian Telekom have been the target of a cyber attack. The attacks are said to have come in several waves...

    The source code of Windows XP is leaked

    The source code of Windows XP is currently freely accessible. The media says that data first appeared on 4chan and is currently being exchanged...

    Hackers send malicious Azure Cloud apps to Microsoft

    Microsoft has banned some Azure Cloud applications from its cloud that the company identified as part of an attack infrastructure. Microsoft describes the approach...

    Related Stories

    Leave A Reply

    Please enter your comment!
    Please enter your name here

    Stay on op - Ge the daily news in your inbox