Trickbot Malware Has New Tricks up Its Sleeve: Coronavirus-Themed Samples Fool Security Products and Target Telecommunication Companies

Trickbot Coronavirus-Themed Samples

Back in 2016, Trickbot started its life as a humble banking trojan, but it quickly became apparent that it was a lot more than that. Right now, close to four years later, it's probably safe to say that it's the most widely used malware family in the world, and there's nothing to suggest that cybercriminals are going to turn away from it any time soon.

Its main appeal lies with its versatility, which comes from its modular design. Malware creators can develop and add plugins and easily make the trojan do a wide range of tasks. Meanwhile, with a few tweaks, Trickbot can become stealthier and extremely difficult to remove. Recent samples discovered by security researchers show why cybercriminals love it so much.

Trickbot samples use the panic surrounding the coronavirus outbreak to evade security solutions

Trickbot, like many other malware families, is using the current coronavirus pandemic in its campaigns. Unlike other gangs, however, the Trickbot operators don't use the outbreak to fool victims into opening a file or clicking on a link. This time, the coronavirus plays a part in fooling the computer.

According to the security news website Bleeping Computer, criminals recently made changes to the malware's crypter – a program designed to encrypt the executable's code and make it appear legitimate. Researchers went through the new files' properties and found that strings from coronavirus news reports had been placed in version-information fields such as "File description," "Product name," and "Copyright."

This looks like a strange move. After all, the sad truth is that regular users are unlikely to research an unknown file in that much detail before launching it, and even if they did, there is a good chance that they'd simply be confused by a Properties page that looks like this. There is a method behind it, though.

Vitali Kremez from SentinelLabs told Bleeping Computer that it's most likely a detection evasion technique. Apparently, Trickbot operators have used it in the past, and it seems to be especially effective against security solutions that rely on artificial intelligence and machine learning.

These new additions suggest that Trickbot's operators are determined to successfully compromise their targets. This, by the way, is also supported by unrelated research conducted by Bitdefender earlier this month.

Trickbot attacks targets through RDP

Bitdefender's researchers were monitoring Trickbot's behavior when, in late January, they noticed that the crooks were pushing an update. It contained a new module that the experts hadn't seen before. Some of the functionality wasn't working correctly, which showed that the update was still a work in progress, but despite this, it did give the experts an idea of what the crooks' future plans could be.

The new module, along with a configuration file, is downloaded from one of the many available Command & Control (C&C) servers after a successful infection. Trickbot receives a list of targets, and its first task is to see if they have their Remote Desktop Protocol (RDP) services enabled. If a target does have an open RDP, its name is sent back to the C&C through a POST request. The server responds with a collection of usernames and passwords that Trickbot uses to try and brute-force its way in and compromise the targeted organization.
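From the defender's side, the behavior described above (a burst of RDP logon attempts using usernames and passwords handed out by the C&C) leaves a recognizable trail on the targeted host: the Windows Security log records each failure as Event ID 4625, and logon type 10 (RemoteInteractive) marks the attempt as coming over RDP. The script below is an added example, not code from the article, from Bitdefender, or from the malware. It runs a sliding-window count over constructed event records and raises one alert per source address whose RDP failures cross a threshold, while ignoring console failures and a user who merely mistypes a password. The record layout and all addresses are constructed for the example.

```python
"""Flag RDP password-guessing bursts in Windows Security log events.

Added illustration for the RDP brute-force behavior described in the text.
The records below are constructed to mirror the fields of Event ID 4625
(An account failed to log on); logon type 10 = RemoteInteractive (RDP).
Source addresses come from RFC 5737 documentation ranges, not real indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # One source cycling through a username list in a few seconds.
    {"time": "2020-03-19T10:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.7"},
    {"time": "2020-03-19T10:00:03", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "198.51.100.7"},
    {"time": "2020-03-19T10:00:04", "event_id": 4625, "logon_type": 10, "user": "backup", "src": "198.51.100.7"},
    {"time": "2020-03-19T10:00:06", "event_id": 4625, "logon_type": 10, "user": "helpdesk", "src": "198.51.100.7"},
    {"time": "2020-03-19T10:00:08", "event_id": 4625, "logon_type": 10, "user": "svc_sql", "src": "198.51.100.7"},
    {"time": "2020-03-19T10:00:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src": "198.51.100.7"},
    # A legitimate user mistyping a password twice, then succeeding (4624).
    {"time": "2020-03-19T10:05:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "192.0.2.44"},
    {"time": "2020-03-19T10:05:20", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src": "192.0.2.44"},
    {"time": "2020-03-19T10:05:40", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "192.0.2.44"},
    # A console (logon type 2) failure is not RDP guessing and must not count.
    {"time": "2020-03-19T10:07:00", "event_id": 4625, "logon_type": 2, "user": "jdoe", "src": "-"},
    # Slow guessing spread half an hour apart stays under the windowed threshold.
    {"time": "2020-03-19T11:00:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
    {"time": "2020-03-19T11:30:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source address whose RDP logon failures reach
    `threshold` inside any sliding `window`.

    Each alert records when the burst crossed the threshold, the total number
    of RDP failures seen from that source and the distinct accounts tried.
    """
    # Group (timestamp, username) pairs of RDP failures by source address.
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 10:
            failures[ev["src"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))

    alerts = []
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the left edge forward until the window spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "first": attempts[start][0].isoformat(),
                    "last": attempts[end][0].isoformat(),
                    "total_failures": len(attempts),
                    "users": sorted({user for _, user in attempts}),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{alert['src']}: {alert['total_failures']} RDP logon failures, "
              f"threshold reached between {alert['first']} and {alert['last']}, "
              f"accounts tried: {', '.join(alert['users'])}")
```

The distinct-username list is the useful triage signal here: a single account failing repeatedly usually means a forgotten password or a stale saved credential, whereas many different account names from one address within seconds matches the credential-list behavior the module was observed to use. In production the same logic would read 4625 events from the Security channel (or from a SIEM) rather than from a list, and the threshold and window would be tuned to the environment's normal failure rate.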

It's difficult to say whether the new module has been used in the wild yet. Based on the list of targets Bitdefender's researchers saw, however, it could soon be unleashed against telecommunication companies in the US and Hong Kong. The crooks could also be setting their sights on companies in the financial sector, as well as organizations that deal with education and scientific research.

The two new additions represent the latest in a very long line of updates that Trickbot's operators have added to their malware. We can only guess what direction the trojan is going to take next, but we can be fairly sure that it will remain a favorite with the cybercriminals.

March 19, 2020