Now the gang behind Trickbot are testing additional techniques with a new version of the malware -- known as 1000029 -- and researchers at Flashpoint who've been watching it say it can spread via Server Message Block (SMB), crudely replicating the exploit that allowed WannaCry and Petya to quickly spread around the world.
Using SMB, Trickbot can now scan domains for lists of servers via the NetServerEnum Windows API and establish the number of computers on the network using Lightweight Directory Access Protocol (LDAP) enumeration.
The malware can also leverage inter-process communication to propagate and execute a PowerShell script as a final payload, which downloads an additional version of Trickbot -- this time masked as 'setup.exe' -- into the shared drive.
Crucially, this test version of Trickbot doesn't appear to be fully implemented by the hacking gang behind the malware, nor does it have the ability to randomly scan external IPs for SMB connections, unlike the worm behind the WannaCry ransomware.
Nonetheless, researchers warn that this development once again demonstrates the evolving, professional work of the cybercrime gang behind Trickbot as they examine further ways to steal financial data from banks and private wealth management firms.
Ultimately, if successfully deployed, the worm could allow Trickbot to infect other computers on the same network as the machine initially compromised by a phishing email, either for further credential theft and account takeover, or even to rope them into a botnet for further spread of malware.
"Even though the worm module appears to be rather crude in its present state, it is evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and NotPetya and is attempting to replicate their methodology," said Vitali Kremez, director of Research at Flashpoint.
While Trickbot isn't as prolific as the likes of Zeus, Gozi, Ramnit, and Dridex, researchers warn that Trickbot will continue to be a "formidable force" in future, as its authors look to add more potent capabilities to this dangerous malware.