Named masrv, the component incorporates a copy of the Masscan open-source utility in order to scan local networks for other systems with open ports that can be attacked at a later stage.
The idea behind masrv is to drop the component on newly infected devices, send a series of Masscan commands, let the component scan the local network, and upload the scan results to a Trickbot command and control server.
If the scan finds systems with sensitive or management ports left open inside an internal network, which is very common in most companies, the Trickbot gang can then deploy other modules specialized in exploiting those loopholes and move laterally to infect new systems.
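From the defender's side, a local-network sweep like the one described above shows up in internal flow data as one host sending connection attempts to many neighbours on the same port. The following detection sketch is an added example, not code from the article or from Kryptos Logic; the flow-record layout, the port list, the thresholds and the sample addresses are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Assumed "sensitive or management" ports; the article does not name any.
WATCHED_PORTS = {22, 23, 135, 445, 3389, 5900, 5985}
WINDOW_SECONDS = 60   # assumed sliding window
MIN_TARGETS = 20      # assumed fan-out threshold

def find_internal_scanners(flows, window=WINDOW_SECONDS, min_targets=MIN_TARGETS):
    """flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port, syn_only),
    a hypothetical record layout. Returns {src_ip: (port, peak_targets)} for
    internal sources that sent unanswered SYNs to at least `min_targets`
    distinct internal hosts on one watched port within `window` seconds."""
    per_key = defaultdict(list)
    for ts, src, dst, port, syn_only in flows:
        if not syn_only or port not in WATCHED_PORTS:
            continue
        if not (ip_address(src).is_private and ip_address(dst).is_private):
            continue  # only east-west traffic is of interest here
        per_key[(src, port)].append((ts, dst))

    hits = {}
    for (src, port), events in per_key.items():
        events.sort()
        counts = defaultdict(int)  # dst -> events currently inside the window
        left = peak = 0
        for ts, dst in events:
            counts[dst] += 1
            while events[left][0] < ts - window:  # expire old events
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= min_targets and peak > hits.get(src, (0, 0))[1]:
            hits[src] = (port, peak)
    return hits

def constructed_sample():
    # Constructed data: 10.0.5.23 sweeps 40 hosts on 445 in about 4 seconds;
    # 10.0.5.40 is a jump host with completed SSH sessions to 5 servers.
    sweep = [(1000 + i * 0.1, "10.0.5.23", f"10.0.5.{i + 100}", 445, True)
             for i in range(40)]
    admin = [(1000 + i * 120, "10.0.5.40", f"10.0.9.{i + 1}", 22, False)
             for i in range(5)]
    return sweep + admin
```

Calling `find_internal_scanners(constructed_sample())` flags only the sweeping workstation; the thresholds need tuning against a baseline of legitimate scanners such as vulnerability-management hosts.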
Most likely a test module for now
"Not overall novel — but strange for it to be included in Trickbot," Suweera DeSouza, a malware analyst at Kryptos Logic, and the one who discovered masrv, told ZDNet today.
DeSouza said she believes the module is still under testing, something that Trickbot has done before with other modules in the past, which have often ended up being added to its large arsenal of second-stage components.
"We only came across one variant of this module," DeSouza said.
"The recent module compiled was on December 4, 2020. Since then we haven't come across the module being used again."