Cyber-security experts say they spotted a new component of the Trickbot malware that performs local network reconnaissance.
Named masrv, the component incorporates a copy of the Masscan open-source utility in order to scan local networks for other systems with open ports that can be attacked at a later stage.
The idea behind masrv is to drop the component on newly infected devices, send a series of Masscan commands, let the component scan the local network, and upload the scan results to a Trickbot command and control server.
If the scan finds systems with sensitive or management ports left open inside an internal network —which is very common in most companies— the Trickbot gang can then deploy other modules specialized in exploiting those loopholes and move laterally to infect new systems.
Most likely a test module for now
"Not overall novel — but strange for it to be included in Trickbot," Suweera DeSouza, a malware analyst at Kryptos Logic, and the one who discovered masrv, told ZDNet today.
DeSouza said she believes the module is still under testing, something that Trickbot has done before with other modules in the past, which have often ended up being added to its large arsenal of second-stage components.
"We only came across one variant of this module," DeSouza said.
"The recent module compiled was on December 4, 2020. Since then we haven't come across the module being used again."
A technical analysis and indicators of compromise for the new masrv Trickbot module, authored by DeSouza and her colleagues, is available on the Kryptos Logic blog.
Trickbot is the new king after Emotet's demise
Other malware strains have also been known to include network reconnaissance modules before but such modules aren't a common sighting.
After law enforcement agencies have taken down the Emotet malware botnet last week, Trickbot is now considered the primary de-facto threat to corporate environments.