This new Trickbot malware update makes it even harder to detect

The notorious information-stealing trojan is one of the most prolific forms of malware out there - and has evolved yet again.
Written by Danny Palmer, Senior Writer

Trickbot malware has been updated with a new method of propagation that makes it even harder to detect.

Starting life as a banking trojan, Trickbot first emerged in 2016, but in the years since it has been repeatedly repurposed: it now operates as a fully-fledged information stealer, provides backdoor access to infected machines, and gives cyber criminal groups a gateway for delivering other malware onto already compromised networks.

Trickbot can also operate as a botnet to help spread itself to additional victims, commonly using phishing email spam campaigns to distribute malicious attachments that execute it on a Windows machine if opened. Once executed on a machine, Trickbot can also exploit the EternalBlue vulnerability to move laterally around a network.


Now researchers at Palo Alto Networks have detailed the latest update to Trickbot, in operation since April, which gives it a better method of evading detection.

Trickbot is modular, allowing its authors to easily add or remove capabilities, and it is this modularity that made the latest change easy to introduce.

A module called Mworm has been responsible for helping to spread Trickbot since September last year, but now it's been replaced with a new module – Nworm. Researchers noticed it when it appeared on an infected Windows 7 client and note that it greatly alters Trickbot's HTTP traffic.

Now when Trickbot infects a domain controller, the malware is run from memory, ensuring that no artefacts are left behind on the infected machine and making detection harder.

In addition to this, the binary used by Nworm is encrypted when transferred over the internet, which also helps to hide the actions of the malware.

"This is the latest in a series of changes in TrickBot as it evolves within our current threat landscape," said Brad Duncan, threat intelligence analyst at Palo Alto Networks' Unit 42 research division.

In March, the authors of Trickbot added capabilities that appear to be designed to help conduct cyber espionage against specific targets – including telecommunications providers, universities and financial services.


But despite the potent nature of Trickbot, organisations can go a long way to protecting themselves from it.

"Best security practices like running fully patched and up-to-date versions of Microsoft Windows will hinder or prevent Trickbot infections," said Duncan.

EternalBlue, the Windows vulnerability that powered WannaCry ransomware, forms a key part of how Trickbot spreads itself, but despite a patch being released over three years ago, cyber criminals continue to exploit it because there are organisations that still haven't applied it to their networks.

By applying security updates as and when they arrive, organisations can stop themselves falling victim to Trickbot and other malicious hacking campaigns that exploit known vulnerabilities that are sometimes years old.
