Trickbot, which used to be a simple banking trojan, has come a long way. Over time, we've seen how cybercriminals continue to add more features to this malware. Last March, Trickbot added a new module that gave it increased detection evasion and a screen-locking feature. This month, we saw that Trickbot (detected by Trend Micro as TSPY_TRICKBOT.THOIBEAI) now has a password grabber module (pwgrab32) that steals credentials from several applications and browsers, such as Microsoft Outlook, FileZilla, WinSCP, Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge. Based on our telemetry, this Trickbot variant has affected users mainly in the United States, Canada, and the Philippines.

Malware authors continue to cash in on Trickbot's modular structure: its ability to continually update itself by downloading new modules from a C&C server and to change its configuration makes it a malware that is ripe for updating. To gain a better understanding of this threat, we analyzed Trickbot's different modules, starting with the new pwgrab32 module that we saw this month.

Trickbot's new module, called pwgrab32 or PasswordGrabber, steals credentials from applications such as FileZilla, Microsoft Outlook, and WinSCP.

Figure 1. A screen capture of Trickbot's new module, pwgrab32, in an affected system

Figure 2. A screen capture of the new module's code that steals FTP passwords from FileZilla

Figure 3. A screen capture of the new module's code that steals Microsoft Outlook credentials

Figure 4. A screen capture of Trickbot harvesting passwords from the open-source FTP client WinSCP

Aside from stealing credentials from applications, it also steals the following information from several popular web browsers such as Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge:

Figure 5. A screen capture of Trickbot's code that is structured to steal passwords from popular web browsers

It should be noted that this Trickbot variant is not capable of stealing passwords from third-party password manager applications. We are studying this malware further to see if it is able to steal passwords from password managers that have browser plugins.

Trickbot uses the shareDll32 module to help propagate itself throughout the network. It connects to a C&C server, hxxp://185[.]251[.]39[.]251/radiance[.]png, to download a copy of itself and saves it as setuplog.tmp.

Figure 6. Trickbot's shareDll32 module allows it to connect to a C&C server to download a copy of itself

Figure 7. The downloaded file is saved as setuplog.tmp

The shareDll32 module then enumerates and identifies systems connected to the same domain using WNetEnumResource and GetComputerNameW.

Figure 8. Screen capture of code that enumerates and identifies connected systems using WNetEnumResourceW and GetComputerNameW

The file setuplog.tmp is then copied to the administrative shares of the discovered machines.

Figure 9. A screenshot of setuplog.tmp copied to the administrative shares

To make the malware more persistent, it installs an auto-start service that runs Trickbot whenever the machine boots. This service can have the following display names:

The wormDll32 module attempts to identify servers and domain controllers in the network using NetServerEnum and LDAP queries. Trickbot's worm-like propagation capability was first observed by security researchers from Flashpoint in 2017.

Figure 10. Screen capture of code that identifies workstations and servers in a domain using NetServerEnum

Figure 11. Screen capture of code that identifies domain controllers in a network using LDAP queries

Figure 12. Screen capture of code that identifies machines which are not domain controllers in a network using LDAP queries
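The share copy performed by shareDll32 leaves a trail on every target: with object access auditing enabled, the receiving host logs a Security event 5145 (detailed file share) for the write into ADMIN$ or C$. The block below is an added example, not code from this analysis: a Python hunt over constructed 5145 records that flags (a) any write of the setuplog.tmp file name this variant uses and (b) any single source account writing into administrative shares on three or more hosts, which is the generic shape of this propagation whatever the file is called. Field names follow the 5145 event data (SubjectUserName, IpAddress, ShareName, RelativeTargetName, AccessMask); the records, hosts, and accounts are constructed.

```python
"""Hunt for shareDll32-style propagation in Windows Security event 5145 records.

Added example; not code from the Trend Micro analysis or from Trickbot.
The event records below are constructed. Field names follow the 5145
event's own data names.
"""
import re
from collections import defaultdict

# Constructed 5145 records: one source (jdoe from 10.0.0.25) drops
# setuplog.tmp into ADMIN$ on three hosts, a deployment account writes
# one file to one host, and jdoe also does a read-only access on HOST-D.
SAMPLE_EVENTS = [
    {"Computer": "HOST-A", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "setuplog.tmp", "AccessMask": "0x2"},
    {"Computer": "HOST-B", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "setuplog.tmp", "AccessMask": "0x2"},
    {"Computer": "HOST-C", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\setuplog.tmp", "AccessMask": "0x6"},
    {"Computer": "HOST-A", "SubjectUserName": "svc_deploy", "IpAddress": "10.0.0.5",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "ccmsetup.exe", "AccessMask": "0x2"},
    {"Computer": "HOST-D", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\jdoe\\notes.txt", "AccessMask": "0x1"},
]

# AccessMask bits that indicate a write: WriteData/AddFile (0x2), AppendData (0x4).
WRITE_BITS = 0x2 | 0x4
# File name used by this variant (from the analysis above).
KNOWN_DROP_NAMES = {"setuplog.tmp"}
# Distinct hosts one source must write to before the generic rule fires.
FAN_OUT_THRESHOLD = 3
# ADMIN$ or a drive-letter share such as C$ (the ShareName field is \\*\NAME).
_ADMIN_SHARE = re.compile(r"^(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)


def is_admin_share(share_name):
    """True for ADMIN$ and drive-letter administrative shares."""
    return bool(_ADMIN_SHARE.match(share_name.rsplit("\\", 1)[-1]))


def is_write(access_mask):
    """True when the hex AccessMask carries a write bit."""
    return int(access_mask, 16) & WRITE_BITS != 0


def hunt(events, threshold=FAN_OUT_THRESHOLD):
    """Return findings for admin-share writes, grouped by (source IP, account)."""
    by_source = defaultdict(lambda: {"targets": set(), "files": set()})
    for ev in events:
        if not (is_admin_share(ev["ShareName"]) and is_write(ev["AccessMask"])):
            continue
        key = (ev["IpAddress"], ev["SubjectUserName"])
        by_source[key]["targets"].add(ev["Computer"])
        by_source[key]["files"].add(ev["RelativeTargetName"].rsplit("\\", 1)[-1].lower())

    findings = []
    for (ip, user), seen in sorted(by_source.items()):
        source = f"{user}@{ip}"
        hits = sorted(seen["files"] & KNOWN_DROP_NAMES)
        if hits:
            findings.append({"kind": "known_drop_name", "source": source,
                             "targets": sorted(seen["targets"]), "files": hits})
        if len(seen["targets"]) >= threshold:
            findings.append({"kind": "admin_share_fan_out", "source": source,
                             "targets": sorted(seen["targets"]), "files": sorted(seen["files"])})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The fan-out rule is the one worth keeping after the indicators age: a file name is trivial for the operators to change, but copying a payload into administrative shares across many hosts from one account within a short window is the behaviour itself. In production, bucket the grouping by time as well and whitelist the accounts that legitimately deploy software this way.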
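The LDAP side of the wormDll32 discovery is something a defender can reproduce to see exactly which hosts an infected machine would be able to enumerate. The block below is an added example, not the module's code: it uses the standard Active Directory filters for domain controllers and for computer objects that are not domain controllers (the SERVER_TRUST_ACCOUNT bit, 0x2000, of userAccountControl, tested with the LDAP_MATCHING_RULE_BIT_AND rule 1.2.840.113556.1.4.803), which are assumed here rather than copied from the module's screenshots, and evaluates them against a constructed inventory with a small filter evaluator so the code runs offline. Against a live directory the same two filter strings would be handed to an LDAP client unchanged.

```python
"""Domain-controller vs. non-domain-controller discovery with LDAP filters.

Added example; not code from the Trend Micro analysis or from Trickbot.
The filters are the standard AD idiom (assumed, not copied from the
module) and the inventory is constructed.
"""
SERVER_TRUST_ACCOUNT = 0x2000          # userAccountControl bit set on DCs
WORKSTATION_TRUST_ACCOUNT = 0x1000     # bit set on member servers/workstations
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

DC_FILTER = (f"(&(objectCategory=computer)"
             f"(userAccountControl:{BIT_AND_RULE}:={SERVER_TRUST_ACCOUNT}))")
NON_DC_FILTER = (f"(&(objectCategory=computer)"
                 f"(!(userAccountControl:{BIT_AND_RULE}:={SERVER_TRUST_ACCOUNT})))")

# Constructed inventory. A real server returns objectCategory as a full
# schema DN and normalises "computer" in the filter; the short form is
# used here so the offline evaluator can compare it directly.
INVENTORY = [
    {"dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "objectCategory": "computer", "userAccountControl": 0x82000},   # DC + trusted for delegation
    {"dn": "CN=WS01,CN=Computers,DC=corp,DC=example",
     "objectCategory": "computer", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"dn": "CN=FS01,CN=Computers,DC=corp,DC=example",
     "objectCategory": "computer", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"dn": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "objectCategory": "person", "userAccountControl": 0x200},       # NORMAL_ACCOUNT
]


def _parse(s, i=0):
    """Parse one RFC 4515 filter item at s[i] ('(' expected); return (node, next_index).

    Supports &, |, !, equality, and the bit-AND extensible match used above.
    """
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    if attr.endswith(f":{BIT_AND_RULE}:"):
        return ("bitand", attr.split(":", 1)[0], int(value)), end + 1
    return ("eq", attr, value), end + 1


def _match(node, entry):
    """Evaluate a parsed filter node against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(_match(c, entry) for c in node[1])
    if kind == "|":
        return any(_match(c, entry) for c in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    attr = node[1]
    if attr not in entry:
        return False  # an absent attribute never matches (LDAP semantics)
    if kind == "bitand":
        return int(entry[attr]) & node[2] == node[2]  # all requested bits set
    return str(entry[attr]).lower() == node[2].lower()


def search(entries, ldap_filter):
    """Return the DNs of entries matching the filter, in inventory order."""
    node, _ = _parse(ldap_filter)
    return [e["dn"] for e in entries if _match(node, e)]


if __name__ == "__main__":
    print("domain controllers:", search(INVENTORY, DC_FILTER))
    print("other computers:   ", search(INVENTORY, NON_DC_FILTER))
```

Two things the split makes visible: any authenticated domain account, including the compromised user whose machine runs the module, can issue these searches, and the non-DC result is precisely the set of hosts whose administrative shares the shareDll32 copy will target. Comparing that list with the hosts that actually expose ADMIN$ to ordinary users is a quick way to size the blast radius.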