Trickbot, Fast Becoming the Malware Of The Year?
2019 is shaping up to be the year of the Trickbot malware, which has already received substantial coverage here on Hackercombat.com as a nasty, evasive trojan that conventional antivirus software struggles to detect. The first article was dated July 6, 2018, and a follow-up highlighting its dangers December 30, 2018. What sets Trickbot apart is its architecture: it is modular, extended on demand with new capability modules, and has been continually fine-tuned by its authors since it was first documented in 2016.
The latest Trickbot variant carries an updated password-grabbing module that extracts saved credentials from remote-access software such as RDP, VNC and PuTTY. Equally worrying, Trickbot rarely arrives alone: it has frequently been dropped by Emotet, so finding Trickbot on a host is a strong hint that an Emotet infection preceded it. That pairing has fuelled speculation that the two families are developed by the same group of malware authors, although shared distribution on its own does not establish that.
“In January 2019, we saw Trickbot (detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.AD) with new capabilities added to its already extensive bag of tricks. Its authors clearly aren’t done updating Trickbot — we recently found a new variant that uses an updated version of the pwgrab module that lets it grab remote application credentials,” wrote Noel Anthony Llimos, Threat Research Engineer at Trend Micro.
In its initial stage the malware is not self-propagating. It arrives as a Microsoft Excel file carrying a malicious macro, attached to an email crafted to look like a legitimate tax-incentive notice. The Excel file, detected by many antivirus products as Trojan.W97M.MERETAM.A, is not Trickbot itself but a downloader: the macro fetches Trickbot's main module from a remote server operated by the malware's authors, which was still online at the time of writing. Blocking or sandboxing macro-enabled Office attachments from outside the organisation therefore stops this chain before any Trickbot code reaches the host.
“This Trickbot variant is largely similar to the variant we discovered in November. However, the 2019 version adds three new functions, one each for the Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP) platforms. One of the techniques enforced by these new functions encrypts the strings it uses via simple variants of XOR or SUB routines. The module will send the required data via POST, which is configured through a downloaded configuration file using the filename ‘dpost.’ This file contains a list of command-and-control (C&C) servers that will receive the exfiltrated data from the victim,” added Carl Maverick Pascual, Threat Research Engineer and Llimos’ teammate.
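The string obfuscation Pascual describes is the kind an analyst defeats by brute force: a single-byte XOR or SUB key has only 256 possibilities per routine, so every candidate can be tried and scored. The following is an added example written for this article, not Trickbot's own routine and not Trend Micro's tooling; the analysis only says "simple variants of XOR or SUB", so the keys (0x5A and 0x33), the sample blobs and the printable-ratio scoring here are assumptions made for illustration.

```python
"""Recovering strings hidden by single-byte XOR or SUB obfuscation.

Added example for this article; it is not Trickbot's routine and not
Trend Micro's tooling.  The keys (0x5A, 0x33), the sample blobs and the
scoring heuristic are assumptions made for illustration.
"""

from typing import Callable, Dict, Iterable, Tuple

# Bytes an analyst expects in recovered config strings: printable ASCII
# plus tab, newline and carriage return.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_decode(data: bytes, key: int) -> bytes:
    """Undo byte-wise XOR with a single key byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def sub_decode(data: bytes, key: int) -> bytes:
    """Undo byte-wise 'add key mod 256' by subtracting the key."""
    return bytes((b - key) & 0xFF for b in data)


DECODERS: Dict[str, Callable[[bytes, int], bytes]] = {
    "xor": xor_decode,
    "sub": sub_decode,
}


def printable_ratio(candidate: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 for clean text)."""
    if not candidate:
        return 0.0
    return sum(b in PRINTABLE for b in candidate) / len(candidate)


def brute_force(blob: bytes,
                markers: Iterable[bytes] = (b"dpost", b"http")) -> Tuple[str, int, bytes, float]:
    """Try every (routine, key) pair and return the best-scoring decode.

    Returns (routine, key, plaintext, score).  A marker hit, such as the
    'dpost' config name from the analysis, adds 1.0 to the score so that
    genuine plaintext beats keys that merely yield printable noise.
    """
    markers = tuple(markers)
    best: Tuple[str, int, bytes, float] = ("", -1, b"", -1.0)
    for name, decode in DECODERS.items():
        for key in range(256):
            plain = decode(blob, key)
            score = printable_ratio(plain)
            if any(m in plain for m in markers):
                score += 1.0
            if score > best[3]:
                best = (name, key, plain, score)
    return best


# Constructed samples: b"dpost" XOR 0x5A, and b"/dpost/" with 0x33 added to
# every byte (the "SUB" case: the decoder subtracts the key to recover it).
XOR_SAMPLE = b">*5)."
SUB_SAMPLE = b"b\x97\xa3\xa2\xa6\xa7b"


if __name__ == "__main__":
    for label, blob in (("xor", XOR_SAMPLE), ("sub", SUB_SAMPLE)):
        routine, key, plain, score = brute_force(blob)
        print(f"{label}: {routine} key=0x{key:02X} -> {plain!r} (score {score:.2f})")
```

On real samples the marker list is what makes this reliable: short blobs decode to printable junk under many keys, so seed it with strings you already know the family uses (the config filename, a C&C path, an HTTP verb) before trusting the top-ranked key.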
Trickbot's ability to harvest PuTTY session data is a blow to the security of Linux servers in the enterprise, even though the malware itself runs only on Windows. PuTTY keeps saved sessions in the registry under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions, and each profile records the host name or IP address, port, user name and the path of the private-key (.ppk) file, so malware running as the logged-in user can read those values and then the key file they point to. A stolen key that is not protected by a passphrase gives immediate SSH access to every server it is authorised on, and since Linux runs most of the web servers on the internet today, a compromised Windows workstation becomes a foothold on the servers its user administers. After a Trickbot infection, every key referenced by a PuTTY session on that machine should be treated as compromised and rotated, with the corresponding authorized_keys entries removed.
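To see exactly what the PuTTY grabber has to work with, and to scope the key rotation after an infection, it helps to inventory the saved sessions the same way the malware would read them. The following is an added example for this article, not Trend Micro's or Trickbot's code; it assumes the defender has exported HKCU\Software\SimonTatham\PuTTY\Sessions with `reg export` on the affected workstation, parses that .reg text, and lists host, port, user and key path per SSH session. The .reg content embedded below is constructed sample data.

```python
r"""Inventory of what a PuTTY-aware credential grabber can read from a
Windows user profile.

Added example for this article; it is not Trend Micro's or Trickbot's
code.  It assumes the defender has run
    reg export "HKCU\Software\SimonTatham\PuTTY\Sessions" putty.reg
on the infected workstation and parses that export.  The .reg text below
is constructed sample data.
"""

import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample: two SSH sessions (one key-based, one password-based)
# and one serial session that no SSH grabber cares about.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\prod%20web]
"HostName"="203.0.113.10"
"PortNumber"=dword:00000016
"UserName"="deploy"
"PublicKeyFile"="C:\\Users\\alice\\keys\\prod.ppk"
"Protocol"="ssh"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\jump]
"HostName"="jump.example.net"
"PortNumber"=dword:000008ae
"UserName"="alice"
"PublicKeyFile"=""
"Protocol"="ssh"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\serial%20console]
"HostName"=""
"Protocol"="serial"
'''

SECTION_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\(.+)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode_value(raw: str):
    """Turn a .reg value literal into a Python str or int."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # .reg escapes backslashes and double quotes with a backslash.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_putty_sessions(reg_text: str) -> List[Dict[str, object]]:
    """Group the exported values by saved session."""
    sessions: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            # PuTTY percent-encodes characters such as spaces in session names.
            current = {"session": unquote(m.group(1))}
            sessions.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = _decode_value(m.group(2))
    return sessions


def exposed_credentials(sessions: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rows a grabber would exfiltrate: SSH sessions that name a host."""
    rows = []
    for s in sessions:
        if s.get("Protocol") != "ssh" or not s.get("HostName"):
            continue
        rows.append({
            "session": s["session"],
            "host": s["HostName"],
            "port": s.get("PortNumber", 22),
            "user": s.get("UserName", ""),
            # The registry stores only the key's path; the .ppk itself must be
            # read from disk.  An empty path means password authentication.
            "key_file": s.get("PublicKeyFile") or None,
        })
    return rows


if __name__ == "__main__":
    for row in exposed_credentials(parse_putty_sessions(SAMPLE_REG)):
        print(f"{row['session']}: {row['user']}@{row['host']}:{row['port']} "
              f"key={row['key_file'] or '(password)'}")
```

A real `reg export` file is UTF-16LE, so open it with `encoding="utf-16"` before passing the text in. Two caveats the output does not show: a .ppk protected by a passphrase is not usable until the passphrase is also captured, and a session with an empty PublicKeyFile still reveals which host and user name a password-guessing or keylogging attacker should target.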