When journalists and researchers talk about the information-stealing trojan Trickbot a number of superlatives are used to describe how successful the malware has become. In many cases, Trickbot has earned those superlatives as it is one of the most notorious pieces of malware currently making up the threat landscape. Three recent events in the malware life cycle prove this viewpoint. Early in 2019, Trickbot partnered with the equally notorious ransomware Ryuk in order to share resources and victims. The event showed that the operators behind Trickbot are willing to partner up for the good of turning even more profit. Then in the last quarter of 2019, the malware was upgraded to include a module that allowed for SIM swapping attacks. Then in March of this year Ryuk, with the help of Trickbot, added the Fortune 500 Company EMCOR to the ransomware ever-increasing victim list.
Now Trickbot again makes headlines as it has received yet another upgrade to help ensure infections continue. In a report published by Palo Alto Networks details how the info-stealing malware has evolved yet again to include a new and improved propagation method that makes it harder to detect the malware. This new upgrade forms another chapter in a long list of upgrades that began in 2016 with the start of the malware life cycle. At the start the malware was designed specifically to fill the role of a banking trojan, that being a piece of malware that targets and steals banking information and credentials.
This then the original purpose has been subverted to include an entire host of other features that make Trickbot a full-featured information stealer. Further upgrades to the malware have enabled it to create backdoors onto systems as well as being able to drop other types of malware onto an already infected machine, as has been the case with Ryuk. Central to the overriding success of Trickbot is its modular design allowing new and improved modules to be bolted onto the existing code base and further increasing the already long feature list.
This modular design has enabled Trickbot to further enhance its capabilities by acting as a botnet by spreading the malware to other users via generated spam email campaigns. Trickbot is also capable of spreading laterally across a network through the incorporation of the EternalBlue vulnerability leaked online by the ShadowBrokers and was used successfully in the WannaCry ransomware attacks. Palo Alto Networks’ research reveals that a new add-on helps the malware evade detection during the malware propagation. The new module called “nworm”, which replaces the previous “mworm” module that served a similar purpose. It appears that the new module has actively been used in campaigns dating back to April 2020.
Nworm vs Mworm
The new module forms part of three other modules the malware uses to propagate, including the EternalBlue module mentioned above. Due to the differences, it has with the previous mworm it can be seen as an upgrade. These include nworm's ability to retrieve encrypted or coded binaries over network traffic that include Trickbot executable files, mworm could only retrieve the executable which was not encrypted. Nworm leaves no artifacts on an infected machine when the machine was infected by the nworm module. The artifacts themselves disappear upon a system reboot or shutdown. Lastly, nworm is run from system RAM which is a much better tactic for evading detection than those incorporated in mworm.
The first campaign seen in the wild which had mworm as a feature dates back to September 2019. The upgrade to nworm shows how capable the malware’s developers are when looking to upgrade their creation. With such a rapid development cycle it becomes harder for those defending networks to do so. When this is combined with new upgrades, like running from the infected systems RAM to evade detection the threat posed by the malware is worthy of the reputation it has steadily earned since 2016.
While infection via the nworm module is not persistent on the machine following a reboot or shutdown the main target of Trickbot appears to be domain controllers forming part of servers. This means that not remaining persistent is not an issue to continued operations as servers are not machines needing to be rebooted often. As to the overall effect of the new update researchers concluded that the best defense against potential infection is,
“An infection caused by nworm is run from system memory, leaves no artifacts on an infected DC, and disappears after a reboot or shutdown. Furthermore, the TrickBot binary used by nworm is encrypted or otherwise encoded when it is retrieved over the Internet. These characteristics are likely an attempt by TrickBot developers to avoid detection. This is the latest in a series of changes in TrickBot as it evolves within our current threat landscape. However, best security practices like running fully-patched and up-to-date versions of Microsoft Windows will hinder or prevent TrickBot infections.”
Not the Only Upgrade to be Worried About
The addition of the nworm is not the only upgrade that should have those defending networks placed on high alert. In March 2020 the malware developers included another module that allows for the malware to specifically target universities, financial institutions, and telecommunications providers. Details about the March upgrade were published in a blog post by Bitdefender. The campaign which included the new update had been active since January 2020. In order to target those organizations mentioned above the malware targets a pre-selected base of IP addresses in all likelihood chosen by the malware’s authors.
The malware then tries to brute force its way into the target's network. The method employed by the malware is brute-force attack remote desktop protocol (RDP) connections. This is done by entering numerous username and password combinations until one grants the attacker access. This is one of the reasons it is advised to use strong passwords and never rely on default passwords. Further, enabling two-factor authentication will help prevent brute-force attacks from being successful.
The upgrade showed another side to those operating the malware in that they looked to specifically target specific organizations within preselected economic sectors. Researchers determined that the brute-force attack used a specific list of username and password combinations, rather than employing a dictionary attack where a much larger library of potential usernames and passwords are used to try and gain access. By using a paired down list it was believed that the attackers were using combinations that occur frequently among network administrators. Once access was gained via compromising RDP connections the malware then looks to spread laterally across the network using the EternalBlue vulnerability.
Given the targets of the above campaign, it was assumed that the attackers were going after critical information or intellectual property; telecoms services may give attackers surveillance capabilities, they can tap into telecommunications networks. Further, by targeting higher learning the main aim would be the theft of intellectual property, while financial institutions could be to leverage stock market information to bring in revenue or the outright theft of funds.
As to the EternalBlue exploit, it is important to note that it received a patch years ago. Despite this Trickbot and numerous other malware variants still look to spread laterally across networks using the well-known vulnerability. As it is still a vital part of malware operations it is clear that the flaw is still expected by hackers to be useful and necessary to a successful campaign. This further means that those employed to maintain networks are guilty of not patching networks. Playing the blame game may not be helpful in combatting cyber threats, but the same tactics are still as effective as they were three years ago, this implies that there is a clear need for more education regarding cyber threats.
Trickbot not only employs old tactics but continually receives updates that make it more effective, harder to detect, and overall a greater threat than previous versions. As Trickbot is used by a number of hackers it has become increasingly difficult to predict the malware's next move and much of the malware’s command and control structure is located within Russia bringing down those responsible is a near-impossible task. This means that being proactive in defending the network remains the best defense. This includes keeping software up to date, enabling two-factor authentication, and installing recommended security suites is still great advice but not advice heeded.