Security researchers have discovered that the latest version of Trickbot has been using the Windows Server Message Block (SMB). This is the same worm module used by WannaCry and Petya that allowed them to spread around the globe quickly.
“Even though the worm module appears to be rather crude in its present state, it’s evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and ‘NotPetya’ and is attempting to replicate their methodology.”
TrickBot is a banking Trojan malware, known as “1000029” (v24), that has been targeting financial institutions since 2016. TrickBot acquires the use of phishing techniques to lure users to open email attachments claiming to be a large international financial institution. However, when the user clicks on the link it leads them to a fake login page, the user then proceeds to input their login information, however instead the attacker steals the user’s credentials.
Researchers at the security firm, Flashpoint, first discovered the newly added worm module in TrickBot. This new added protocol makes it possible for the malware to spread more easily to intended targets in the financial sector. The Server Message Block (SMB), a Windows networking protocol was first exploited by a vulnerability through the WannaCry malware. TrickBot leverages this vulnerability to their own advantage, using SMB to identify all computers in a network which connect through the lightweight directory access protocol (LDAP). To get the ability to spread through interprocesses communication and to download added versions of TrickBoT onto shared drives, the trojan can be disguised as a setup.exe and distributed via a PowerShell script.
Security researchers are perceiving that the criminals behind the new variant of TrickBot have more tricks up their sleeves. Saying, “Flashpoint assesses with moderate confidence that the Trickbot gang will likely continue to be a formidable force in the near term,”