Cybersecurity researchers discovered a new module of the Trickbot malware, dubbed ‘masrv’, that is used to scan a local network and make lateral movement inside the target organization.
The masrv module leverage the Masscan open-source utility for local network scanning, it is used to search for other devices with open ports that can be compromised.
Once infected a device, the masrv is used to drop the component and send a series of Masscan commands to scan the local network and send the scan results back to the C2 server.
The bot scans the network for systems with sensitive or management ports left open inside an internal network, then botnet operators can then deploy other modules for lateral movements.
“Recently we have discovered a relatively new module that goes by the name masrv. The module is a network scanner that incorporates the Masscan open-source tool. Additionally, the module contains an unreferenced Anchor C2 communication function and a list of hardcoded IPs which have previously been associated with Anchor and Bazar.” reads the analysis published by Kryptos Logic. “We believe this module is used as one of Trickbot’s network reconnaissance tools to gather more information about the victim’s network.”
The recent module was compiled on December 4, 2020, but experts have yet to observe its use in the wild.
The researchers speculate the module is still under testing, the effort demonstrates that the authors of the malware are improving the Trickbot code after the recent takedown.
Kryptos Logic published a detailed analysis of the new masrv module that also includes indicators of compromise and Yara rules.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Trickbot)
[adrotate banner=”5″]
[adrotate banner=”13″]
Security Affairs Malware newsletter includes a collection of the best articles and research on malware…
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…
Chinese "kill switches" found in Chinese-made power inverters in US solar farm equipment that could…
FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S.…
Google warns that the cybercrime group Scattered Spider behind UK retailer attacks is now targeting…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…
This website uses cookies.
