Experts discovered a new Trickbot module used for lateral movement

Experts spotted a new Trickbot module that is used to scan local networks and make lateral movement inside the target organization.

Cybersecurity researchers discovered a new module of the Trickbot malware, dubbed ‘masrv’, that is used to scan a local network and make lateral movement inside the target organization.

The masrv module leverage the Masscan open-source utility for local network scanning, it is used to search for other devices with open ports that can be compromised.

Once infected a device, the masrv is used to drop the component and send a series of Masscan commands to scan the local network and send the scan results back to the C2 server.

The bot scans the network for systems with sensitive or management ports left open inside an internal network, then botnet operators can then deploy other modules for lateral movements.

“Recently we have discovered a relatively new module that goes by the name masrv. The module is a network scanner that incorporates the Masscan open-source tool. Additionally, the module contains an unreferenced Anchor C2 communication function and a list of hardcoded IPs which have previously been associated with Anchor and Bazar.” reads the analysis published by Kryptos Logic. “We believe this module is used as one of Trickbot’s network reconnaissance tools to gather more information about the victim’s network.”

The recent module was compiled on December 4, 2020, but experts have yet to observe its use in the wild.

The researchers speculate the module is still under testing, the effort demonstrates that the authors of the malware are improving the Trickbot code after the recent takedown.

Kryptos Logic published a detailed analysis of the new masrv module that also includes indicators of compromise and Yara rules.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Trickbot)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.