Pierluigi Paganini
July 14, 2021
The Trickbot botnet continues to evolve despite the operations conducted by law enforcement aimed at dismantling it. The authors recently implemented an update for the VNC module used for remote control over infected systems.
In October, Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec joined the forces and announced a coordinated effort to take down the command and control infrastructure of the infamous TrickBot botnet.
Even if Microsoft and its partners have brought down the TrickBot infrastructure, its operators attempted to resume the operations by setting up new command and control (C&C) servers online.
Following the takedown, the operators behind the TrickBot malware have implemented several improvements to make it more resilient.
TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features. Operators continue to offer the botnet through a multi-purpose malware-as-a-service (MaaS) model. Threat actors leverage the botnet to distribute a broad range of malware including info-stealer and ransomware such as Conti and Ryuk. To date, the Trickbot botnet has already infected more than a million computers.
The most common attack chain observed by threat actors begins via EMOTET malspam campaigns, which then loads TrickBot and/or other loaders.
Trickbot activity started to increase to such levels that in May it was the most prevalent malware on Check Point’s radar.
Since the disruption of the Emotet operations, Trickbot was the most prevalent malware in the threat landscape.
Bitdefender researchers spotted a new version of Trickbot’s VNC module (vncDLL) which was employed in attacks aimed at high-profile targets.
“In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets. This module, known as tvncDll, is used for monitoring and intelligence gathering. It seems to be still under development, since the group has a frequent update schedule, regularly adding new functionalities and bug fixes.” states the report published by BitDefender.
The Trickbot module updated0by the authors is called tvncDLL and is used by the botnet to monitor the victim’s activity and information gathering. The module appears to be under development and was frequently updated since its discovery on May 12.
Researchers also noted a spike in C2 centers deployed around the world, most of the C2 servers are currently located in North America (54), followed by France (7).
This module, vncDll/tvncDll, uses a custom communication protocol, the module communicates with the C2 servers that act as mediators between the victims and attackers. The list of C2 servers is defined in a configuration file called vncconfand which includes a list of up to nine IP addresses that allow access to victims behind firewalls.
The VNC component can stop Trickbot and unload it from memory. When an operator initiates communication, the module creates a virtual desktop with a custom interface.
The VNC module creates a virtual desktop with a custom interface when an operator initiates communication. The component is also able to stop the bot and unload it from memory.
Using the Cmd.exe the operators can perform several high-impact actions using PowerShell, such as:
Experts also documented an option dubbed Native Browser that adds a password-stealing functionality and which is in active development.
The report published by BitDefender also includes Indicators of compromise for the recent infections.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Trickbot)
[adrotate banner=”5″]
[adrotate banner=”13″]
