Pierluigi Paganini January 09, 2020

Researchers at SentinelLabs reported that TrickBot operators used a new PowerShell backdoor in recent attacks aimed at high-value targets.

SentinelLabs experts discovered a new PowerShell backdoor used by TrickBot operators in recent attacks aimed at Powershell high-value targets, such as financial institutions.

TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features. For example, in February 2019 Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.

Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.

In August 2019, researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic webinjects in attacks aimed at U.S. mobile users.

The news backdoor, dubbed PowerTrick, was deployed as a PowerShell task through normal TrickBot infections, it is designed to execute commands and return the results in Base64 format.

Experts noticed that the system uses a generated UUID based on computer information as a “botID.”

“The TrickBot cybercrime enterprise actively develops many of its offensive tools such as “PowerTrick” that are leveraged for stealthiness, persistence, and reconnaissance inside infected high-value targets such as financial institutions.” reads the analysis published by SentinelLabs.

“The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks. “

The malicious code could perform several activities, including:

• Perform an initial
• Reset the throttle time or exit depending on response
• Sit in a loop request the next commands to be executed
• Execute received command
• Send back the results or the error message
• Sleep for the throttle amount

PowerTrick is used in conjunction with other frameworks and offensive tools, either paid or freely available for download, for profiling and pivoting.

Experts observed the use of other PowerShell utilities to perform malicious tasks. One of the most commonly used utilities is was ‘letmein.ps1’ which is a Powershell stager for open-source exploitation framework Metasploit.

“The letmein script, in particular, is leveraged frequently to pivot the infection to another framework.” continues the analysis. “It is also used to detonate on other systems after pivoting.”

Once the attackers have profiled the target system and network, they perform and cleanup to remove all

They remove any existing files that did not execute properly and perform lateral movements to a different target in the same network choice.

SentinelLabs’ researchers linked the PowerTrick backdoor to the recently discovered TrickBot Anchor malware, the TerraLoader with the “more_eggs” backdoor onboard.

The experts have also developed mock command-and-control panels that used for the analysis of the “PowerTrick”.

The report published by the experts includes Indicators of Compromise (IoCs), along with other technical details.

Pierluigi Paganini

(SecurityAffairs – hacking, Trickbot)

[adrotate banner=”5″]

[adrotate banner=”13″]