SentinelLabs experts discovered a new PowerShell backdoor used by TrickBot operators in recent attacks aimed at Powershell high-value targets, such as financial institutions.
TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features. For example, in February 2019 Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.
Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.
In August 2019, researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic webinjects in attacks aimed at U.S. mobile users.
The news backdoor, dubbed PowerTrick, was deployed as a PowerShell task through normal TrickBot infections, it is designed to execute commands and return the results in Base64 format.
Experts noticed that the system uses a generated UUID based on computer information as a “botID.”
“The TrickBot cybercrime enterprise actively develops many of its offensive tools such as “PowerTrick” that are leveraged for stealthiness, persistence, and reconnaissance inside infected high-value targets such as financial institutions.” reads the analysis published by SentinelLabs.
“The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks. “
The malicious code could perform several activities, including:
PowerTrick is used in conjunction with other frameworks and offensive tools, either paid or freely available for download, for profiling and pivoting.
Experts observed the use of other PowerShell utilities to perform malicious tasks. One of the most commonly used utilities is was ‘letmein.ps1’ which is a Powershell stager for open-source exploitation framework Metasploit.
“The letmein script, in particular, is leveraged frequently to pivot the infection to another framework.” continues the analysis. “It is also used to detonate on other systems after pivoting.”
Once the attackers have profiled the target system and network, they perform and cleanup to remove all
They remove any existing files that did not execute properly and perform lateral movements to a different target in the same network choice.
SentinelLabs’ researchers linked the PowerTrick backdoor to the recently discovered TrickBot Anchor malware, the TerraLoader with the “more_eggs” backdoor onboard.
The experts have also developed mock command-and-control panels that used for the analysis of the “PowerTrick”.
The report published by the experts includes Indicators of Compromise (IoCs), along with other technical details.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Trickbot)
[adrotate banner=”5″]
[adrotate banner=”13″]
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical…
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler…
This website uses cookies.