Along with Emotet, Trickbot has become one of the most versatile and dangerous pieces of modular malware hitting enterprise environments.
Most recently, its creators have added another dangerous module to it, which allows it to extract and exfiltrate credentials from popular remote access software.
Like Emotet, Trickbot started as a pure banking Trojan but was developed further over the years and now has many additional capabilities. It can:
- Achieve persistence (through scheduled tasks)
- Disable Microsoft’s built-in antivirus Windows Defender
- Gather email addresses and send out spam
- Gather system and memory information, user accounts, lists of installed programs and services
- Fingerprint browsers and collect data from them (including passwords)
- Steal passwords from Microsoft Outlook and file transfer apps like WinSCP and Filezilla
- Spread itself to other computers on the same network by exploiting SMB vulnerabilities with the EternalRomance exploit.
Apart from propagating itself via SMB exploits, Trickbot is often dropped by Emotet as a secondary payload. It also arrives in targets’ inboxes via emails carrying malicious URLs and booby-trapped attachments (Word documents with macros).
A new capability
As mentioned before, the latest variant of the malware has acquired a new capability: stealing VNC, PuTTY and RDP credentials.
It extracts VNC credentials from *.vnc.lnk files, PuTTY credentials from saved connection settings, and RDP credentials by taking advantage of the CredEnumerateA API.
The information is then exfiltrated to C&C servers and later likely used to achieve continuous access to infected hosts and/or the network and, apparently, to deliver Ryuk ransomware, which specializes in targeting enterprises.
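For administrators who want to look for this behaviour, here is an added example (it is not from the article or from Trend Micro's analysis): a short Python script that triages Windows Security object-access events (Event ID 4663, "An attempt was made to access an object") for reads of the credential stores the new module targets. It assumes a SACL has been placed on PuTTY's saved-session registry key (HKCU\Software\SimonTatham\PuTTY\Sessions) and on the *.vnc.lnk shortcuts, so that access to them is audited; the log records, process paths and allowlists below are constructed for the example and should be tuned to your own environment. Access through CredEnumerateA goes via the Credential Manager rather than a file, so that part of the module is out of scope for this check.

```python
import fnmatch
from typing import Callable, Dict, Iterable, List, Set

# Hypothetical detection rules, one per credential store the article describes.
# Each rule matches the audited object name from a 4663 event and carries an
# allowlist of executable names expected to touch that store. The allowlists
# are an assumption for this example; they are not from the article.
RULES: Dict[str, Dict] = {
    "putty_saved_sessions": {
        # PuTTY keeps saved connection settings under this HKCU key; in 4663
        # events the path is reported as \REGISTRY\USER\<SID>\Software\...
        "object_type": "Key",
        "match": lambda name: "\\software\\simontatham\\putty\\sessions" in name.lower(),
        "allowed": {"putty.exe", "plink.exe", "pscp.exe", "psftp.exe", "pageant.exe"},
    },
    "vnc_connection_shortcut": {
        # VNC connection shortcuts (*.vnc.lnk) are what the module parses.
        "object_type": "File",
        "match": lambda name: fnmatch.fnmatch(name.lower(), "*.vnc.lnk"),
        "allowed": {"explorer.exe", "vncviewer.exe"},
    },
}

# Constructed sample events using the 4663 field names (EventID, ObjectType,
# ObjectName, ProcessName, SubjectUserName). Values are invented.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4663, "ObjectType": "Key", "SubjectUserName": "alice",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\SimonTatham\PuTTY\Sessions\prod-db",
     "ProcessName": r"C:\Program Files\PuTTY\putty.exe"},
    {"EventID": 4663, "ObjectType": "Key", "SubjectUserName": "alice",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\SimonTatham\PuTTY\Sessions\prod-db",
     "ProcessName": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"EventID": 4663, "ObjectType": "File", "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\Desktop\dbserver.vnc.lnk",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4663, "ObjectType": "File", "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\Desktop\dbserver.vnc.lnk",
     "ProcessName": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"EventID": 4663, "ObjectType": "File", "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
]


def image_name(process_path: str) -> str:
    """Return the lower-cased executable name from a full ProcessName path."""
    return process_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[Dict]) -> List[Dict[str, str]]:
    """Return one finding per 4663 event where an unexpected process touched
    a monitored credential store. Allowed processes produce no finding."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        obj_name = ev.get("ObjectName", "")
        proc = image_name(ev.get("ProcessName", ""))
        for rule_name, rule in RULES.items():
            if ev.get("ObjectType") != rule["object_type"]:
                continue
            match: Callable[[str], bool] = rule["match"]
            allowed: Set[str] = rule["allowed"]
            if not match(obj_name) or proc in allowed:
                continue
            findings.append({
                "rule": rule_name,
                "user": ev.get("SubjectUserName", ""),
                "process": ev.get("ProcessName", ""),
                "object": obj_name,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['user']} via {f['process']} -> {f['object']}")
```

Run as-is it prints the two constructed hits (the unknown `update.exe` reading the PuTTY session key and the VNC shortcut) and stays silent for putty.exe, explorer.exe and the unrelated notepad event. In practice the events come from the Security log (for example via wevtutil or a SIEM export), and the allowlist is the part that needs local tuning, since an overly broad one hides exactly the reads this module performs.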
“These new additions to the already ‘tricky’ Trickbot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware,” Trend Micro researchers noted.
“While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective.”
Dealing with Trickbot
Most users are unlikely to notice that they’ve been infected with Trickbot, so it’s on enterprise administrators to detect the malware communicating with its C&Cs and exfiltrating data to them, and to clean the infected machines.
Despite security awareness and anti-phishing training, sooner or later some employee will fall for a malicious email and download Trickbot (or other malware). Patching the SMB vulnerabilities these various threats use to propagate laterally on the network is a must to prevent constant reinfections.