New propagation module makes Trickbot more stealthy

Trickbot infections of Domain Controller (DC) servers has become more difficult to detect due to a new propagation module that makes the malware run from memory, Palo Alto Networks researchers have found.

That also means that the malware infection can’t survive a shutdown or reboot of the system, but the stealth vs persistence tradeoff is likely to work in the attackers’ favor since servers are rarely shut down or rebooted.

Trickbot’s evolution

Trickbot started as a banking Trojan / information stealer. It was first detected in late 2016 and it’s believed to be the work of the same developers that created the Dyre (aka Dyreza) credential stealer malware.

As predicted at the time, the malware has become a serious threat. Thanks to its modular architecture, the malicious developers have steadily equipped it with additional capabilities, including the ability to disable Microsoft’s built-in antivirus Windows Defender, gather system and account information, send out spam, and spread to other computers on the same network by exploiting SMB vulnerabilities.

Trickbot is also often dropped by Emotet as a secondary payload or is delivered via booby-trapped email attachments, but its lateral propagation mechanism is a big reason why it’s become the bane of many a company’s existence.

A more stealthy mechanism for infecting Domain Controllers

“Trickbot uses modules to perform different functions, and one key function is propagating from an infected Windows client to a vulnerable Domain Controller (DC),” the researchers explained.

Up until April 2020, the malware used three modules for propagation: mshare, tab and mworm:

Trickbot propagation

Since then, the mworm module has been swapped with the nworm module, which:

  • Retrieves an encrypted or encoded malware binary via HTTP traffic (mworm retrieved an unencrypted/unencoded binary)
  • Decodes the binary and runs it in the victim system’s RAM, leaving no discoverable artifacts on an infected DC

Trickbot propagation

As noted before, the in-memory-malware can’t survive a system reboot or shutdown, but the creators are betting on DCs being continuously operational for a long while.

The importance of preventing Trickbot infections

We already know that Trickbot developers are constantly working on improving the malware. This is just the latest improvement and evolution step to stay one step ahead of the defenders.

The best way to keep Trickbot infections at bay is to constantly and promptly update and patch Microsoft clients and servers. Patching the SMB vulnerabilities exploited by Trickbot to propagate laterally on the network is essential to preventing constant reinfections.

The malware, on its own, is definitely bad new for enterprises, but Trickbot infections are also likely to be just one small part of a larger attack that will end with ransomware being deployed on many company systems and an even bigger headache to the victim organizations.

Don't miss