TrickBot Gets Computer Locking Capabilities

A recently observed variant of the TrickBot banking Trojan has added a new module that can lock a victim’s computer for extortion purposes, Webroot reports.

First observed in late 2016 and said to be the work of cybercriminals behind the notorious Dyre Trojan, TrickBot has seen numerous updates that expanded not only its capabilities, but also its target list.

Last year, the malware received an update that added worm-like capabilities, allowing it to spread locally via Server Message Block (SMB).

Webroot now says that the malware attempts to leverage NSA-linked exploits released by Shadow Brokers last year in order to move laterally within compromised networks.

The new TrickBot variant installs itself into the %APPDATA%\TeamViewer directory and, once up and running, creates a “Modules” folder to store encrypted plug-and-play modules and configuration files.

While many of the modules have already been documented, the new Trojan variant also includes a module internally called spreader_x86.dll that Webroot hasn’t seen before. Featuring a large rdata section that contains two additional files, the spreader module contains an executable called SsExecutor_x86.exe and an additional module named screenLocker_x86.dll.
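A triage sketch for the file-system traces described above, added here as an illustration and not taken from Webroot or SecurityWeek: it flags file-creation events that land in a Modules folder under %APPDATA%\TeamViewer, binaries written to that directory, and the three module names reported for this variant. The event records, host names and the Roaming-profile path layout are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Module names as reported in the article; compared case-insensitively.
# These are internal names, so on-disk names may differ: treat a name hit
# as a weaker signal than the directory hits below.
MODULE_NAMES = {"spreader_x86.dll", "ssexecutor_x86.exe", "screenlocker_x86.dll"}

# Assumption: %APPDATA% resolves to <profile>\AppData\Roaming.
INSTALL_DIR = re.compile(r"\\appdata\\roaming\\teamviewer\\", re.I)
MODULES_DIR = re.compile(r"\\appdata\\roaming\\teamviewer\\modules\\", re.I)

def classify(path):
    """Return the reasons (possibly none) a created file matches the report."""
    p = PureWindowsPath(path)
    reasons = []
    if MODULES_DIR.search(path):
        reasons.append("modules-folder")
    # A regular TeamViewer install keeps its binaries under Program Files,
    # so executables in the per-user roaming directory are unusual.
    if INSTALL_DIR.search(path) and p.suffix.lower() in {".exe", ".dll"}:
        reasons.append("binary-in-appdata-teamviewer")
    if p.name.lower() in MODULE_NAMES:
        reasons.append("reported-module-name")
    return reasons

def triage(events):
    """Group matches by host: {host: sorted list of distinct reasons}."""
    hits = {}
    for event in events:
        for reason in classify(event["path"]):
            hits.setdefault(event["host"], set()).add(reason)
    return {host: sorted(reasons) for host, reasons in hits.items()}

# Constructed file-creation events (hosts, users and file names are made up).
SAMPLE_EVENTS = [
    {"host": "WS-014", "path": r"C:\Users\alice\AppData\Roaming\TeamViewer\Modules\spreader_x86.dll"},
    {"host": "WS-014", "path": r"C:\Users\alice\AppData\Roaming\TeamViewer\Modules\settings.bin"},
    {"host": "WS-022", "path": r"C:\Program Files (x86)\TeamViewer\TeamViewer.exe"},
    {"host": "WS-022", "path": r"C:\Users\bob\AppData\Roaming\TeamViewer\session.log"},
    {"host": "SRV-03", "path": r"C:\Windows\Temp\SsExecutor_x86.exe"},
]

if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, ", ".join(reasons))
```
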

Spreader_x86.dll, the security researchers have discovered, was clearly designed to allow the malware to spread laterally through an infected network by leveraging the NSA-linked exploits.

“This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module as parts of the modules reflective dll injection mechanism are stolen from GitHub,” Webroot notes.

The SsExecutor_x86.exe part of the new module is meant to be executed after exploitation and achieves persistence by modifying the registry so that a link to the copied binary is added to the start-up path of each user account.

Written in Delphi, ScreenLocker_x86.dll represents TrickBot’s first ever attempt at “locking” the victim’s machine. The module exports two functions: a reflective DLL loading function and MyFunction, which appears to be a work in progress.

Should TrickBot indeed gain the locking functionality, it would mean that its developers have decided to switch to a new business model, similar to that employed by ransomware operators.

Locking the computer before stealing the victim’s banking credentials would prevent credit card or bank theft, which suggests that the cybercriminals might be planning to extort victims to unlock their computers.

The security researchers suggest that, in corporate networks where users are unlikely to be regularly visiting targeted banking URLs, TrickBot would find it difficult to steal banking credentials. Thus, the potential of locking hundreds of machines could prove a more successful money-making model.

“It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them,” Webroot points out.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
