CONFERENCE Watch Now: Threat Detection & Incident Response (TDIR) Summit - Watch Event On-Demand
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

TrickBot Gets Computer Locking Capabilities

A recently observed variant of the TrickBot banking Trojan

A recently observed variant of the TrickBot banking Trojan has added a new module that can lock a victim’s computer for extortion purposes, Webroot reports.

First observed in late 2016 and said to be the work of cybercriminals behind the notorious Dyre Trojan, TrickBot has seen numerous updates that expanded not only its capabilities, but also its target list.

Last year, the malware received an update that added worm-like capabilities, allowing it to spread locally via Server Message Block (SMB).

Webroot now says that the malware attempts to leverage NSA-linked exploits released by Shadow Brokers last year in order to move laterally within compromised networks.

The new TrickBot variant installs itself into the %APPDATA%TeamViewer directory, and once up and running, creates a “Modules” folder to store encrypted plug and play modules and configuration files.

While many of the modules have been already documented, the new Trojan variant also includes a module internally called spreader_x86.dll that Webroot hasn’t seen before. Featuring a large rdata section that contains two additional files, the spreader module contains an executable called SsExecutor_x86.exe and an additional module named screenLocker_x86.dll.

Spreader_x86.dll, the security researchers have discovered, was clearly designed to allow the malware to spread laterally through an infected network by leveraging the NSA-linked exploits.

“This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module as parts of the modules reflective dll injection mechanism are stolen from GitHub,” Webroot notes.

Advertisement. Scroll to continue reading.

The SsExecutor_x86.exe part of the new module is meant to be executed after exploitation, to achieve persistence by modifying registry to add a link to the copied binary to the start-up path of each user account.

Written in Delphi, ScreenLocker_x86.dll represents TrickBot’s first ever attempt at “locking” the victim’s machine. The module exports two functions: a reflective DLL loading function and MyFunction, which appears to be the work in progress.

Should TrickBot indeed gain the locking functionality, it would mean that its developers have decided to switch to a new business model, similar to that employed by ransomware operators.

Locking the computer before stealing the victim’s banking credentials would prevent the credit card or bank theft, which suggests that the cybercriminals might be planning to extort victims to unlock their computers.

The security researchers suggest that, in corporate networks where users are unlikely to be regularly visiting targeted banking URLs, TrickBot would find it difficult to steal banking credentials. Thus, the potential of locking hundreds of machines could prove a more successful money-making model.

“It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them,” Webroot points out.

Related: TrickBot Using Legitimate Looking Sites With SSL Certificates

Related: TrickBot Trojan Gets Worm-Like Infection Powers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights