Security Experts:

Connect with us

Hi, what are you looking for?



TrickBot Trojan Gets Worm-Like Infection Powers

A newly observed version of the TrickBot banking Trojan includes a worm-like malware propagation module that allows it to spread locally via Server Message Block (SMB), Flashpoint security researchers warn.

A newly observed version of the TrickBot banking Trojan includes a worm-like malware propagation module that allows it to spread locally via Server Message Block (SMB), Flashpoint security researchers warn.

Built by the Dyre gang, TrickBot emerged last summer when it was still under development, but quickly became a fully-operational threat. By the end of last year, the Trojan had expanded operations to Asia, and was observed this year targeting private bankingpayment processing and Customer Relationship Management (CRM) providers.

As part of a campaign discovered this week, TrickBot was spreading via spam emails impersonating invoices from a large international financial institution, but also included worm-like spreading capabilities, Flashpoint says.

The analyzed version, the security researchers discovered, could spread locally via SMB, could scan domains for lists of servers via NetServerEnum Windows API, and could also enumerate other computers via Lightweight Directory Access Protocol (LDAP).

The new features, however, aren’t fully implemented and the initial purported SMB exploit has not yet been observed, Flashpoint says.

The malware includes “MachineFinder” and “netscan” functions that leverage NetServer Enumeration and LDAP Enumeration functions. Thus, it can list all servers of the specified type that are visible in a domain, and can also “enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.”

Flashpoint also discovered that the Trickbot module includes strings suggesting it uses the Python implementation of the SMB protocol “pysmb” to attempt authentication on Windows 2007, Windows 7, Windows 2012, and Windows 8 operating systems. The threat leverages SMB to determine exploitation.

By leveraging the IPC (interprocess communication) share, the new TrickBot variant also attempts to spread and execute a PowerShell script to download another TrickBot sample onto shared drives and mask it as “setup[.]exe.”

“Notably, this malware does not appear to have logic to randomly scan external IPs for SMB connections – as was the case for the worm that spread the WannaCry ransomware in May 2017,” Flashpoint says.

Based on recently observed campaigns, researchers suggest that TrickBot continues to grow as a banking Trojan with global impact, targeting financial instructions across the world. Last week, Flashpoint noticed the malware adding multiple financial institutions in the United States on its target list, while also targeting users in over a dozen more countries.

After WannaCry and NotPetya brought highlighted the risks SMB and publicly available exploits pose to consumers and businesses worldwide, it’s no wonder more malware authors are experimenting with worm-like capabilities for lateral movement.

Such modules allow malware to compromise other computers on the same Local Area Network, infect more victims, and enlist machines as part of the botnet. Such worm-like infections could help the TrickBot gang conduct more account takeover (ATO) fraud.

“Even though the worm module appears to be rather crude in its present state, it is evident that the TrickBot gang learned from the global ransomware worm-like outbreaks of WannaCry and “NotPetya” and is attempting to replicate their methodology. Flashpoint assesses with moderate confidence that the TrickBot gang will likely continue to be a formidable force in the near term,” Flashpoint says.

Related: Ursnif Banking Trojan Gets Mouse-Based Anti-Sandboxing

Related: TrickBot Targets Payment Processors, CRM Providers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.