A newly observed version of the TrickBot banking Trojan includes a worm-like malware propagation module that allows it to spread locally via Server Message Block (SMB), Flashpoint security researchers warn.
Built by the Dyre gang, TrickBot emerged last summer while it was still under development, but quickly became a fully operational threat. By the end of last year, the Trojan had expanded operations to Asia, and was observed this year targeting private banking, payment processing and Customer Relationship Management (CRM) providers.
As part of a campaign discovered this week, TrickBot was spreading via spam emails impersonating invoices from a large international financial institution, but also included worm-like spreading capabilities, Flashpoint says.
The analyzed version, the security researchers discovered, could spread locally via SMB, could scan domains for lists of servers via NetServerEnum Windows API, and could also enumerate other computers via Lightweight Directory Access Protocol (LDAP).
The new features, however, aren’t fully implemented and the initial purported SMB exploit has not yet been observed, Flashpoint says.
The malware includes “MachineFinder” and “netscan” functions that leverage NetServer Enumeration and LDAP Enumeration functions. Thus, it can list all servers of the specified type that are visible in a domain, and can also “enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.”
Flashpoint also discovered that the TrickBot module includes strings suggesting it uses the Python implementation of the SMB protocol “pysmb” to attempt authentication on Windows 2007, Windows 7, Windows 2012, and Windows 8 operating systems. The threat leverages SMB to determine exploitation.
By leveraging the IPC (interprocess communication) share, the new TrickBot variant also attempts to spread and execute a PowerShell script to download another TrickBot sample onto shared drives and mask it as “setup[.]exe.”
“Notably, this malware does not appear to have logic to randomly scan external IPs for SMB connections – as was the case for the worm that spread the WannaCry ransomware in May 2017,” Flashpoint says.
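The behavior described above (LDAP enumeration of domain computers followed by SMB connections to peers on the local network, with no external scanning) can be hunted for in internal flow data. The following is an added example, not code from Flashpoint or the original article; the flow-record layout, sample addresses, time window and threshold are constructed assumptions, and ports 389 and 445 are the standard LDAP and SMB ports.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows: (epoch seconds, source IP, destination IP, destination TCP port).
FLOWS = [(1000, "10.0.5.23", "10.0.0.10", 389)]   # LDAP query to a domain controller
FLOWS += [(1010 + 10 * i, "10.0.5.23", f"10.0.5.{40 + i}", 445) for i in range(5)]  # SMB fan-out
FLOWS += [(1000, "10.0.5.77", "10.0.0.10", 389)]  # ordinary workstation
FLOWS += [(1020 + 30 * i, "10.0.5.77", "10.0.0.20", 445) for i in range(6)]  # one file server
FLOWS += [(2000, "10.0.5.88", "10.0.0.10", 389)]
FLOWS += [(2000 + 3600 * i, "10.0.5.88", f"10.0.6.{10 + i}", 445) for i in range(1, 6)]  # hours apart


def is_internal(ip):
    """True for RFC 1918 and other private addresses."""
    return ipaddress.ip_address(ip).is_private


def smb_fanout_after_ldap(flows, window=300, threshold=5):
    """Return {source: sorted peers} for internal hosts that, within `window`
    seconds of an LDAP query, opened SMB connections to at least `threshold`
    distinct internal peers."""
    ldap_times = defaultdict(list)   # source -> timestamps of LDAP connections
    smb_conns = defaultdict(list)    # source -> [(timestamp, destination)]
    for ts, src, dst, dport in sorted(flows):
        # Only internal-to-internal traffic matters: the module is reported
        # to spread locally, not to scan external IPs.
        if not (is_internal(src) and is_internal(dst)):
            continue
        if dport == 389:
            ldap_times[src].append(ts)
        elif dport == 445:
            smb_conns[src].append((ts, dst))

    alerts = {}
    for src, stamps in ldap_times.items():
        for start in stamps:
            peers = {dst for ts, dst in smb_conns[src] if start <= ts <= start + window}
            if len(peers) >= threshold:
                alerts[src] = sorted(peers)
                break
    return alerts


if __name__ == "__main__":
    for host, peers in smb_fanout_after_ldap(FLOWS).items():
        print(f"{host}: SMB to {len(peers)} internal peers after LDAP query: {peers}")
```

Thresholds need tuning per network, since file servers, backup hosts and management tools legitimately open SMB sessions to many peers and should be baselined or allow-listed.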
Based on recently observed campaigns, researchers suggest that TrickBot continues to grow as a banking Trojan with global impact, targeting financial institutions across the world. Last week, Flashpoint noticed the malware adding multiple financial institutions in the United States to its target list, while also targeting users in over a dozen more countries.
After WannaCry and NotPetya highlighted the risks SMB and publicly available exploits pose to consumers and businesses worldwide, it’s no wonder more malware authors are experimenting with worm-like capabilities for lateral movement.
Such modules allow malware to compromise other computers on the same Local Area Network, infect more victims, and enlist machines as part of the botnet. Such worm-like infections could help the TrickBot gang conduct more account takeover (ATO) fraud.
“Even though the worm module appears to be rather crude in its present state, it is evident that the TrickBot gang learned from the global ransomware worm-like outbreaks of WannaCry and “NotPetya” and is attempting to replicate their methodology. Flashpoint assesses with moderate confidence that the TrickBot gang will likely continue to be a formidable force in the near term,” Flashpoint says.