Even as its owners upgrade the botnet with new anti-analysis features, the renowned TrickBot malware targets customers of 60 financial and technological organizations, including cryptocurrency enterprises, mainly in the United States.
“TrickBot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand,” said Check Point researchers Aliaksandr Trafimchuk and Raman Ladutska in a recently published report.
TrickBot has constantly changed its tactics to get past security controls and detection, in addition to being both ubiquitous and persistent. To that end, the malware’s “injectDll” web-injects module, which is in charge of harvesting banking and credential data, uses anti-deobfuscation methods that crash the web page and so frustrate attempts to inspect the injected source code.
Anti-analysis guardrails have also been put in place to stop security researchers from sending automated queries to the command-and-control (C2) servers in order to retrieve new web injects. Another of TrickBot’s primary features is its capacity to spread itself, which it accomplishes by stealing users’ passwords and propagating the malware over SMBv1 network shares, exploiting the EternalRomance vulnerability via the “tabDLL” module.
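Because the tabDLL module relies on SMBv1 for lateral movement, the first defensive check on a Windows host is whether the SMBv1 server is still enabled and whether anyone is actually using it. The PowerShell audit below is an added example written for this page (not code from Check Point or from the TrickBot analysis); it assumes a Windows 10 / Server 2016 or later host where `Get-SmbServerConfiguration` and the `Microsoft-Windows-SMBServer/Audit` log are available, and must run in an elevated session.

```powershell
# Audit (and optionally remediate) SMBv1 exposure on the local host.
# Assumptions: Windows 10 / Server 2016+, elevated session. The function name
# and output shape are this example's own, not part of any vendor tooling.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # Disable SMBv1 on the server side instead of only reporting on it.
        [switch]$Remediate
    )

    $cfg = Get-SmbServerConfiguration

    # Turn on SMB1 access auditing so legacy clients show up before SMB1 is cut off.
    if (-not $cfg.AuditSmb1Access) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    }

    # Event ID 3000 in the SMBServer/Audit log records each SMB1 client access.
    $smb1Clients = @()
    try {
        $smb1Clients = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
        } -MaxEvents 200 -ErrorAction Stop |
            ForEach-Object { $_.Message } | Sort-Object -Unique
    } catch {
        # No matching events yet is the normal case on a host with no SMB1 clients.
    }

    if ($Remediate -and $cfg.EnableSMB1Protocol) {
        # Disabling the protocol removes the transport EternalRomance needs;
        # the MS17-010 patch must still be applied for hosts that keep SMB1.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $cfg = Get-SmbServerConfiguration
    }

    # The optional-feature state is reported separately: the binary can remain
    # installed even when the server configuration has the protocol disabled.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        Smb1ServerEnabled   = [bool]$cfg.EnableSMB1Protocol
        Smb1FeatureState    = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
        Smb1AuditEnabled    = [bool]$cfg.AuditSmb1Access
        RecentSmb1Accesses  = $smb1Clients.Count
    }
}

Test-Smb1Exposure | Format-List
```

Run it first without `-Remediate` and let the audit log fill for a few days; a non-zero `RecentSmb1Accesses` means a legacy system still depends on SMBv1 and needs to be fixed before the protocol is disabled fleet-wide.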
A third critical module delivered as part of TrickBot infections is “pwgrabc.” It is a credential stealer designed to siphon credentials from web browsers and from various other applications such as Outlook, FileZilla, PuTTY, WinSCP, OpenSSH, RDP, OpenVPN, and TeamViewer.
“TrickBot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage,” stated the researchers. They further said, “the operators behind the infrastructure are very experienced with malware development on a high level as well.”
The findings coincide with the disclosure that the TrickBot gang uses metaprogramming techniques in its Bazar malware family to obscure its code and hinder reverse engineering. The ultimate objective is to evade signature-based detection.