Cybersecurity researchers have lifted the veil on the continuing resurgence of the TrickBot malware, making it clear that the Russia-based transnational cybercrime group behind it is working behind the scenes to revamp its attack infrastructure in response to recent law enforcement takedown efforts.
“The new capabilities discovered are being used to monitor and collect information on victims, using a customized communication protocol to mask data transmissions between [command-and-control] servers and victims, making attacks hard to spot,” Bitdefender said in a technical write-up published on Monday, pointing to an increase in the sophistication of the group’s tactics.
“TrickBot shows no signs of slowing down,” the researchers noted.
Botnets are formed when hundreds or thousands of compromised devices are enrolled in a network run by criminal operators. They are often used to launch distributed denial-of-service attacks that flood businesses and critical infrastructure with bogus traffic in order to take them offline. With control of these devices, malicious actors can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on infected computers.
TrickBot is no different. The notorious cybercrime gang behind the operation, tracked as Wizard Spider, has a habit of exploiting infected machines to steal sensitive information, move laterally across a network, and even act as a loader for other malware such as ransomware, while constantly improving its infection chains by adding modules with new features to increase their effectiveness.
“TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware,” Lumen’s Black Lotus Labs disclosed last October. “It also infects consumer devices such as DSL routers, and its criminal operators are constantly rotating their IP addresses and infected hosts to make disrupting their crime as difficult as possible.”
The botnet has since survived two takedown attempts by Microsoft and US Cyber Command, with its operators developing firmware-tampering components that could allow attackers to plant a backdoor in the Unified Extensible Firmware Interface (UEFI), letting it evade antivirus detection, software updates, and even a complete wipe and reinstallation of the computer’s operating system.
According to Bitdefender, the threat actor was found to be actively developing an updated version of a module called “vncDll,” which it uses against select high-profile targets for surveillance and intelligence gathering. The new version has been named “tvncDll.”
The new module is designed to communicate with one of the nine command-and-control (C2) servers defined in its configuration file, using it to retrieve a set of attack commands, download additional malware payloads, and exfiltrate the data collected from the machine to the server. Additionally, the researchers said they identified a “viewer tool” that the attackers use to interact with victims through the C2 servers.
While efforts to crush the gang’s operations may not have been entirely successful, Microsoft told The Daily Beast that it worked with Internet service providers (ISPs) to replace routers compromised by the TrickBot malware door-to-door in Brazil and Latin America, and that it effectively disconnected the TrickBot infrastructure in Afghanistan.