Friday, 28 July 2017

On 06:36 by admin
Hackers responsible for one of the most common forms of banking trojans have learned lessons from the global WannaCry ransomware outbreak and the Petya cyberattack and have equipped their malware with a worm propagation module to more efficiently spread through the networks of financial targets.
The credential-stealing Trickbot has been hitting the financial sector since last year and more recently it has added a long list of UK and US banks to its targets. The attacks are few in number but highly targeted, with the malware spread via spam emails pretending to be from an international financial institution which then leads the victim to a fake login page used to steal credentials.
Now the gang behind Trickbot is testing new techniques with a new version of the malware - "1000029" - and researchers at Flashpoint who've been watching it say it can spread via Server Message Block (SMB) in a crude replication of the exploit which allowed WannaCry and Petya to quickly spread around the world.
A Windows security flaw known as EternalBlue was one of many allegedly known to US intelligence services and used to carry out surveillance before being leaked by the Shadow Brokers hacking group.
The exploit leverages a version of Windows' Server Message Block (SMB) networking protocol to spread itself across an infected network using wormlike capabilities.
Using SMB, Trickbot can now scan domains for lists of servers via NetServerEnum Windows API and establish the number of computers on the network via Lightweight Directory Access Protocol (LDAP) enumeration.
The malware can also leverage inter-process communication to propagate and execute a PowerShell script as a final payload in order to download an additional version of Trickbot - this time disguised as "setup.exe" and placed in the shared drive.
Crucially, this test version of Trickbot doesn't appear to be fully implemented by the hacking gang behind the malware, nor does it have the ability to randomly scan external IPs for SMB connections, unlike the worm behind the WannaCry ransomware.
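As an added detection-side example (not code from this article or from Flashpoint), the following Python sketch scans constructed, simplified telemetry for the chain described above: computer enumeration via NetServerEnum or LDAP from one source, followed by an executable written to an administrative share and a remote PowerShell launch from that same source. The event and field names, the sample records and the ten-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one "ts key=value ..." record per line.
SAMPLE_EVENTS = [
    "2017-07-28T06:30:01 host=WS-17 event=ldap_query src=10.0.4.17 filter=(objectClass=computer)",
    "2017-07-28T06:30:02 host=WS-17 event=net_server_enum src=10.0.4.17 domain=CORP",
    "2017-07-28T06:30:09 host=FS-01 event=file_write src=10.0.4.17 share=C$ path=C:\\Users\\Public\\setup.exe",
    "2017-07-28T06:30:11 host=FS-01 event=process_create src=10.0.4.17 image=powershell.exe parent=services.exe",
    "2017-07-28T06:31:00 host=WS-22 event=ldap_query src=10.0.4.22 filter=(objectClass=computer)",
    "2017-07-28T06:35:40 host=FS-02 event=file_write src=10.0.4.40 share=C$ path=C:\\temp\\report.xlsx",
]
# All three stages must be seen from one source before it is flagged.
REQUIRED = {"enumeration", "share_drop", "remote_powershell"}

def parse_event(line):
    """Split one record into a dict; the first token is the timestamp."""
    ts, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def stage_of(rec):
    """Map an event to a stage of the propagation chain, or None if it matches none."""
    ev = rec.get("event")
    if ev == "net_server_enum":
        return "enumeration"
    if ev == "ldap_query" and "objectClass=computer" in rec.get("filter", ""):
        return "enumeration"
    if ev == "file_write" and rec.get("share", "").endswith("$") and rec.get("path", "").lower().endswith(".exe"):
        return "share_drop"  # executable dropped onto an administrative share
    if ev == "process_create" and rec.get("image", "").lower() == "powershell.exe":
        return "remote_powershell"
    return None

def find_lateral_movement(lines, window=timedelta(minutes=10)):
    """Return {src: sorted stages} for sources that hit every stage inside `window`."""
    by_src = defaultdict(list)
    for rec in map(parse_event, lines):
        stage = stage_of(rec)
        if stage:
            by_src[rec["src"]].append((rec["ts"], stage))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over this source's events
            seen = {s for t, s in events[i:] if t - t0 <= window}
            if REQUIRED <= seen:
                hits[src] = sorted(seen)
                break
    return hits
```

A single enumeration query (as from 10.0.4.22) or an ordinary document written to a share (10.0.4.40) is not enough on its own; only the full sequence from 10.0.4.17 is reported.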
Nonetheless, researchers warn that this development once again demonstrates the evolving, professional work of the cybercrime gang behind Trickbot as they examine further ways to steal financial data from banks and private wealth management firms.
Ultimately, if successfully deployed, the worm could allow Trickbot to infect other computers on the same network as the machine initially compromised by a phishing email, either for the further stealing of credentials and further account takeover, or even to rope them into a botnet for further spread of malware.
"Even though the worm module appears to be rather crude in its present state, it is evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and 'NotPetya' and is attempting to replicate their methodology," said Vitali Kremez, Director of Research at Flashpoint.
While Trickbot isn't as prolific as the likes of Zeus, Gozi, Ramnit and Dridex, researchers warn that Trickbot will continue to be a "formidable force" in future, as its authors look to add more potent capabilities to this dangerous malware.

