August 3, 2017 by

TrickBot influenced by WannaCry and Petya, adds a self-spreading Worm Module

Security researchers have discovered that the latest version of Trickbot has been using the Windows Server Message Block (SMB). This is the same worm module used by WannaCry and Petya that allowed them to spread around the globe quickly.

“Even though the worm module appears to be rather crude in its present state, it’s evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and ‘NotPetya’ and is attempting to replicate their methodology.”

TrickBot is a banking Trojan malware, known as “1000029” (v24), that has been targeting financial institutions since 2016. TrickBot acquires the use of phishing techniques to lure users to open email attachments claiming to be a large international financial institution. However, when the user clicks on the link it leads them to a fake login page, the user then proceeds to input their login information, however instead the attacker steals the user’s credentials.

Researchers at the security firm, Flashpoint, first discovered the newly added worm module in TrickBot. This new added protocol makes it possible for the malware to spread more easily to intended targets in the financial sector. The Server Message Block (SMB), a Windows networking protocol was first exploited by a vulnerability through the WannaCry malware. TrickBot leverages this vulnerability to their own advantage, using SMB to identify all computers in a network which connect through the lightweight directory access protocol (LDAP). To get the ability to spread through interprocesses communication and to download added versions of TrickBoT onto shared drives, the trojan can be disguised as a setup.exe and distributed via a PowerShell script.

Security researchers are perceiving that the criminals behind the new variant of TrickBot have more tricks up their sleeves. Saying, “Flashpoint assesses with moderate confidence that the Trickbot gang will likely continue to be a formidable force in the near term,”

About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

Researcher who found the Wannacry ‘Kill-Switch’ was arrested by FBI

Researcher who found the ‘Kill-Switch’ for Wannacry Ransomware was arrested by FBI. Marcus...

Read more arrow_forward

Ukraine’s Security Service Blames Russia for Petya Cyberattack

Ukraine’s security service has claimed it has obtained proof that its Russian counterpart was...

Read more arrow_forward

Ransomware Woes Sees India Force Microsoft for Cut-Price Upgrade Deal

Following last month’s unprecedented cyberattack led by the WannaCry ransomware, India has...

Read more arrow_forward