August 3, 2017

TrickBot influenced by WannaCry and Petya, adds a self-spreading Worm Module

Security researchers have discovered that the latest version of TrickBot carries a worm module that spreads over Windows Server Message Block (SMB), the same file-sharing protocol WannaCry and Petya/NotPetya abused to spread around the globe within hours. The module is TrickBot's own rather than a copy of theirs, and it is far less polished.

“Even though the worm module appears to be rather crude in its present state, it’s evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and ‘NotPetya’ and is attempting to replicate their methodology.”

TrickBot is a banking Trojan, tracked in the latest sample as "1000029" (v24), that has targeted financial institutions since 2016. It is delivered by phishing: emails purporting to come from a large international financial institution lure users into opening an attachment or following a link. The link leads to a fake login page, and the credentials the user types there go straight to the attacker.

Researchers at the security firm Flashpoint first identified the newly added worm module. It lets the malware spread more easily to its intended targets in the financial sector. SMB, the Windows file- and printer-sharing protocol, is the protocol over which WannaCry's worm spread by exploiting a flaw in Windows' SMB implementation (MS17-010, the "EternalBlue" exploit). TrickBot's module uses the same protocol as its transport: it queries the Lightweight Directory Access Protocol (LDAP) to identify the computers in the domain, then uses SMB to spread through interprocess communication and to copy additional TrickBot binaries onto shared drives. The dropped copy can be disguised as setup.exe and launched through a PowerShell script.
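The behaviour described above leaves a recognisable trail in Windows Security logs: an executable written into an administrative share (Event ID 5145, which requires the "Audit Detailed File Share" policy), PowerShell launching an executable straight off a network share (Event ID 4688 with command-line auditing), and, most telling for a worm, one client pushing the same payload into the shares of many hosts. The hunting script below is an added example written for this page; it is not Flashpoint's analysis and not TrickBot's code. It assumes events have already been parsed into dicts carrying the standard 5145/4688 field names, and the sample events are constructed, not real telemetry.

```python
"""Hunt Windows Security events for SMB-share worm behaviour (added example)."""
from collections import defaultdict
import re

# FILE_WRITE_DATA (0x2) | FILE_APPEND_DATA (0x4) bits of a 5145 AccessMask
WRITE_BITS = 0x2 | 0x4
# Administrative shares that lateral-movement tooling typically writes into
ADMIN_SHARES = {"\\\\*\\c$", "\\\\*\\admin$"}
# An executable referenced by UNC path: \\host\share\...\name.exe
UNC_EXE = re.compile(r"^\\\\[^\\]+\\[^\\]+\\.*\.exe$", re.IGNORECASE)


def is_exe_write_to_admin_share(event):
    """5145: a remote client wrote an .exe into C$ or ADMIN$ of this host."""
    if event.get("EventID") != 5145:
        return False
    share = event.get("ShareName", "").lower()
    target = event.get("RelativeTargetName", "").lower()
    mask = int(event.get("AccessMask", "0x0"), 16)
    return share in ADMIN_SHARES and target.endswith(".exe") and bool(mask & WRITE_BITS)


def is_exe_from_share_via_powershell(event):
    """4688: PowerShell spawned an executable directly from a UNC path."""
    if event.get("EventID") != 4688:
        return False
    parent = event.get("ParentProcessName", "").lower()
    child = event.get("NewProcessName", "")
    return parent.endswith(("\\powershell.exe", "\\pwsh.exe")) and bool(UNC_EXE.match(child))


def fanout_sources(events, min_targets=3):
    """Clients that wrote an .exe into admin shares of >= min_targets distinct hosts.

    5145 is logged on the *target* host (Computer), so grouping by the client
    IpAddress across many hosts' logs exposes the one-to-many worm pattern.
    """
    targets = defaultdict(set)
    for ev in events:
        if is_exe_write_to_admin_share(ev):
            targets[ev["IpAddress"]].add(ev["Computer"])
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def hunt(events, min_targets=3):
    """Return (rule, subject, detail) findings for the event set."""
    findings = []
    for ev in events:
        if is_exe_write_to_admin_share(ev):
            detail = f'{ev["IpAddress"]} -> {ev["ShareName"]}\\{ev["RelativeTargetName"]}'
            findings.append(("exe_write_to_admin_share", ev["Computer"], detail))
        elif is_exe_from_share_via_powershell(ev):
            findings.append(("powershell_exec_from_share", ev["Computer"], ev["NewProcessName"]))
    for src, hosts in fanout_sources(events, min_targets).items():
        findings.append(("worm_like_fanout", src, ",".join(hosts)))
    return findings


# Constructed sample events (hostnames and addresses are made up for this example).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # one workstation (10.0.0.21) drops setup.exe into C$ of three servers
    {"EventID": 5145, "Computer": "FS01.corp.example", "IpAddress": "10.0.0.21",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\setup.exe", "AccessMask": "0x2"},
    {"EventID": 5145, "Computer": "FS02.corp.example", "IpAddress": "10.0.0.21",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\setup.exe", "AccessMask": "0x2"},
    {"EventID": 5145, "Computer": "FS03.corp.example", "IpAddress": "10.0.0.21",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\setup.exe", "AccessMask": "0x2"},
    # benign: an admin reads a log file over C$ (ReadData only)
    {"EventID": 5145, "Computer": "FS01.corp.example", "IpAddress": "10.0.0.5",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\log.txt", "AccessMask": "0x1"},
    # benign: a user saves a spreadsheet to an ordinary file share
    {"EventID": 5145, "Computer": "FS02.corp.example", "IpAddress": "10.0.0.33",
     "ShareName": "\\\\*\\Finance", "RelativeTargetName": "Q3\\budget.xlsx", "AccessMask": "0x2"},
    # PowerShell on FS01 runs the dropped binary straight from the worm host's share
    {"EventID": 4688, "Computer": "FS01.corp.example", "ParentProcessName": PS,
     "NewProcessName": "\\\\WS-07\\C$\\Windows\\Temp\\setup.exe"},
    # benign: Explorer launches Notepad locally
    {"EventID": 4688, "Computer": "WS-07.corp.example", "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The fan-out rule is the one worth tuning: a single write of an .exe into C$ is routine for software deployment tools, but one client touching the administrative shares of several hosts in a short window is the pattern the article describes. In production, group by a time window as well as by source address, and allow-list the deployment servers that legitimately behave this way.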

Security researchers expect the criminals behind the new variant to have more tricks up their sleeves. As Flashpoint puts it, "Flashpoint assesses with moderate confidence that the Trickbot gang will likely continue to be a formidable force in the near term."

About the author


LIFARS is a global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with law enforcement agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. intelligence agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience, providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
