TrickBot banking trojan is now using a botnet to do maximum damage.
The TrickBot Trojan now has a new and upgraded module. This module makes it nearly invisible to almost any cybersecurity solution available on the market.
TrickBot is a banking Trojan that is used against the customers of major banks.
It is distributed through phishing campaigns, and its main purpose is to steal users' credentials by using phishing and fraudulent banking websites designed to appear as legitimate services.
This cybersecurity problem affects online banking customers from the US, UK, and Australia, but it can be used to target other countries too.
This malware is developed like any other software: the cybercriminals behind it maintain and update it continuously to stay one step ahead of any cybersecurity solution.
A couple of days ago, a new module was implemented through an update. It not only makes detection more difficult but also uses ransomware that locks the targeted system. This new module makes the trojan even more dangerous because it now uses EternalBlue, the Microsoft Windows vulnerability used by WannaCry.
To be safe and secure, you must implement a viable and robust cybersecurity solution. For an individual, the best cybersecurity solution comes in the form of antivirus for Windows or antivirus for Mac, depending on which OS their device is running. For companies, that step represents only the first layer of cybersecurity. To obtain the best cybersecurity measure, every company must hire a cybersecurity firm that will attack the company's network on purpose to reveal the most destructive and dangerous flaws.
These deliberate attacks are carried out through specialized cybersecurity tests such as penetration tests and ethical hacking tests.
The new module was detected on 15 March by malware researchers during a malware analysis. The name of the new module is tabDll32 / tabDll64, and it is not the only module that has been updated. The module known as spreader_x86.dll now contains two new executables that enhance the malware's capabilities.
After TrickBot infects a system, it installs itself into a TeamViewer directory and creates a “Modules” folder which is used to store encrypted plug-and-play modules the malware will use when they are needed.
This folder contains injector, DLL tampering, and worm modules, and the new tabDll32 now adds two files to Spreader_x86.dll: SsExecutor_x86.exe and screenLocker_x86.dll.
Spreader_x86.dll is the one that uses EternalBlue to spread.
SsExecutor_x86.exe attempts to take over registry use profiles to add a link to the Trojan’s startup path to maintain persistence.
ScreenLocker_x86.dll is used to lock the victim's device in a similar way to ransomware.
This locking module is only deployed after infection vectors are completed.
This module is used against corporate users because they are less likely to be accessing their online bank accounts on the company's network, and locking their systems can become a money-making backup scheme for the TrickBot Trojan.
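The folder layout and file names described above can be turned into a quick triage check. The following Python sketch is an added example, not code from the original article or from any security product; it assumes the modules keep the names given in the article (on-disk names may differ) and runs against a constructed sample directory tree.

```python
import os
import tempfile

# File names as given in the article (assumption: on-disk names match them).
MODULE_NAMES = {"spreader_x86.dll", "ssexecutor_x86.exe",
                "screenlocker_x86.dll", "tabdll32", "tabdll64"}


def scan(root):
    """Return sorted (severity, path) findings for article-named files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = [p.lower() for p in os.path.normpath(dirpath).split(os.sep)]
        in_modules = parts[-1] == "modules"  # the "Modules" folder
        under_tv = any("teamviewer" in p for p in parts[:-1])  # TeamViewer directory
        for name in files:
            lowered = name.lower()
            stem = os.path.splitext(lowered)[0]  # catches e.g. tabDll32.dll
            if lowered not in MODULE_NAMES and stem not in MODULE_NAMES:
                continue
            # Name plus location is a stronger signal than the name alone.
            if in_modules and under_tv:
                severity = "high"
            elif in_modules:
                severity = "medium"
            else:
                severity = "low"
            findings.append((severity, os.path.join(dirpath, name)))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (empty files, not malware) and return findings."""
    layout = [
        ("AppData/TeamViewer/Modules", "Spreader_x86.dll"),
        ("AppData/TeamViewer/Modules", "tabDll32"),
        ("AppData/Other/Modules", "screenLocker_x86.dll"),
        ("Downloads", "SsExecutor_x86.exe"),
        ("AppData/TeamViewer", "TeamViewer.exe"),  # benign, must not match
    ]
    with tempfile.TemporaryDirectory() as root:
        for folder, name in layout:
            path = os.path.join(root, *folder.split("/"))
            os.makedirs(path, exist_ok=True)
            open(os.path.join(path, name), "wb").close()
        return [(sev, os.path.relpath(p, root).replace(os.sep, "/"))
                for sev, p in scan(root)]
```

Call `scan()` on a user profile or a mounted disk image; a "high" finding means an article-named file sits in a "Modules" folder under a TeamViewer directory, which is the layout the article describes.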
TrickBot remains in constant development, and so we are likely to see more modules and capabilities bolted on to the malware in the future.
Cybercriminals behind the TrickBot Trojan will continue to target various financial institutions across the world by using new and improved modules.
We recommend implementing a robust cybersecurity solution on your devices, such as an antivirus for Windows or antivirus for Mac, depending on which OS your machines are running.
It is also recommended that every company hire specialized cybersecurity firms that will perform various tests, such as penetration tests and ethical hacking tests, to reveal flaws in the audited company's network.
For companies that operate 100% online, we recommend using cyber-secured web hosting services.