Search This Blog

Showing posts with label TrickBot trojan. Show all posts

TrickBot Added New Stealthy Backdoor for High-Value Targets



The authors behind the infamous TrickBot malware – a modular banking trojan that targets sensitive financial information and also acts as a dropper for other malware–have developed a stealthy custom backdoor, circulating by the name 'PowerTrick', to monitor high-value targets and infiltrate them accordingly.

Statistics demonstrate that TrickBot is one of the top crimeware codes and cyberattack groups in existence currently. Developers behind TrickBot have made frequent upgradations in order to evade detection even fluently, empower its stealth, make it hard to research and let it bypass security configurations on user devices.

PowerTrick has been primarily created as an attempt to keep up with the fast paced era of constantly evolving defense mechanisms by effectively bypassing some of the most sophisticated security controls and highly secured networks of high value. Referencing from the statements given by SentinelLabs security researchers, Vitali Kremez, Joshua Platt and Jason Reaves on Thursday, "The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure air-gapped high-value networks."

According to the analysis, PowerTrick is configured to carry out commands and send back the results in the Base64 format. It is injected as a follow-up module after the victim's system has been infected by the TrickBot.

How does it work?

During the examinations, researchers discovered an initial backdoor script being sent out, at times draped as a Powershell task, it goes on to establish contact with command-and-control (C2) server. Once the contact has been successfully established, the authors send their very first command which leads to the downloading of the main PowerTrick backdoor. After the installation of the same, the malware starts executing common backdoor functions, it carries out check-in and then awaits further commands to act upon. Once received, it acts upon these commands and returns the results/errors.

“Once the system and network have been profiled, the actors either stealthily clean up and move on to a different target of choice, or perform lateral movement inside the environment to high-value systems such as financial gateways,” as per the SentinelLab analysis.

"TrickBot has shifted focus to enterprise environments over the years to incorporate many techniques from network profiling, mass data collection, incorporation of lateral traversal exploits,” researchers concluded.

“This focus shift is also prevalent in their incorporation of malware and techniques in their tertiary deliveries that are targeting enterprise environments, it is similar to a company where the focus will shift depending on what generates the best revenue.”

Alert! TrickBot Trojan and Ryuk Ransomware spreads through Japan, as the holiday season approaches


The most dangerous and active banking trojan family according to IBM X-Force data, TrickBot has been modifying it's malware’s modules lately, as the threat group launches in the wild. As the infection campaign spreads around the globe - Japan has become its new growing target ahead of the holiday season. Just ahead of the holiday's TrickBot campaigns usually target European and western countries and other parts of the world but this is the first time they have focused on Japan.


And also, just in time for the holidays when they'll be shopping extensively. Thus, the Japanese consumers should be wary of these infections as they target banks, online shopping payment cards, telecommerce, a bitcoin exchange, e-wallets, and others. TrickBot has been loaded with hundreds of targeted URLs belonging to banks and other retailers. Emotet botnet is also dropping TrickBot to other devices.

The most common attack includes web injections on bank websites leading to banking frauds. On-the-fly injections, used by TrickBot lures the victim into revealing personally identifiable information (PII), payment card details and PIN codes. This is not the first time Eastern European gangs attacked the country, other trojans like URLZone and Gozi (Ursnif) have been prevalent in Japan for years now. For Japanese Businessmen - Beware! Not only TrickBot but Ryuk Ransomware is also spreading through the region TrickBot, being already a worrisome banking plague is not only limited to that.

The Japanese companies should also be wary of the growing ransomware attacks because the TrickBot can usher in Ryuk Ransomware Attacks along with it. It's a kill chain that starts with Emotet and TrickBot and leads to Ryuk attack, ransomware that locks the system demanding millions of dollars. If such Ryuk or TrickBot attack is suspected, then you should immediately launch response plans and contain the infection or contact security companies without wasting precious time as these infections spread fast and wide.