PINDROP BLOG

Trickbot Adds New Worm Capability

Malware authors and cybercrime gangs, like professionals in legitimate fields, watch their competition closely and take what works and add it to their own arsenals. The latest evidence of this comes in the form of a new function added to the Trickbot banking trojan that allows it to spread in worm-like fashion using SMB.

That technique was used quite successfully by both the WannaCry and NotPetya ransomware variants, and a new version of Trickbot is employing it as well. Both of those pieces of malware used an exploit for a vulnerability in the Windows implementation of SMB in order to spread once they were on a network. The Trickbot variant recently discovered by researchers at Flashpoint doesn’t seem to carry an exploit for that flaw yet, but one may be on the way.

“The Trickbot gang appears to be testing a worm-like malware propagation module, which appears to spread locally via Server Message Block (SMB), scan domains for lists of servers via NetServerEnum Windows API, and enumerate other computers via Lightweight Directory Access Protocol (LDAP) enumeration. As of this writing, this malware feature does not appear to be fully implemented by the criminal gang as the initial purported SMB exploit has not yet been observed,” Vitali Kremez of Flashpoint said in his analysis of the malware.

Trickbot is a banking trojan that’s known to target a number of financial institutions, and the emergence of a variant with worm-like spreading capabilities is an interesting development. Most banking malware is designed to stay as quiet as possible and go about the business of grabbing users’ sensitive information and then draining their bank accounts. Spreading over a network is noisy: a single host suddenly enumerating the directory and connecting to many peers over SMB is exactly the pattern network monitoring looks for, which is sub-optimal for banking malware.
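To make the “noisy” point concrete, here is an added example that is not code from the Pindrop article or from Flashpoint’s analysis: a small Python detector that flags a host connecting to many distinct peers on TCP 445 within a short window, and records whether LDAP queries from the same host preceded the fan-out. The flow records, field layout, thresholds, and function names are all constructed for illustration. NetServerEnum itself is carried over SMB named pipes to the Browser service and does not show up as a separate port in flow data, so only LDAP is used as the enumeration signal here.

```python
"""Flag worm-style SMB fan-out preceded by directory enumeration.

Added example for illustration; not from the Pindrop article or Flashpoint.
Input format (constructed, one flow per line): "<ISO timestamp> <src> <dst> <dst_port>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
ENUM_PORTS = {389, 3268}  # LDAP and Global Catalog; used as the enumeration signal

# Constructed sample flow records, not captured traffic.
# 10.0.0.5 queries LDAP, then hits six different hosts on 445 within seconds.
# 10.0.0.7 repeatedly reaches one file server (normal); 10.0.0.8 is quiet.
SAMPLE_FLOWS = """
2017-07-28T10:00:01 10.0.0.5 10.0.0.1 389
2017-07-28T10:00:03 10.0.0.5 10.0.0.11 445
2017-07-28T10:00:04 10.0.0.5 10.0.0.12 445
2017-07-28T10:00:04 10.0.0.5 10.0.0.13 445
2017-07-28T10:00:05 10.0.0.5 10.0.0.14 445
2017-07-28T10:00:06 10.0.0.5 10.0.0.15 445
2017-07-28T10:00:07 10.0.0.5 10.0.0.16 445
2017-07-28T10:05:00 10.0.0.7 10.0.0.20 445
2017-07-28T10:06:00 10.0.0.7 10.0.0.20 445
2017-07-28T10:07:00 10.0.0.8 10.0.0.1 389
2017-07-28T10:20:00 10.0.0.8 10.0.0.21 445
""".strip().splitlines()


def parse_flow(line):
    """Parse one constructed flow line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_smb_fanout(lines, window_seconds=60, min_targets=5, enum_lookback_seconds=300):
    """Return {src: finding} for hosts that contact >= min_targets distinct peers
    on TCP 445 within window_seconds. Each finding notes whether an LDAP query
    from the same source occurred in the enum_lookback_seconds before the burst.
    Thresholds are illustrative assumptions, not tuned values."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f[0])
    window = timedelta(seconds=window_seconds)
    lookback = timedelta(seconds=enum_lookback_seconds)

    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)

    findings = {}
    for src, events in by_src.items():
        smb = [f for f in events if f[3] == SMB_PORT]
        enum_times = [f[0] for f in events if f[3] in ENUM_PORTS]
        # Slide a window over this host's SMB connections, counting distinct
        # destinations so repeated hits on one file server don't inflate the count.
        for i, start in enumerate(smb):
            targets = {f[2] for f in smb[i:] if f[0] - start[0] <= window}
            if len(targets) >= min_targets:
                preceded = any(start[0] - lookback <= t <= start[0] for t in enum_times)
                findings[src] = {
                    "targets": len(targets),
                    "first_smb": start[0].isoformat(),
                    "enum_before": preceded,
                }
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, finding in detect_smb_fanout(SAMPLE_FLOWS).items():
        print(src, finding)
```

On real flow or firewall logs the thresholds need tuning per environment (backup servers and vulnerability scanners legitimately fan out on 445), which is why the detector reports the LDAP-before-burst signal separately instead of folding it into a single score.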

The new variant looks like a test version to check out the new capability, Kremez said. But it’s likely that a fully operational version won’t be far behind.

“Such worm-like infections might add the Trickbot gang to expand a number of customers of financial institutions in an effort to conduct more account takeover (ATO) fraud,” Kremez said.

“Even though the worm module appears to be rather crude in its present state, it is evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and “NotPetya” and is attempting to replicate their methodology.”
