TrickBot information-stealing malware updated with new ‘nworm’ module that uses encryption and in-memory execution to hinder detection efforts
The infamous TrickBot malware has been updated to make it more difficult to detect and block, security researchers say.
TrickBot first emerged in 2016 as a banking trojan, but has since received a variety of new modules allowing it to carry out other types of attacks.
Its current capabilities include stealing information, keys and credentials and providing backdoor access for delivering other malware, including ransomware.
Now the malware has received an update designed to help it evade detection, said researchers at Palo Alto Unit 42.
One of TrickBot’s key features is spreading from an infected Windows client to a vulnerable Domain Controller (DC), carried out using several propagation modules.
One of these, mworm, was updated in April 2020 to a new module called nworm, which adds new stealth features.
A key shift is that nworm now retrieves the TrickBot executable binary in an encrypted form, meaning scanners can’t recognise the executable and remove it.
Mworm previously retrieved the binary in an unencrypted form.
Domain Controller infections caused by the new nworm module are carried out in system RAM memory, meaning it leaves no artifacts on the system, making it still more difficult to detect.
This feature also means that TrickBot doesn’t remain persistent after a reboot, but this doesn’t affect TrickBot’s ability to cause problems, Palo Alto said.
“This shouldn’t be an issue for the malware, because the DC is a server and servers rarely shut down or rebooted like a Windows client,” the company said in an advisory.
“This is a much better method of evading detection on an infected DC,” the company added.
Like mworm, the nworm module is only loaded if the TrickBot infection occurs in an Active Directory environment with a Domain Controller.
Palo Alto said the developments were a “notable evolution” for the “high-profile” malware.
The company said organisations can protect themselves against TrickBot and other malware through security best practices such as running up-to-date versions of Windows.
Like other malware, TrickBot typically spreads through malicious attachments attached to phishing emails, and relies on unpatched security vulnerabilities to spread within networks.
Microsoft said last month it had detected TrickBot being spread via a phishing campaign using the coronavirus pandemic as its lure.