Categories: SecurityWorkspace

TrickBot Malware Update Makes It Harder To Detect

The infamous TrickBot malware has been updated to make it more difficult to detect and block, security researchers say.

TrickBot first emerged in 2016 as a banking trojan, but has since received a variety of new modules allowing it to carry out other types of attacks.

Its current capabilities include stealing information, keys and credentials and providing backdoor access for delivering other malware, including ransomware.

Now the malware has received an update designed to help it evade detection, said researchers at Palo Alto Unit 42.


One of TrickBot’s key features is spreading from an infected Windows client to a vulnerable Domain Controller (DC), carried out using several propagation modules.

One of these, mworm, was updated in April 2020 to a new module called nworm, which adds new stealth features.

A key shift is that nworm now retrieves the TrickBot executable binary in an encrypted form, meaning scanners can’t recognise the executable and remove it.

Mworm previously retrieved the binary in an unencrypted form.

Domain Controller infections caused by the new nworm module are carried out in system RAM memory, meaning it leaves no artifacts on the system, making it still more difficult to detect.

This feature also means that TrickBot doesn’t remain persistent after a reboot, but this doesn’t affect TrickBot’s ability to cause problems, Palo Alto said.


“This shouldn’t be an issue for the malware, because the DC is a server and servers rarely shut down or rebooted like a Windows client,” the company said in an advisory.

“This is a much better method of evading detection on an infected DC,” the company added.

Like mworm, the nworm module is only loaded if the TrickBot infection occurs in an Active Directory environment with a Domain Controller.

Palo Alto said the developments were a “notable evolution” for the “high-profile” malware.

The company said organisations can protect themselves against TrickBot and other malware through security best practices such as running up-to-date versions of Windows.

Like other malware, TrickBot typically spreads through malicious attachments attached to phishing  emails, and relies on unpatched security vulnerabilities to spread within networks.

Microsoft said last month it had detected TrickBot being spread via a phishing campaign using the coronavirus pandemic as its lure.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Microsoft Executive Indicates Departmental Hiring Slowdown

Amid concern at the state of the global economy, a senior Microsoft executive tells staff…

1 day ago

Shareholders Sue Twitter, Elon Musk For Stock ‘Manipulation’

Disgruntled shareholders are now suing both Twitter and Elon Musk, over volatile share price swings…

1 day ago

Google Faces Second UK Probe Over Ad Practices

UK's competition watchdog launches second investigation of Google's ad tech practices, and whether it may…

1 day ago

Elon Musk Raises His Contribution To Twitter Acquisition

But one of Elon Musk's biggest backers on the Twitter board has tendered his resignation…

2 days ago

Broadcom Confirms VMware Acquisition For $61 Billion

Entry into cloud infrastructure software for US chip firm Broadcom after it confirms reports it…

2 days ago