
TrickBot Malware Update Makes It Harder To Detect

The infamous TrickBot malware has been updated to make it more difficult to detect and block, security researchers say.

TrickBot first emerged in 2016 as a banking trojan, but has since received a variety of new modules allowing it to carry out other types of attacks.

Its current capabilities include stealing information, keys and credentials and providing backdoor access for delivering other malware, including ransomware.

Now the malware has received an update designed to help it evade detection, said researchers at Palo Alto Unit 42.


One of TrickBot’s key features is spreading from an infected Windows client to a vulnerable Domain Controller (DC), carried out using several propagation modules.

One of these, mworm, was updated in April 2020 to a new module called nworm, which adds new stealth features.

A key shift is that nworm now retrieves the TrickBot executable binary in encrypted form, so signature-based scanners inspecting the download can’t recognise the executable and remove it.

Mworm previously retrieved the binary in an unencrypted form.

Domain Controller infections caused by the new nworm module are carried out entirely in memory, so nothing is written to disk on the DC, which makes the infection still more difficult to detect.

This feature also means that TrickBot doesn’t remain persistent after a reboot, but this doesn’t affect TrickBot’s ability to cause problems, Palo Alto said.


“This shouldn’t be an issue for the malware, because the DC is a server and servers are rarely shut down or rebooted like a Windows client,” the company said in an advisory.

“This is a much better method of evading detection on an infected DC,” the company added.

Like mworm, the nworm module is only loaded if the TrickBot infection occurs in an Active Directory environment with a Domain Controller.

Palo Alto said the developments were a “notable evolution” for the “high-profile” malware.

The company said organisations can protect themselves against TrickBot and other malware through security best practices such as running up-to-date versions of Windows.

Like other malware, TrickBot typically spreads through malicious attachments to phishing emails, and relies on unpatched security vulnerabilities to spread within networks.

Microsoft said last month it had detected TrickBot being spread via a phishing campaign using the coronavirus pandemic as its lure.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
