TrickBot has evolved again with a new module, called rdpscanDll, which allows computers infected with TrickBot to scan other systems on the network for Remote Desktop Protocol (RDP) access. As several critical RDP vulnerabilities have been disclosed recently, this is yet another example of TrickBot evolving its techniques in order to infect the highest number of victims. Binary Defense’s analysts are currently reverse-engineering the module to identify behavioral signatures that can help better protect people and data from this threat.
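A network-wide sweep for RDP like the one described above leaves a recognisable trace: one internal host touching TCP/3389 on many different machines in a short window. The following PowerShell is an added example for defenders and is not Binary Defense's code or part of the rdpscanDll analysis; it groups Windows Firewall log records by source address and reports any source that reached a configurable number of distinct destinations on the RDP port. The log lines, host addresses and the threshold of five targets are constructed for the demo; the field order follows the "#Fields:" header that Windows Firewall writes to pfirewall.log.

```powershell
# Added example (not from the original post): flag hosts that probe many
# machines on TCP/3389, the pattern an RDP scanner leaves in Windows Firewall
# logs. The sample lines below are constructed; the column order follows the
# pfirewall.log "#Fields:" header.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-02-03 09:14:01 DROP TCP 10.0.5.23 10.0.5.10 49211 3389 52 S 123456 0 8192 - - - RECEIVE
2020-02-03 09:14:01 DROP TCP 10.0.5.23 10.0.5.11 49212 3389 52 S 123457 0 8192 - - - RECEIVE
2020-02-03 09:14:02 DROP TCP 10.0.5.23 10.0.5.12 49213 3389 52 S 123458 0 8192 - - - RECEIVE
2020-02-03 09:14:02 ALLOW TCP 10.0.5.23 10.0.5.13 49214 3389 52 S 123459 0 8192 - - - RECEIVE
2020-02-03 09:14:02 DROP TCP 10.0.5.23 10.0.5.14 49215 3389 52 S 123460 0 8192 - - - RECEIVE
2020-02-03 09:14:03 DROP TCP 10.0.5.23 10.0.5.15 49216 3389 52 S 123461 0 8192 - - - RECEIVE
2020-02-03 09:15:10 ALLOW TCP 10.0.9.15 10.0.5.10 50001 3389 52 S 223456 0 8192 - - - RECEIVE
2020-02-03 09:15:12 ALLOW TCP 10.0.5.40 10.0.5.41 50100 445 52 S 323456 0 8192 - - - RECEIVE
'@

function Find-RdpScanners {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$MinTargets = 5,   # distinct destinations before a source is reported
        [int]$Port = 3389
    )
    # source IP -> set of distinct destination IPs it tried on $Port
    $targetsBySource = @{}
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $proto = $f[3]; $src = $f[4]; $dst = $f[5]; $dport = $f[7]
        # Both ALLOW and DROP count: a scanner probes targets regardless of the outcome.
        if ($proto -ne 'TCP' -or $dport -ne "$Port") { continue }
        if (-not $targetsBySource.ContainsKey($src)) {
            $targetsBySource[$src] = [System.Collections.Generic.HashSet[string]]::new()
        }
        [void]$targetsBySource[$src].Add($dst)
    }
    foreach ($src in $targetsBySource.Keys) {
        $count = $targetsBySource[$src].Count
        if ($count -ge $MinTargets) {
            [pscustomobject]@{ Source = $src; DistinctTargets = $count; Port = $Port }
        }
    }
}

$lines = $SampleLog -split "`r?`n"
# With the constructed log only 10.0.5.23 (6 distinct targets) is reported;
# 10.0.9.15 made a single connection and 10.0.5.40 never touched port 3389.
Find-RdpScanners -Lines $lines -MinTargets 5 | Format-Table -AutoSize
```

To run it against a real host, replace `$SampleLog` with `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` (logging of dropped and allowed connections must be enabled first). Legitimate sources such as a jump host or a vulnerability scanner will also trip the threshold, so keep an allow-list of those addresses and tune `-MinTargets` to the size of the environment rather than treating every hit as an infection.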
As RDP is a crucial service for many organizations, Binary Defense recommends the following security hardening practices:
• Use strong passwords to prevent brute-force attacks.
• Enable Network Level Authentication, which forces users to authenticate before a session is established with the RDP server.
• Change the RDP listening port from the default of 3389 so that scanners looking for open port 3389 do not find it.
• Use a Remote Desktop Gateway Server, which provides even stronger security controls, such as Two-Factor Authentication (2FA). Additionally, the RDP logs are stored on the Gateway, making it harder for threat actors to remove crucial forensic evidence.
• Create a whitelist of IP addresses or IP address ranges for users that need access to RDP, if practical, and block all other IPs.
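The local-host parts of the list above (strong passwords, NLA, a non-default port and an IP whitelist) can be applied with a few documented registry values and firewall cmdlets. The script below is an added example, not a Binary Defense tool; the registry path and value names are the ones Windows uses for the RDP-Tcp listener, while the port 33890 and the 10.0.5.0/24 and 10.0.9.15 source addresses are placeholders to replace for your own environment. A Remote Desktop Gateway is a separate server role and is not configured here.

```powershell
# Added example, not Binary Defense's own script: apply the RDP hardening
# recommended above on a Windows host. Supports -WhatIf so the changes can be
# previewed first. Port and allowed ranges are placeholders for this demo.
#Requires -RunAsAdministrator

function Set-RdpHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1024, 65535)][int]$Port = 3389,
        [string[]]$AllowedSources = @('10.0.0.0/8'),  # placeholder whitelist
        [int]$MinPasswordLength = 14
    )
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # 1. Network Level Authentication: UserAuthentication = 1 on the RDP-Tcp listener.
    if ($PSCmdlet.ShouldProcess($rdpTcp, 'Enable Network Level Authentication')) {
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    }

    # 2. Move the listener off TCP/3389 (PortNumber is read by TermService on start).
    if ($PSCmdlet.ShouldProcess($rdpTcp, "Set RDP PortNumber to $Port")) {
        Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $Port -Type DWord
    }

    # 3. Whitelist: Block rules override Allow rules in Windows Firewall, so do not add
    #    a blanket Block. Disable the built-in "Remote Desktop" allow rules (en-US display
    #    group name) and let the default inbound policy drop everything the whitelist rule
    #    does not match.
    $ruleName = 'RDP (whitelist only)'
    if ($PSCmdlet.ShouldProcess('Windows Firewall', "Allow TCP/$Port only from $($AllowedSources -join ', ')")) {
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
        Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $AllowedSources -Action Allow -Profile Domain, Private | Out-Null
    }

    # 4. Minimum password length for local accounts (domain accounts are governed by GPO).
    if ($PSCmdlet.ShouldProcess('Local security policy', "Minimum password length $MinPasswordLength")) {
        net accounts /minpwlen:$MinPasswordLength | Out-Null
    }

    # 5. Restart the Remote Desktop service so the new port takes effect.
    #    This drops active RDP sessions, so run it from a console or out-of-band session.
    if ($PSCmdlet.ShouldProcess('TermService', 'Restart service')) {
        Restart-Service -Name TermService -Force
    }
}

# Preview every change without applying it; drop -WhatIf to apply.
Set-RdpHardening -Port 33890 -AllowedSources '10.0.5.0/24', '10.0.9.15' -WhatIf
```

Run it first with `-WhatIf` and confirm that the whitelist includes the address you are administering from; once the port moves, clients must connect with `host:33890` (or whatever port was chosen), and any monitoring that keys on port 3389 needs the same update.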
Additional information, including file hashes of malware samples, can be found in this tweet: https://twitter.com/BitdefenderLabs/status/1222998350448013312