Cybersecurity researchers have opened the lid on the continued resurgence of the insidious Trickbot malware, making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter-efforts from law enforcement.

“The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between command-and-control servers and victims — making attacks difficult to spot,” Bitdefender said in a technical write-up published Monday, suggesting an increase in the sophistication of the group’s tactics. “Trickbot shows no sign of slowing down,” the researchers noted.

According to Bitdefender, the threat actor has been found actively developing an updated version of a module called “vncDll” that it employs against select high-profile targets for monitoring and intelligence gathering. The new version has been named “tvncDll.” The new module is designed to communicate with one of the nine command-and-control (C2) servers defined in its configuration file, using it to retrieve a set of attack commands, download more malware payloads, and exfiltrate information gathered from the machine back to the server. Additionally, the researchers said they identified a “viewer tool,” which the attackers use to interact with the victims through the C2 servers.
Trickbot is modular malware to which new features are constantly being added. It started as a credential-stealing Trojan of the banking variety. Another recent upgrade was to the RDP brute-forcing module, and this is how Trickbot often gets a foothold on systems. Once a system has been infected with Trickbot, it becomes part of a botnet and may have other malware, such as ransomware, delivered to it. To protect an enterprise environment from Trickbot, implement EDR and good behavioral detections, and consider using a managed security service provider such as Binary Defense to monitor for alerts and respond quickly at any time of day or night. Since RDP is often the initial foothold, do not expose RDP to the Internet if at all possible, and use two-factor authentication.
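The RDP brute-forcing described above leaves a recognizable trail in Windows Security logs: bursts of failed logons (event ID 4625) from one source address, either hammering one account or cycling through many. The following is an added example, not code from the original post, from Bitdefender, or from Binary Defense. It assumes the events have already been exported as JSON lines carrying the fields `EventID`, `TimeCreated`, `IpAddress`, `TargetUserName` and `LogonType` (as a SIEM or event-forwarder export would provide), treats logon types 3 and 10 as remote-logon attempts, and uses constructed sample events with documentation-reserved IP addresses.

```python
"""Flag RDP brute-force and password-spray patterns in Windows Security events.

Added example (not from the original post, Bitdefender or Binary Defense).
Assumed input: one JSON record per line with EventID, TimeCreated (ISO 8601),
IpAddress, TargetUserName and LogonType. Logon type 3 (network, which RDP with
NLA produces) and type 10 (RemoteInteractive) are treated as remote attempts.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

REMOTE_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 5    # failed logons from one source inside WINDOW
SPRAY_THRESHOLD = 3   # distinct target usernames from one source inside WINDOW


def parse_events(lines):
    """Parse JSON lines into dicts with TimeCreated as datetime, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    events.sort(key=lambda r: r["TimeCreated"])
    return events


def detect_rdp_bruteforce(lines, fail_threshold=FAIL_THRESHOLD,
                          spray_threshold=SPRAY_THRESHOLD, window=WINDOW):
    """Return alerts as tuples: (kind, source_ip, count, first_seen, last_seen).

    kind is "bruteforce" (many failures from one source) or "spray"
    (many distinct usernames from one source). Each (kind, ip) fires once.
    """
    alerts = []
    alerted = set()
    recent = defaultdict(deque)   # ip -> (timestamp, username) failures in window
    for ev in parse_events(lines):
        if ev.get("EventID") != 4625 or ev.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue   # only failed remote logons are of interest here
        ip = ev.get("IpAddress", "-")
        ts = ev["TimeCreated"]
        q = recent[ip]
        q.append((ts, ev.get("TargetUserName", "")))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= fail_threshold and ("bruteforce", ip) not in alerted:
            alerted.add(("bruteforce", ip))
            alerts.append(("bruteforce", ip, len(q), q[0][0], ts))
        users = {u for _, u in q}
        if len(users) >= spray_threshold and ("spray", ip) not in alerted:
            alerted.add(("spray", ip))
            alerts.append(("spray", ip, len(users), q[0][0], ts))
    return alerts


# Constructed sample export (not real telemetry): one source guessing one
# account repeatedly, one source trying several accounts, and benign noise.
SAMPLE_EVENTS = """
{"EventID": 4625, "TimeCreated": "2021-07-13T10:00:01", "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:00:09", "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:00:17", "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:00:25", "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:00:33", "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:00:41", "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 10}
{"EventID": 4624, "TimeCreated": "2021-07-13T10:00:30", "IpAddress": "10.0.0.5", "TargetUserName": "jsmith", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:01:00", "IpAddress": "10.0.0.5", "TargetUserName": "jsmith", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:01:05", "IpAddress": "-", "TargetUserName": "jdoe", "LogonType": 2}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:02:00", "IpAddress": "198.51.100.22", "TargetUserName": "admin", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:02:04", "IpAddress": "198.51.100.22", "TargetUserName": "backup", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2021-07-13T10:02:08", "IpAddress": "198.51.100.22", "TargetUserName": "svc_sql", "LogonType": 3}
"""

if __name__ == "__main__":
    for kind, ip, count, first, last in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(f"{kind:10s} {ip:15s} count={count} window={first.time()}..{last.time()}")
```

The thresholds are deliberately low so the constructed sample trips them; in production they should be tuned against the baseline of ordinary typos, and the alert should be correlated with a later successful logon (event ID 4624) from the same source, which is the point at which the brute force has turned into a foothold.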