TrickBot, a well-known banking trojan, uses a series of modules to accomplish a wide variety of tasks. Two examples are wormWinDll, which uses EternalBlue to spread through a network by exploiting unpatched Windows computers, and DomainDll, which steals Active Directory credentials. Binary Defense analysts tracking TrickBot recently discovered a previously unknown TrickBot module. This module, known only by its internal name of “MailClient.dll,” is a modified and updated spam module. Before it was converted into a module, MailClient was a standalone spam program that would steal from Outlook, Thunderbird, and webmail clients. Apart from no longer being standalone, that functionality has changed little in the conversion to a module.
Additionally, Vitali Kremez of Sentinel Labs discovered that TrickBot also introduced a new Active Directory and Registry dumping module called “aDll.dll.” This module uses built-in Windows tools to dump information relating to Active Directory as well as critical registry hives like “HKLM/SAM” or “HKLM/SYSTEM.”
The appearance of the new MailClient module means that defenders must be aware that infected computers may be used to send email messages with malicious attachments from corporate email accounts to internal or external partners. While most corporations scan incoming email for threats, it is also important to detect threats in outgoing email messages. Although TrickBot uses several techniques to evade anti-virus detection, it is possible to detect infections by alerting on events such as scheduled tasks executing binary files from unusual locations in the file system, especially user profile folders. Skilled analysts in a Security Operations Center (SOC) can then determine whether the unusual files represent a threat. Remediating a TrickBot infection requires removing both the binary and the scheduled task that launches it.
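The detection idea above (alert when a scheduled task points at a binary in a user profile folder) can be expressed as a small rule over scheduled-task creation events. The following is an added example, not code from Binary Defense or the article: it runs over constructed records shaped like Windows Security Event ID 4698 ("A scheduled task was created"), whose TaskContent field carries the task's XML definition. The task names, user names and paths are made up for the example, and the list of "user profile" path prefixes is a heuristic assumption that a SOC would tune to its own environment. Each finding also lists the two artifacts the text says must both be removed during remediation: the task and the binary.

```python
import re
import xml.etree.ElementTree as ET

# Windows Security event for "A scheduled task was created".
TASK_CREATED_EVENT_ID = 4698

# Heuristic (assumption, tune per environment): a task whose action starts in a
# user profile folder, or in an environment variable that expands into one, is
# unusual for legitimate software and worth an analyst's attention.
USER_PROFILE_RE = re.compile(
    r'^(?:"?[A-Za-z]:\\Users\\[^\\]+\\'
    r'|"?%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%\\)',
    re.IGNORECASE,
)

def task_xml(command: str) -> str:
    """Build a minimal scheduled-task XML body with one Exec action (constructed)."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>'
    )

# Constructed sample events; these are not indicators from the article.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\Updater task",
     "TaskContent": task_xml(r"C:\Users\jdoe\AppData\Roaming\svchost.exe")},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"C:\Windows\System32\defrag.exe")},
    {"EventID": 4698, "SubjectUserName": "asmith", "TaskName": r"\Sys Update",
     "TaskContent": task_xml(r'"%APPDATA%\Microsoft\update.exe"')},
    {"EventID": 4702, "SubjectUserName": "jdoe", "TaskName": r"\Updater task",
     "TaskContent": task_xml(r"C:\Users\jdoe\AppData\Roaming\svchost.exe")},  # task updated, not created
]

def commands_from_task_xml(xml_text: str) -> list[str]:
    """Return every <Command> value in a task definition, ignoring the XML namespace."""
    root = ET.fromstring(xml_text)
    return [
        el.text.strip()
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "Command" and el.text
    ]

def is_user_profile_path(command: str) -> bool:
    """True when the command's executable lives under a user profile folder."""
    return bool(USER_PROFILE_RE.match(command.strip()))

def flag_suspicious_tasks(events: list[dict]) -> list[dict]:
    """Apply the rule to task-creation events and return findings for analyst triage."""
    findings = []
    for ev in events:
        if ev.get("EventID") != TASK_CREATED_EVENT_ID:
            continue
        for cmd in commands_from_task_xml(ev["TaskContent"]):
            if is_user_profile_path(cmd):
                findings.append({
                    "task": ev["TaskName"],
                    "user": ev["SubjectUserName"],
                    "command": cmd,
                    # Both artifacts must go: the launcher and the launched binary.
                    "remediate": [f"delete task {ev['TaskName']}",
                                  f"remove binary {cmd.strip(chr(34))}"],
                })
    return findings

if __name__ == "__main__":
    for f in flag_suspicious_tasks(SAMPLE_EVENTS):
        print(f"ALERT task={f['task']!r} user={f['user']} command={f['command']}")
```

The rule deliberately ignores event 4702 (task updated) so that the same task is not alerted twice; a production version would usually also fire on updates, since an existing benign task can be repointed at a malicious binary.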