In its 100th update, the Trickbot authors attempt to position their loader so that it never touches disk. In his coverage of the update, Lawrence Abrams writes that Vitali Kremez of Advanced Intel discovered it. The update makes use of an open-source library called MemoryModule and now injects itself into wermgr.exe using the process hollowing technique. Once Trickbot has injected itself, it terminates the original process. With this update, Trickbot has made itself nearly fileless and, as such, harder to detect.
Trickbot is, alongside Emotet, the premier criminal malware loading service offering access as a service, and it is used by the Conti and Ryuk ransomware gangs. One way to detect and hunt for Trickbot is now to look for a standalone wermgr.exe process that has been running long-term without a parent process. wermgr.exe is the Windows Error Reporting manager, so an instance running without a parent is a good indicator that the host is infected. Another is having specific phishing detection rules to assist in preventing and detecting Trickbot's spam. Once Trickbot is inside an enterprise environment, the time defenders have to react and prevent the spread of ransomware keeps getting shorter. For more details, see the November 21st Threat Watch, which covers Trickbot as well as other malware families.
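The parentless wermgr.exe hunt described above, as an added example that is not part of the original article: it snapshots the process table, flags every wermgr.exe whose parent is gone (or whose parent PID was recycled by a newer process), and reports how long each has been running. It assumes local administrator rights on the host being checked.

```powershell
# Added example (not from the original article): hunt for wermgr.exe processes
# left without a parent, the post-injection state the article describes.
# Assumption: run with local admin rights so every process is visible.

$now   = Get-Date
$procs = Get-CimInstance -ClassName Win32_Process

# Index the snapshot by PID so parent lookups are O(1).
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$hits = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'wermgr.exe' })) {
    $parent = $byPid[[int]$p.ParentProcessId]

    # The parent is gone if its PID is no longer in the table, or if the PID
    # now belongs to a process that started *after* this child (PID reuse).
    $orphaned = ($null -eq $parent) -or ($parent.CreationDate -gt $p.CreationDate)

    $parentName = '<none>'
    if ($parent) { $parentName = $parent.Name }

    [PSCustomObject]@{
        ProcessId      = $p.ProcessId
        ParentPid      = $p.ParentProcessId
        ParentName     = $parentName
        Orphaned       = $orphaned
        RunningMinutes = [int]($now - $p.CreationDate).TotalMinutes
        CommandLine    = $p.CommandLine
    }
}

# A legitimate wermgr.exe is short-lived and has a live parent; a long-lived,
# parentless one is the indicator the article calls out. Triage these first.
$hits | Where-Object { $_.Orphaned } |
    Sort-Object RunningMinutes -Descending |
    Format-Table -AutoSize
```

Because the check is a point-in-time snapshot, run it periodically (or feed the same logic to your EDR's process telemetry) rather than once; a short-lived legitimate instance can appear parentless for a moment while WER is tearing down.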
1⃣"Memory DLL loading code" (Github Copy/Paste)
2⃣Interesting Loader Process (Doppel)|Hollowing Injection via legitimate wermgr.exe w/ CreateProcessInternalW
🛡️Stay protected / 🔎 for wermgr process inj pic.twitter.com/Pq7hWP4MZ6
— Vitali Kremez (@VK_Intel) November 17, 2020