New Trickbot Powershell stager “PowerTrick” for High-Value-Targets

Threat Watch

Threat Watch New Trickbot Powershell stager “PowerTrick” for High-Value-Targets

New Trickbot Powershell stager “PowerTrick” for High-Value-Targets

Researchers from Sentinal Labs have discovered a new PowerShell stager (PowerTrick) which is used by TrickBot as an Interactive Network Exploitation shell. Along with the ability to download the DNS-based Anchor malware, this stager typically also uses PowerView, Invoke-SessionGopher, Get-GPPPassword, and Get-VaultCredential, which can be used to perform further reconnaissance and credential theft on a victim’s network. Additionally, PowerTrick can be leveraged for lateral movement on a network.

ANALYST NOTES

As PowerTrick initially starts as a TrickBot infection, it’s important to keep AntiVirus signatures up to date, and actively monitor for any TrickBot infections by looking for scheduled Tasks that execute binaries stored in AppData/Roaming/*. The Blog from Sentinal can be found here: https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/#report

Using Microsoft Sentinel to Detect Confluence CVE-2022-26134 Exploitation

Russia may be Pressing Arrested Cyber Criminals into Service

Get To Know Bob Meindl, Our New CEO!

How Ransomware Capabilities Are Evolving and What You Can Do to Keep Your Organization Secure

Threat Watch