New Trickbot Powershell stager “PowerTrick” for High-Value-Targets - Binary Defense

Threat Watch


Researchers at SentinelOne Labs have discovered a new PowerShell stager, PowerTrick, which TrickBot uses as an interactive network exploitation shell. Besides downloading the DNS-based Anchor malware, the stager typically also pulls in PowerView, Invoke-SessionGopher, Get-GPPPassword, and Get-VaultCredential, which the operators use for further reconnaissance and credential theft on a victim's network. PowerTrick can also be leveraged for lateral movement across the network.

ANALYST NOTES

Because PowerTrick begins as a TrickBot infection, it is important to keep antivirus signatures up to date and to actively monitor for TrickBot infections by looking for scheduled tasks that execute binaries stored under AppData/Roaming/*. The SentinelOne blog post can be found here: https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/#report
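One way to implement the scheduled-task check described above, as an added example that is not part of the Binary Defense note or the SentinelOne report: it enumerates local scheduled tasks and flags any whose action launches a program from a user's AppData\Roaming directory (either by literal path or via %APPDATA%). The function name and the default pattern are this example's own choices; it assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Hunt for scheduled tasks whose action runs a binary out of AppData\Roaming,
# the persistence location called out for TrickBot in the analyst notes.
# Added example, not code from the original write-up. Run in an elevated
# session so tasks registered by other users are visible.

function Find-RoamingAppDataTasks {
    [CmdletBinding()]
    param(
        # Regex matched against "<Execute> <Arguments>" of each task action.
        # Matches the literal path fragment or the %APPDATA% variable, which
        # expands to <profile>\AppData\Roaming. Case-insensitive by default.
        [string]$Pattern = '(\\AppData\\Roaming\\|%APPDATA%)'
    )

    $findings = @()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a program path; ComHandler actions do not.
            if (-not $action.Execute) { continue }

            $commandLine = "$($action.Execute) $($action.Arguments)"
            if ($commandLine -match $Pattern) {
                $info = $task | Get-ScheduledTaskInfo
                $findings += [pscustomobject]@{
                    TaskPath    = $task.TaskPath
                    TaskName    = $task.TaskName
                    RunAs       = $task.Principal.UserId
                    State       = $task.State
                    Execute     = $action.Execute
                    Arguments   = $action.Arguments
                    LastRunTime = $info.LastRunTime
                    NextRunTime = $info.NextRunTime
                }
            }
        }
    }
    return $findings
}

# Review hits manually: legitimate updaters (e.g. some per-user installers)
# also live under AppData\Roaming, so this is a triage list, not a verdict.
Find-RoamingAppDataTasks | Format-Table -AutoSize
```

For coverage beyond the host being checked, pair this with a review of Security event 4698 (scheduled task created), which records who registered each task and when.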
