Cybersecurity researchers have opened the lid on the continued resurgence of the insidious Trickbot malware, making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter efforts from law enforcement. “The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between command-and-control servers and victims — making attacks difficult to spot,” Bitdefender said in a technical write-up published Monday, suggesting an increase in sophistication of the group’s tactics. “Trickbot shows no sign of slowing down,” the researchers noted. Now according to Bitdefender, the threat actor has been found actively developing an updated version of a module called “vncDll” that it employs against select high-profile targets for monitoring and intelligence gathering. The new version has been named “tvncDll.” The new module is designed to communicate with one of the nine command-and-control (C2) servers defined in its configuration file, using it to retrieve a set of attack commands, download more malware payloads, and exfiltrate gathered from the machine back to the server. Additionally, the researchers said they identified a “viewer tool,” which the attackers use to interact with the victims through the C2 servers.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased