TrickBot, a well-known banking trojan, uses a series of modules to accomplish a wide variety of tasks. Some examples of modules are wormWinDll, which uses EternalBlue to spread through a network by exploiting unpatched Windows computers, and DomainDll, which steals Active Directory credentials. Binary Defense analysts tracking TrickBot recently discovered a previously unknown TrickBot module. This module, known only by its internal name of “MailClient.dll,” is a modified and updated spam module. Prior to being converted into a module, MailClient was a standalone spam program that would steal from Outlook, Thunderbird, and webmail clients. Aside from no longer being standalone, this functionality hasn’t changed much in the module conversion.
Additionally, Vitali Kremez of Sentinel Labs discovered that TrickBot also introduced a new Active Directory and Registry dumping module called “aDll.dll.” This module uses built-in Windows tools to dump information relating to Active Directory as well as critical registry hives like “HKLM/SAM” or “HKLM/SYSTEM.”
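The registry-hive dumping described above leaves a recognisable trace in process-creation telemetry, because the module relies on built-in Windows tools rather than custom code. The following detection sketch is an added example written for this page; it is not code from Binary Defense, Sentinel Labs or the TrickBot analysis. The page does not name the tools involved, so the example assumes `reg.exe save`/`export` for the SAM and SYSTEM hives and `ntdsutil` IFM snapshots for Active Directory data as representative built-in utilities, and it runs over a constructed, pipe-delimited set of sample events (`host|user|image|command line`) rather than real logs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed process-creation events, one per line, in a pipe-delimited
# "host|user|image|command line" form. Sample data written for this
# example, not taken from the page or from any real incident.
SAMPLE_LOGS = [
    r"WS01|CORP\alice|C:\Windows\System32\reg.exe|reg save HKLM\SAM C:\Users\Public\sam.hiv",
    r"WS01|CORP\alice|C:\Windows\System32\reg.exe|reg save HKLM\SYSTEM C:\Users\Public\sys.hiv",
    r'DC01|CORP\svc_backup|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" ifm "create full C:\Temp\ifm" q q',
    r"WS02|CORP\bob|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"WS02|CORP\bob|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\bob\notes.txt",
]


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcessEvent:
    # Assumed log layout: exactly four pipe-separated fields.
    host, user, image, cmdline = line.split("|", 3)
    return ProcessEvent(host, user, image, cmdline)


# Hives whose on-disk copies allow offline recovery of local account secrets.
# SAM alone is not enough: its contents are protected with the boot key held
# in SYSTEM, which is why the correlation step below watches for both.
SENSITIVE_HIVES = ("hklm\\sam", "hklm\\system", "hklm\\security")


def _normalize(cmdline: str) -> str:
    # Lower-case, unify slash styles ("HKLM/SAM" vs "HKLM\SAM") and collapse
    # whitespace so the matching below tolerates common variants.
    return re.sub(r"\s+", " ", cmdline.replace("/", "\\")).strip().lower()


def detect(event: ProcessEvent) -> List[str]:
    """Return finding labels for one event (empty list if nothing matched)."""
    findings: List[str] = []
    exe = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = _normalize(event.cmdline)
    # reg.exe writing a protected hive to a file (ATT&CK T1003.002).
    if exe == "reg.exe" and re.match(r"^\S*reg(\.exe)? (save|export) ", cmd):
        for hive in SENSITIVE_HIVES:
            if f" {hive}" in cmd:
                findings.append(f"hive-export:{hive}")
    # ntdsutil "install from media" snapshot, which copies NTDS.dit (T1003.003).
    if exe == "ntdsutil.exe" and re.search(r"\bifm\b", cmd):
        findings.append("ntds-ifm-snapshot")
    return findings


def scan_logs(lines: List[str]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Run detect() over raw log lines, keeping only events with findings."""
    results = []
    for line in lines:
        event = parse_line(line)
        found = detect(event)
        if found:
            results.append((event, found))
    return results


def correlate_sam_system(results) -> Set[Tuple[str, str]]:
    """(host, user) pairs that exported both SAM and SYSTEM. Together these two
    hives are sufficient for offline hash recovery, so the pair is a stronger
    signal than either export on its own."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for event, found in results:
        for label in found:
            if label.startswith("hive-export:"):
                seen[(event.host, event.user)].add(label.split(":", 1)[1])
    needed = {"hklm\\sam", "hklm\\system"}
    return {key for key, hives in seen.items() if needed <= hives}


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for event, found in hits:
        print(f"{event.host} {event.user}: {', '.join(found)}")
    for host, user in correlate_sam_system(hits):
        print(f"ALERT: {host} {user} exported both SAM and SYSTEM")
```

Against the constructed sample the scan flags the two `reg save` events on WS01 and the `ntdsutil` IFM snapshot on DC01, ignores the benign `reg query` and notepad events, and the correlation step raises the WS01/alice pair because both SAM and SYSTEM were written out. In a real deployment the same matching would be fed from Sysmon Event ID 1 or Windows Security 4688 command-line fields, and the `ntdsutil` rule should be tuned against legitimate domain-controller backup activity, which produces the same command line.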