Trickbot Update Moves Off Disk, Becomes Harder to Detect - Binary Defense

Threat Watch

Threat Watch Trickbot Update Moves Off Disk, Becomes Harder to Detect

Trickbot Update Moves Off Disk, Becomes Harder to Detect

In its 100th update, the Trickbot authors attempt to position their loader to evade detection by ~~never~~only briefly to touching the disk. In a summary by~~In his coverage of the update,~~ ~~Lawrence Abrams~~Bleeping Computer writes that Vitali Kremez of Advanced Intel discovered this update, and it does make the malware much more difficult to detect. This update makes use of an open-source library called MemoryModule to load a DLL completely from memory and is now injecting itself into wermgr.exe, the legitimate Microsoft error reporting program, using the process hoallowing technique. Once Trickbot has injected itself, it will terminate the original process and quickly delete its executable file, which was only saved on the disk for a very short time.. With this new update, Trickbot has now made itself nearly ~~lifeless~~ invisible to anti-virus product~~and, as such~~, making it harder to detect.

ANALYST NOTES

Trickbot is the premier criminal malware loading service next to Emotet for access as a service, used by the Conti and Ryuk ransomware gangs. One way to detect and search for Trickbot is to now look for a standalone process of wermgr.exe running long-term without a parent process. Wermgr.exe is the error manager for Windows, so if it runs without a parent process, it is a good indicator that a host is infected. Another is having specific phishing detection rules to assist in the prevention and detection of Trickbot’s spam. If Trickbot is in an enterprise environment, the amount of time necessary for defenders to react to prevent the spread of ransomware is becoming shorter and shorter. For more details, look at November 21st Threat Watch covering Trickbot as well as other malware families.

Refernces:
https://www.bleepingcomputer.com/news/security/trickbot-turns-100-latest-malware-released-with-new-features/
https://github.com/fancycode/MemoryModule

2020-11-17:🆕🔥#TrickBot Banker #Malware | 🥳 100th built ➡️ "1101"

cfg:
1⃣"Memory DLL loading code" (Github Copy/Paste)
2⃣Interesting Loader Process (Doppel)|Hollowing Injection via legitimate wermgr.exe w/ CreateProcessInternalW

🛡️Stay protected / 🔎 for wermgr process inj pic.twitter.com/Pq7hWP4MZ6

— Vitali Kremez (@VK_Intel) November 17, 2020