A new module for TrickBot banking Trojan has recently been discovered in the wild that lets attackers leverage compromised systems to launch brute-force attacks against selected Windows systems running a Remote Desktop Protocol (RDP) connection exposed to the Internet.
The module, dubbed "rdpScanDll," was discovered on January 30 and is said to be still in development, said cybersecurity firm Bitdefender in a report shared with The Hacker news.
According to the researchers, the rdpScanDll brute-forcing module has so far attempted to target 6,013 RDP servers belonging to enterprises in telecom, education, and financial sectors in the U.S. and Hong Kong.
The malware authors behind TrickBot specialize in releasing new modules and versions of the Trojan in an attempt to expand and refine its capabilities.
"The flexibility allowed by this modular architecture has turned TrickBot into a very complex and sophisticated malware capable of a wide range of malicious activities, as long as there is a plugin for it," the researchers said.
"From add-ons for stealing OpenSSH and OpenVPN sensitive data, to modules that perform SIM-swapping attacks to take control of a user's telephone number, and even disabling Windows built-in security mechanisms before downloading its main modules, TrickBot is a jack-of-all-trades."
When TrickBot begins its execution, it creates a folder containing the encrypted malicious payloads and their associated configuration files, which includes a list of command-and-control (C2) servers with whom the plugin needs to communicate to retrieve the commands to be executed.
According to Bitdefender, the rdpScanDll plugin shares its configuration file with another module named "vncDll," while making use of a standard URL format to communicate with the new C2 servers — https://C&C/tag/computerID/controlEndpoint
Here, "C&C" refers to the C2 server, "tag," the group tag used by the TrickBot sample, "computerID," the computer ID used by the malware, and "controlEndpoint," a list of attack modes (check, trybrute and brute) and the list of IP address-port number combinations to be targeted via an RDP brute-force attack.
While the "check" mode checks for an RDP connection from the list of targets, the "trybrute" mode attempts a brute force operation on the selected target using a predetermined list of usernames and passwords obtained from endpoints "/rdp/names" and "/rdp/dict" respectively.
The "brute" mode, per the researchers, appears to be still in development. Not only it includes a set of executable functions that aren't invoked, the mode "doesn't fetch the username list, causing the plugin to use null passwords and usernames to authenticate on the targets list."
Once the initial list of targeted IPs gathered via "/rdp/domains" is exhausted, the plugin, then, retrieves another set of fresh IPs using a second "/rdp/over" endpoint.
The two lists, each comprising 49 and 5,964 IP addresses, included targets located in the US and Hong Kong spanning telecom, education, financial, and scientific research verticals.
In addition, the Bitdefender report detailed TrickBot's update delivery mechanism, finding that plugins responsible for lateral movement across the network (WormDll, TabDll, ShareDll) received the most updates, followed by modules that helped carry out the 'system and network' reconnaissance (SystemInfo, NetworkDll), and data harvesting (ImportDll, Pwgrab, aDll) over the course of last six months.
"While monitoring the updates of malicious plugins, we observed that the most frequently updated ones were those performing lateral movement: 32.07% of them were wormDll, 31.44% were shareDll, and 16.35% were tabDll," the researchers observed. "The rest of the plugins had fewer than 5% occurrences."
What's more, the researchers were able to identify at least 3,460 IP addresses that acted as C2 servers across the world, including 556 servers that were solely dedicated to downloading new plugins and 22 IPs that served both roles.
Disseminated via email phishing campaigns, TrickBot began its life as a banking Trojan in 2016, facilitating financial theft. But it has since evolved to deliver other kinds of malware, including the notorious Ryuk ransomware, act as an info stealer, loot Bitcoin wallets, and harvest emails and credentials.
The malspam campaigns that deliver TrickBot use third party branding familiar to the recipient, such as invoices from accounting and financial firms.
The emails typically include an attachment, such as a Microsoft Word or Excel document, which, when opened, will prompt the user to enable macros — thereby executing a VBScript to run a PowerShell script to download the malware.
TrickBot is also dropped as a secondary payload by other malware, most notably by the Emotet botnet-driven spam campaign. To gain persistence and evade detection, the malware has been found to create a scheduled task and a service, and even disable and delete Windows Defender antivirus software.
This led Microsoft to roll out a Tamper Protection feature to safeguard against malicious and unauthorized changes to security features last year.
"The new rdpScanDll module may be the latest in a long line of modules that have been used by the TrickBot Trojan, but it's one that stands out because of its use of a highly specific list of IP addresses," the researchers concluded.
"Using an existing infrastructure of TrickBot victims, the new module suggests attackers may also be focusing on verticals other than financial, such as telecommunications services and education & research."
The module, dubbed "rdpScanDll," was discovered on January 30 and is said to be still in development, said cybersecurity firm Bitdefender in a report shared with The Hacker news.
According to the researchers, the rdpScanDll brute-forcing module has so far attempted to target 6,013 RDP servers belonging to enterprises in telecom, education, and financial sectors in the U.S. and Hong Kong.
The malware authors behind TrickBot specialize in releasing new modules and versions of the Trojan in an attempt to expand and refine its capabilities.
"The flexibility allowed by this modular architecture has turned TrickBot into a very complex and sophisticated malware capable of a wide range of malicious activities, as long as there is a plugin for it," the researchers said.
"From add-ons for stealing OpenSSH and OpenVPN sensitive data, to modules that perform SIM-swapping attacks to take control of a user's telephone number, and even disabling Windows built-in security mechanisms before downloading its main modules, TrickBot is a jack-of-all-trades."
How Does TrickBot RDP Brute-Force Module Work?
When TrickBot begins its execution, it creates a folder containing the encrypted malicious payloads and their associated configuration files, which includes a list of command-and-control (C2) servers with whom the plugin needs to communicate to retrieve the commands to be executed.
According to Bitdefender, the rdpScanDll plugin shares its configuration file with another module named "vncDll," while making use of a standard URL format to communicate with the new C2 servers — https://C&C/tag/computerID/controlEndpoint
Here, "C&C" refers to the C2 server, "tag," the group tag used by the TrickBot sample, "computerID," the computer ID used by the malware, and "controlEndpoint," a list of attack modes (check, trybrute and brute) and the list of IP address-port number combinations to be targeted via an RDP brute-force attack.
While the "check" mode checks for an RDP connection from the list of targets, the "trybrute" mode attempts a brute force operation on the selected target using a predetermined list of usernames and passwords obtained from endpoints "/rdp/names" and "/rdp/dict" respectively.
The "brute" mode, per the researchers, appears to be still in development. Not only it includes a set of executable functions that aren't invoked, the mode "doesn't fetch the username list, causing the plugin to use null passwords and usernames to authenticate on the targets list."
Once the initial list of targeted IPs gathered via "/rdp/domains" is exhausted, the plugin, then, retrieves another set of fresh IPs using a second "/rdp/over" endpoint.
The two lists, each comprising 49 and 5,964 IP addresses, included targets located in the US and Hong Kong spanning telecom, education, financial, and scientific research verticals.
Lateral Movement Plugins on Top
In addition, the Bitdefender report detailed TrickBot's update delivery mechanism, finding that plugins responsible for lateral movement across the network (WormDll, TabDll, ShareDll) received the most updates, followed by modules that helped carry out the 'system and network' reconnaissance (SystemInfo, NetworkDll), and data harvesting (ImportDll, Pwgrab, aDll) over the course of last six months.
"While monitoring the updates of malicious plugins, we observed that the most frequently updated ones were those performing lateral movement: 32.07% of them were wormDll, 31.44% were shareDll, and 16.35% were tabDll," the researchers observed. "The rest of the plugins had fewer than 5% occurrences."
What's more, the researchers were able to identify at least 3,460 IP addresses that acted as C2 servers across the world, including 556 servers that were solely dedicated to downloading new plugins and 22 IPs that served both roles.
A History of Evolving Capabilities
Disseminated via email phishing campaigns, TrickBot began its life as a banking Trojan in 2016, facilitating financial theft. But it has since evolved to deliver other kinds of malware, including the notorious Ryuk ransomware, act as an info stealer, loot Bitcoin wallets, and harvest emails and credentials.
The malspam campaigns that deliver TrickBot use third party branding familiar to the recipient, such as invoices from accounting and financial firms.
The emails typically include an attachment, such as a Microsoft Word or Excel document, which, when opened, will prompt the user to enable macros — thereby executing a VBScript to run a PowerShell script to download the malware.
TrickBot is also dropped as a secondary payload by other malware, most notably by the Emotet botnet-driven spam campaign. To gain persistence and evade detection, the malware has been found to create a scheduled task and a service, and even disable and delete Windows Defender antivirus software.
This led Microsoft to roll out a Tamper Protection feature to safeguard against malicious and unauthorized changes to security features last year.
"The new rdpScanDll module may be the latest in a long line of modules that have been used by the TrickBot Trojan, but it's one that stands out because of its use of a highly specific list of IP addresses," the researchers concluded.
"Using an existing infrastructure of TrickBot victims, the new module suggests attackers may also be focusing on verticals other than financial, such as telecommunications services and education & research."