Malware Review – TrickBot

Smarttech247 Threat Hunting

Smarttech247 Threat Hunting

Malware Review – TrickBot

Earlier this week, the Smarttech247 Security Operations Centres noticed unusual activity that related to the banking trojan TrickBot. An IP addressed was found to be doing large scale scanning campaign from the IP 130.185.250.51 being controlled out of Belize. The IP initially began scanning port 3389 and then NTP. While we are still unsure of the aim of the scanning campaign, the event brought TrickBot back into the team discussions in the Smarttech247 offices this week.

First created in 2016, TrickBot is a banking Trojan that predominately targets Windows machines and earned the name of one of the top-ranked threat for businesses in 2018 when there was a sharp increase in the presence of the trojan in North America, Europe, Africa and the Middle East. The banking trojan has several capabilities including harvesting emails, harvesting credentials and stealing from Bitcoin wallets and has now grown to include even more dangerous capabilities including disabling Microsoft’s built in antivirus and spreading itself to other computers on the same network as the infected device.

TrickBot usually infects devices in the form of spam campaigns designed to lure and trick the users of the PC into divulging personal data, clicking an infected link or downloading a malicious file or being spread laterally using the EternalBlue exploit. The use of the EternalBlue exploit is what makes this malware particularly dangerous as any infected machine on the network can infect any other computer on the same network, even those that have been previously cleansed. A typical endpoint user will often not see any obvious symptoms of an infection but changes in traffic or attempts to reach blacklisted IPS and domains may be seen by the network administrator.

Once it has infected a device, the malware attaches itself to a TeamView directory and executes itself by creating a ‘Modules’ folder that holds encrypted plug and play modules the malware relies on.

Due to the use of the EternalBlue exploit, it can be a long and painstaking process to remediate a device infected by the malware. The devices will have to be isolated, patched and remediated one by one which can be difficult for organisations with no inhouse IT team. The other option is to install an anti-malware program to allow for its detection.

Proactive steps can be taken to prevent infection by the virus in the first place. Employees should be educated on phishing emails. They must report any suspicious emails to the IT department and never open links or attachments. Users should avoid browsing on unsecure, high-risk websites and should immediately leave a suspicious site without clicking on any content. Organisations should ensure that the operating systems of their devices are updated regularly to ensure all security patches are complete.

Smarttech247 Threat Hunting

Smarttech247 Threat Hunting