Trickbot Malware returns with new VNC Module to spy on its victims

According to cybersecurity experts, Trickbot malware is being used by cybercriminals based in Russia who are trying to regroup their efforts after law enforcement agencies went after their infrastructure.
Bitdefender in a post on Monday said, “The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between [command-and-control] servers and victims — making attacks difficult to spot.”
The researchers specifically noted that they had found traces of Trickbot malware in use with increasing frequency.
Criminal operators usually build botnets from hundreds or thousands of hacked devices, forming a network that is then used to launch DDoS attacks. These attacks flood business and critical infrastructure networks with fake traffic, knocking them offline. Bad actors can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on the infected computers once they control such devices.
What is TrickBot Malware?
TrickBot malware is associated with the Wizard Spider group and is known to exploit infected systems to steal sensitive information. It is also able to pivot laterally across the network and act as a loader for other malware, while constantly improving its infection chain by adding modules with new functionality to increase its effectiveness.
Earlier, in October 2021, Lumen’s Black Lotus Labs disclosed, “TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware. It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible.”
Microsoft and the US Cyber Command have twice attempted to bring down the botnet. In response, the operators developed firmware-tampering components to plant a backdoor in the Unified Extensible Firmware Interface (UEFI). This enabled the bad actors to evade detection by antivirus software and survive software updates, or even a complete wipe and reinstallation of the computer’s operating system.
Bitdefender revealed that threat actors are actively developing “tvncDll”, an updated version of a module called “vncDll”. It is employed against select high-profile targets for monitoring and intelligence gathering.
The “tvncDll” module is designed to communicate with one of the nine command-and-control (C2) servers defined in its configuration file. It is able to retrieve a set of attack commands, download additional malware payloads, and exfiltrate data gathered from the machine back to the server. The researchers also mentioned a “viewer tool,” which the attackers use to interact with victims through the C2 servers.
According to Microsoft, efforts to squash the gang’s operations have not been entirely successful. It worked with internet service providers (ISPs) to go door-to-door replacing routers compromised by the Trickbot malware in Brazil and Latin America. As of now, they have been able to effectively shut down Trickbot infrastructure in Afghanistan.