Usually the 100th release is something to celebrate…well, not if it’s TrickBot!
The group behind the famous malware has just released the hundredth version of the TrickBot malware with a host of new features to evade detection.
Commonly installed via phishing emails or through other malware, TrickBot will quietly run on a victim’s computer while it downloads other modules to perform different tasks: from stealing a domain’s Active Directory Services database to spreading laterally on a network without forgetting the usual suspecets of screenlocking, stealing cookies and browser passwords, and stealing OpenSSH keys.
The new TrickBot Features
This latest build was discovered by Advanced Intel’s Vitali Kremez, who found that they added new features to make it harder to detect.
After Microsoft and their partners performed a coordinated attack against TrickBot infrastructure last month, it was hoped that it would take them some time to recover. Unfortunately, the TrickBot gang is still chugging along, as shown by the release of the TrickBot malware’s hundredth build.
With this release, TrickBot is now injecting its DLL into the legitimate Windows wermgr.exe (Windows Problem Reporting) executable directly from memory using code from the ‘MemoryModule’ project.
“MemoryModule is a library that can be used to load a DLL completely from memory – without storing on the disk first,” explains the project’s GitHub page.
Initially started as an executable, TrickBot will inject itself into wermgr.exe and then terminates the original TrickBot executable.
As you can see, the TrickBot gang has not allowed the disruption of their infrastructure to hold them back, and they continue to integrate new features to prevent the malware from being undetected.
Unfortunately, this means TrickBot is here to stay for the foreseeable future, and consumers and the enterprise need to remain diligent and be smart about what email attachments they open.