The TrickBot Trojan has been upgraded with new modules to make detection, and defense, more difficult.
The Trojan is most commonly connected to phishing campaigns which trick users into entering their credentials into phishing and fraudulent banking websites, designed to appear as legitimate services.
Online banking customers from the US, UK, Australia, and other countries are commonly targeted.
The malware has “continually undergone updates and changes in attempts to stay one step ahead of defenders,” according to researchers from Webroot.
Now, a new module has been installed which not only makes discovery more difficult but utilizes a locking system akin to ransomware.
In a blog post on Wednesday, researchers from the cybersecurity firm said that on 15 March, Webroot noticed a new module, tabDll32 / tabDll64, which was downloaded by TrickBot in the first example of the system being utilized in the wild.
The module, known internally as spreader_x86.dll, contains two new executables which enhance the malware’s capabilities.
When TrickBot has compromised a system, it installs itself into a TeamViewer directory and executes, creating a “Modules” folder which stores encrypted plug-and-play modules the malware relies upon.
There are already well-documented injector, DLL tampering, and worm modules, but now, tabDll32 (Spreader_x86.dll) adds two files, SsExecutor_x86.exe and screenLocker_x86.dll.
Spreader_x86.dll attempts to utilize EternalBlue to spread, but the module appears to still be in development as there is evidence of DLL injector mechanisms quickly ripped from GitHub repositories.
The second phase, SsExecutor_x86.exe, runs after the exploit has completed its task. This executable attempts to take over registry use profiles to add a link to the Trojan’s startup path to maintain persistency.
The other executable, ScreenLocker_x86.dll, is an interesting file which attempts to “lock” victim machines in a similar way to ransomware.
Written in Delphi, the module does not appear to be complete, but it does give us an interesting glimpse into the operator’s extortion plans.
“Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft,” Webroot says. “However, extorting victims to unlock their computer is a much simpler monetization scheme.”
Webroot says the module is only deployed after infection vectors are complete, and so it is likely that the locking code would be used to “primarily target unpatched corporate networks.”
As corporate users are less likely to be accessing their online bank accounts on the network, locking systems could become a backup money-making scheme for the Trojan.
“The TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim’s network,” the researchers say. “This is being coupled with an unfinished “screenLocker” module in a new possible attempt to extort money from victims.”
Webroot added that TrickBot remains in constant development and so we are likely to see more modules and capabilities bolted on to the malware in the future.
Earlier this month, a new campaign dubbed FlawedAmmyy was uncovered by Proofpoint researchers. The campaign utilizes remote access Trojans to compromise PCs, conduct surveillance, and steal sensitive data.