Self-Replicating Worm Module Incorporated in Trickbot Malware

Trickbot malware is a banking Trojan that has been around for some time, although its developers have recently created a WannaCry ransomware-style worm module that allows it to spread much more swiftly.

The latest NotPetya attacks also included a similar module enabling the malware to be deployed in devastating attacks that wiped out complete systems.

This new method of speeding up the spread of malware takes advantage of a vulnerability in Windows Server Message Block (SMB), which is used to find all susceptible computers on a network that connect via the Lightweight Directory Access Protocol (LDAP).
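The spreading pattern described above (a host enumerates domain computers over LDAP, then fans out to many peers over SMB) is something defenders can look for in network flow logs. The following is an added illustration, not code from the article or from Trickbot; the flow records, hosts and timestamps are constructed, and the window and peer thresholds are assumed tuning values.

```python
# Added example: flag hosts that query LDAP (TCP 389) and shortly afterwards
# open SMB (TCP 445) connections to many distinct peers, the fan-out pattern
# a self-spreading module produces. All flow records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records, one per line: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2017-07-28T09:00:01 10.0.0.15 10.0.0.2 389
2017-07-28T09:00:05 10.0.0.15 10.0.0.21 445
2017-07-28T09:00:06 10.0.0.15 10.0.0.22 445
2017-07-28T09:00:06 10.0.0.15 10.0.0.23 445
2017-07-28T09:00:07 10.0.0.15 10.0.0.24 445
2017-07-28T09:00:08 10.0.0.15 10.0.0.25 445
2017-07-28T09:00:09 10.0.0.15 10.0.0.26 445
2017-07-28T09:10:00 10.0.0.40 10.0.0.2 389
2017-07-28T09:15:00 10.0.0.40 10.0.0.50 445
2017-07-28T09:20:00 10.0.0.41 10.0.0.60 445
"""

LDAP_PORT, SMB_PORT = 389, 445

def parse_flows(text):
    """Parse constructed flow lines into sorted (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows)

def find_smb_fanout(text, window=timedelta(minutes=2), min_peers=5):
    """Return {src: distinct SMB peers} for sources that, within `window`
    after an LDAP query, connect over SMB to at least `min_peers` hosts."""
    flows = parse_flows(text)
    ldap_times = defaultdict(list)
    for t, src, _dst, dport in flows:
        if dport == LDAP_PORT:
            ldap_times[src].append(t)
    flagged = {}
    for src, times in ldap_times.items():
        for t0 in times:
            peers = {dst for t, s, dst, dport in flows
                     if s == src and dport == SMB_PORT and t0 <= t <= t0 + window}
            if len(peers) >= min_peers:
                flagged[src] = len(peers)
    return flagged

if __name__ == "__main__":
    print(find_smb_fanout(SAMPLE_FLOWS))  # {'10.0.0.15': 6}
```

Only 10.0.0.15 is flagged: 10.0.0.40 queried LDAP but contacted a single SMB peer outside the window, and 10.0.0.41 never queried LDAP at all.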

Since the exploit is readily available, hackers can use it in conjunction with malware to spread infections more effectively and quickly. Worms were once widespread, although their use has died out. The use of worm-like elements in the WannaCry and NotPetya attacks has shown just how effective they can be, and also served as a reminder of why they were popular initially.

Far from being rarely seen malware variants, worm-like modules could be about to see an increase in use. Luckily, for the time being at least, the worm module in Trickbot malware does not seem to be fully operational. That said, the malware is constantly being redeveloped, so it is likely that the flaws will be fixed soon.

The malware can obtain access to online banking accounts, allowing the hackers to empty them. It is quickly becoming one of the main banking Trojans, according to IBM X-Force. It is, at present, being used in targeted attacks on groups in the financial sector around the world, with the latest campaigns targeting banks in the UK and United States. The ability to spread throughout a network rapidly will make it much more dangerous.

Aside from the new worm-like module, another change has been discovered. PhishMe reports that it has identified a difference in how the Trojan is distributed. Attacks have taken place this year using malvertising campaigns that redirect web users to sites hosting the Rig exploit kit, although Trickbot is mainly distributed via spam email sent through the Necurs botnet.

The most recent change to the Trickbot malware campaign is helping the threat actors evade antivirus solutions. Prior to this, the Trojan had been downloaded via macro scripts in specially crafted Office documents. The most recent campaign update sees the hackers deploy a Windows Script Component (WSC) containing XML-format scripts. The same delivery method has also been used to deliver GlobeImposter ransomware.


Posted by Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related area of IT security breaches, with a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone