New TrickBot Variant Targets Telecoms in US, Asia: ReportUpdated Malware Using RDP Brute-Force Methods to Bypass Security
A new variant of TrickBot, which is using remote desktop protocol brute-force methods to target potential victims and bypass security protocols, is mainly targeting telecom services in the U.S. and Hong Kong, attempting to steal intellectual property as well as financial data, according to a report from Bitdefender.
TrickBot is a banking Trojan that acts as a dropper for other malware
The new variant, which Bitdefender researchers discovered in late January, is also targeting education institutions and financial services, according to the report. This version of the malware has the ability to target organizations by using a set of pre-determined usernames and passwords as part of a brute-force attack, the researchers say.
"The new rdpScanDll module [variant] may be the latest in a long line of modules that have been used by the TrickBot Trojan, but it's one that stands out because of its use of a highly specific list of IP addresses," the researchers note. "The new module suggests attackers may also be focusing on verticals other than financial, such as telecommunications services and education and research."
First spotted in the wild in 2016, TrickBot has evolved over the years, with attackers adjusting the code to carry out a variety of attacks. In some cases, threat actors have combined TrickBot with Emotet to deliver ransomware. More recently, the malware has been used in SIM swapping schemes (see: TrickBot Variant Enables SIM Swapping Attacks: Report).
The modular nature of TrickBot means that attackers can develop variants of the malware to suit their needs as they did in version that the Bitdefender researchers found.
In this case, the researchers found three new plug-ins as part of this campaign. The first, called "Check," looks for vulnerable remote desktop protocol connections from the list of targeted IP addresses, according to the report. The second, dubbed "Trybrute," helps execute the brute-force attack on the targeted network by attempting to match a pre-configured list of usernames and passwords, the report notes.
The third plug-in, called "Brute," remains under development and it's true function is still unclear, although it also seems to use a combination of usernames and passwords to authenticate the attack, according to the report.
If this version of TrickBot is successful in brute-forcing the usernames and passwords, it reports back to a command-and-control server for further instructions, according to the report. The researchers note that new command-and-control servers have been added monthly over the last six months.
Bitdefender researchers have identified over 2,900 command-and-control servers, with the majority located in Russia. "We were able to retrieve 3,460 IP addresses, divided into 2,926 command-and-control servers and 556 servers dedicated to downloading new plugins, and 22 IPs serving both roles," the report notes.
After a successful brute-force attack, this version of TrickBot uses the EternalRomance vulnerability in Microsoft Windows to move across the network through the Server Message Block protocol, according to the report.
Once in the network and moving laterally, this TrickBot version conducts reconnaissance; collects data, including browser information, passwords and usernames and details about different directories; exfiltrates data; steals financial information from banking sites; and conducts other brute-force attacks designed to steal credentials, according to the report.
"While the module seems to be under development, as one attack mode seems broken, newer versions of rdpScanDll will likely fix this and potentially add new ones," the researchers report.
Other TrickBot Variants
The operators behind TrickBot have also created a cybercrime-as-a-service model of the Trojan and rent out its capabilities to other cybercrime gangs and hackers backed by nation-states, the security researchers pointed out.
In December 2019, for example, hackers linked to the North Korean government appear to have rented a botnet created by the TrickBot malware, as well as access to a highly customized malicious framework, to help further their goals - including targeting payment systems, according to SentinelLabs (see: North Korean Hackers Tapping Into TrickBot: Report).