A recent version of the TrickBot banking trojan includes a screenlocker component, suggesting that the malware’s operators may soon start holding victims to ransom when an infected host does not look like an e-banking user.
The good news is that the screenlocker mechanism is not yet fully functional and appears to still be under development.
Nonetheless, security researchers have spotted the new module dropped on victims’ computers, which indicates that development is far enough along to have reached field trials: the operators are at least able to deliver it to infected machines.
Webroot notes that since 2016 TrickBot has been continually updated and changed in an effort to stay ahead of defenders. It first appeared as a banking trojan, but has since evolved into a general-purpose malware downloader.
The new component drops three files, one of which is named “ScreenLocker_x86.dll”. Their roles are as follows:
- Spreader DLL – uses the EternalRomance exploit from the leaked NSA toolkit, together with other SMB exploits addressed by the MS17-010 security update, to attempt propagation to other computers on the same network over the SMB protocol;
- Executor EXE – walks the list of user profiles in the registry and adds a link to the copied binary to each profile’s startup path, establishing persistence on the infected computer;
- ScreenLocker_x86.dll – the screenlocker meant to lock the infected computer; it is not yet functional.
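The two behaviours the list attributes to the module, SMB spreading that depends on MS17-010 and per-profile startup-folder persistence, are both checkable from the host. The script below is an added triage example, not code from Webroot or from the original article. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (for the SmbShare and DISM cmdlets), that the executor uses the standard per-user Startup folder (the article only says "startup path"), and that a shortcut whose target lies outside Program Files or the Windows directory, or that appears in every profile with the same target, is worth a closer look; all three are assumptions.

```powershell
# Added example: host-side checks for the behaviours described above.
# Not the malware's code and not Webroot's tooling. Run elevated.

# 1. Lateral-movement exposure. The spreader needs SMBv1 plus an unpatched
#    MS17-010 host; report the SMBv1 state from both the server config and
#    the optional-feature list (the feature query is absent on older builds).
function Get-Smb1Exposure {
    $cfg = Get-SmbServerConfiguration
    $featureState = $null
    try {
        $featureState = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch { }
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = $featureState
    }
}

# 2. Persistence. The executor enumerates profiles from the registry and adds a
#    link to its binary in each profile's startup path. Walk the same ProfileList
#    key and resolve every .lnk in each profile's Startup folder.
function Get-StartupShortcuts {
    $profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    # Assumption: the standard per-user Startup folder under %APPDATA%.
    $startupRel = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $shell = New-Object -ComObject WScript.Shell
    # Assumption: targets under these roots are treated as expected software.
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

    Get-ChildItem $profileKey | ForEach-Object {
        # Get-ItemProperty expands REG_EXPAND_SZ, so system profiles resolve too.
        $profilePath = (Get-ItemProperty $_.PSPath).ProfileImagePath
        $startup = Join-Path $profilePath $startupRel
        if (-not (Test-Path $startup)) { return }
        Get-ChildItem $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            $trusted = $false
            foreach ($root in $trustedRoots) {
                if ($target -like "$root*") { $trusted = $true; break }
            }
            [pscustomobject]@{
                Profile    = Split-Path $profilePath -Leaf
                Shortcut   = $_.FullName
                Target     = $target
                Created    = $_.CreationTime
                Suspicious = -not $trusted
            }
        }
    }
}

# 3. The executor writes the same link into every profile, so group shortcuts by
#    target and flag any that recur across profiles.
function Get-TargetsSeenInMultipleProfiles {
    Get-StartupShortcuts |
        Group-Object Target |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Target   = $_.Name
                Profiles = ($_.Group.Profile | Sort-Object -Unique) -join ', '
                Count    = $_.Count
            }
        }
}

Get-Smb1Exposure
Get-StartupShortcuts | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-TargetsSeenInMultipleProfiles | Format-Table -AutoSize

# Remediation for the spreader's prerequisite, once nothing on the host needs SMBv1:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

The Startup-folder walk deliberately reads the profile list from the registry rather than from C:\Users, because that is the enumeration the article attributes to the executor, so it also covers profiles that live on non-default paths. Patch status for MS17-010 is not checked here because the relevant update identifiers differ per OS build; confirm that separately against the vendor's bulletin.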
Screenlocker module developed for enterprise networks:
What stands out is that TrickBot has already had an SMB self-spreading worm component since the summer of 2017, dropped as a file named wormDll32.dll.
All three files dropped via this newly discovered module appear to be designed to run in sequence, independently of the original worm component, with the screenlocker triggered only after the malware has spread laterally through a network.
This has led security researchers to believe that this module was developed as a one-click method to monetize infections in corporate networks where users are less likely to use e-banking services, independently from the original SMB worm.
“If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model,” says Jason Davison, Advanced Threat Research Analyst for security firm Webroot.