TrickBot ships a new module, “screenlocker” (Webroot)



The most recent version of the TrickBot banking trojan now includes a screenlocker component, suggesting the malware’s operators might soon start holding victims for ransom if infected targets don’t appear to be e-banking users.

The good news is that the screenlocker mechanism is not fully functional just yet, and appears to still be under development.

Nonetheless, security researchers have spotted the new module dropped on victims’ computers, suggesting development is advanced enough to have reached field trials.




TrickBot Component:

The good news is that TrickBot’s screen-locking function is not yet fully functional and still seems to be in development. However, the new component has been found installed on victims’ computers, indicating that the attackers have at least been able to implant it on infected machines.



Webroot said that since the beginning of 2016, the TrickBot banking trojan has been constantly updated and changed in an effort to stay ahead of defenders. TrickBot initially became known to the public as a banking trojan, but in recent years it has evolved into a malware downloader.




The component includes the file “ScreenLocker_x86.dll”. The details are as follows:

  • dll – Uses the “EternalRomance” exploit from the NSA hacking arsenal, possibly together with other exploits addressed by the MS17-010 security patch, to attempt to propagate over the SMB protocol to other computers on the same network;
  • exe – Traverses the configuration files in the registry and, for each one, adds a link to the copied binary to the boot path, establishing a persistence mechanism on the infected computer;
  • dll – Used to lock the screen of the infected computer; this functionality is not currently available.



Screenlocker module developed for enterprise networks:

What stands out is that TrickBot has already had an SMB self-spreading worm component since the summer of 2017, dropped as a file named wormDll32.dll.

All three files dropped via this newly discovered module appear to be designed to work together, one after the other, ignoring the original worm component, with the screenlocker triggered after spreading laterally through a network.

This has led security researchers to believe that this module was developed as a one-click method to monetize infections in corporate networks where users are less likely to use e-banking services, independently from the original SMB worm.

“If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model,” says Jason Davison, Advanced Threat Research Analyst for security firm Webroot.

