Tuesday, January 14, 2025
HomeComputer SecurityTrickbot Malware Re-emerging via MS Word Documents with Powerful Code-Injection Technique

Trickbot Malware Re-emerging via MS Word Documents with Powerful Code-Injection Technique

Published on

Trickbot malware is one of the widely known Banking Trojan emerging again with sophisticated techniques to at target the various financial institutions and large bank to steal the banking credentials.

The current version of Trickbot malware is spreading with a powerful code injection technique to evade the detection, anti-analysis technique and disable the security tools that run in the target victims computer.

Trickbot which is capable of launching MitB attacks originated in the middle of 2016 and it targets financial institutions.

Trickbot have an ability to stealing the data from Microsoft Outlook, locking the victim’s computer, information gathering, network information gathering and domain credentials stealing.

It Also distributed with the technique such as sleep for long and short time to avoid detection for the most of the security software.

How does Trickbot Malware Works 

An initial distribution of Trickbot malware launching via Microsoft word document which contains embedded Macro code.

Word document macro will not be executed directly instead, the user needs to execute enable content and zoomed in/out of the document to complete the execution process which is one of the new technique to evade the sandbox analysis.

Same as a variety of malicious document execute the PowerShell script and download the Trickbot malware and executed it into the victim’s machine.

Once it dropped the payload from it command & control server then the malware sleeps for 30 seconds to evade sandboxes by calling Sleep(30000) and then decrypts its resource using the RSA algorithm.once the sleep time is completed.

Apart from this TrickBot performing hollow process injection using direct system calls and researchers believe that this malware sharing the code with Flokibot malware.

According to cyberbit, It using CreateProcessW to create a suspended process and the malware uses CreateFileW to obtain a handle to ntdll.dll it copies it a buffer allocated by VirtualAlloc using ReadFile, and then allocates another buffer for mapping it to the memory from its raw Copy.

Reading ntdll.dll from the disk

Trickbot using some function(red) for hollowing from direct system calls and some functions(Blue) hollowing from the addresses saved on the stack earlier.

After running the malware, we can see, as in previous variants, it copied itself and its encrypted modules to C:\Users\%USERNAME%\AppData\Roaming\msnet

Organizations should be aware of this new trend to directly call functions via system calls. This technique bypasses security tool hooks and therefore most security products will not detect this threat, Researchers said.

Also Read:

New Version of Trickbot Trojan Spread via Local SMB to Perform NetServer and LDAP Enumeration

Banking Trojan “Trickbot” Powered by Necurs Targeting Financial Institutions

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data

Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by...

Hackers Exploiting YouTube to Spread Malware That Steals Browser Data

Malware actors leverage popular platforms like YouTube and social media to distribute fake installers....