Saturday, May 18, 2024

Trickbot Malware Re-emerging via MS Word Documents with Powerful Code-Injection Technique

Trickbot malware is one of the widely known Banking Trojan emerging again with sophisticated techniques to at target the various financial institutions and large bank to steal the banking credentials.

The current version of Trickbot malware is spreading with a powerful code injection technique to evade the detection, anti-analysis technique and disable the security tools that run in the target victims computer.

Trickbot which is capable of launching MitB attacks originated in the middle of 2016 and it targets financial institutions.

Trickbot have an ability to stealing the data from Microsoft Outlook, locking the victim’s computer, information gathering, network information gathering and domain credentials stealing.

It Also distributed with the technique such as sleep for long and short time to avoid detection for the most of the security software.

How does Trickbot Malware Works 

An initial distribution of Trickbot malware launching via Microsoft word document which contains embedded Macro code.

Word document macro will not be executed directly instead, the user needs to execute enable content and zoomed in/out of the document to complete the execution process which is one of the new technique to evade the sandbox analysis.

Same as a variety of malicious document execute the PowerShell script and download the Trickbot malware and executed it into the victim’s machine.

Once it dropped the payload from it command & control server then the malware sleeps for 30 seconds to evade sandboxes by calling Sleep(30000) and then decrypts its resource using the RSA algorithm.once the sleep time is completed.

Apart from this TrickBot performing hollow process injection using direct system calls and researchers believe that this malware sharing the code with Flokibot malware.

According to cyberbit, It using CreateProcessW to create a suspended process and the malware uses CreateFileW to obtain a handle to ntdll.dll it copies it a buffer allocated by VirtualAlloc using ReadFile, and then allocates another buffer for mapping it to the memory from its raw Copy.

Reading ntdll.dll from the disk

Trickbot using some function(red) for hollowing from direct system calls and some functions(Blue) hollowing from the addresses saved on the stack earlier.

After running the malware, we can see, as in previous variants, it copied itself and its encrypted modules to C:\Users\%USERNAME%\AppData\Roaming\msnet

Organizations should be aware of this new trend to directly call functions via system calls. This technique bypasses security tool hooks and therefore most security products will not detect this threat, Researchers said.

Also Read:

New Version of Trickbot Trojan Spread via Local SMB to Perform NetServer and LDAP Enumeration

Banking Trojan “Trickbot” Powered by Necurs Targeting Financial Institutions


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles