
Hackers Update Notorious TrickBot Malware to Evade Detection

The TrickBot malware variant, commonly used before ransomware deployments and designed to steal information, has been updated to evade detection, according to Palo Alto Networks.

The notorious TrickBot malware variant, frequently used prior to the deployment of ransomware and other malware, has been updated to evade detection, according to new research from Palo Alto Networks Unit 42. Its propagation module, previously known as “mworm,” has been replaced by “nworm,” which leaves no traces on a victim’s computer and disappears after a reboot or shutdown.

Since April 2020, the hackers have ceased using the mworm module altogether and are now primarily leveraging nworm. Researchers also noted that the resulting TrickBot infections on the domain controller (DC) do not survive a system reboot.

“A TrickBot infection caused by the new mworm module is run from system RAM and does not appear to remain persistent on an infected host. This is a much better method of evading detection on an infected DC,” researchers explained. “One key function is propagating from an infected Windows client to a vulnerable Domain Controller (DC).”

“In cases where mshare and tab infect a vulnerable DC with TrickBot, these infections remain persistent on the DC, but TrickBot caused by nworm is not persistent. This shouldn’t be an issue for the malware because the DC is a server and servers rarely shut down or reboot like a Windows client,” they added.

TrickBot is a hacking trojan designed to steal information, while providing backdoor access used by hackers to distribute other malware. Recently, researchers have tied its use to attacks launched prior to ransomware deployments, while Microsoft found TrickBot hackers are the most prolific malware operation leveraging COVID-19 lures.

Its plugins automatically assess the system on which it has landed to determine whether it has reached a valuable target. According to Palo Alto, TrickBot uses modules to perform various tasks. In the majority of TrickBot infections, the basis is a malicious Windows executable file saved to disk.

This EXE is commonly called a TrickBot loader, as it loads the variant’s modules, which are “dynamic link libraries (DLLs) or EXEs run from system memory.” Researchers explained that while previous TrickBot infections on Windows 10 can only be seen in artifacts found in system memory, Windows 7 infections also leave artifacts related to modules stored on disk as encrypted binaries.

With the update to nworm, the malware instead retrieves an encrypted or otherwise encoded binary representing a TrickBot executable over network traffic, whereas the older mworm module sent the executable file without encryption.

Overall, researchers stressed that the update indicates TrickBot’s operators are likely working to keep pace with the current threat landscape, and that the changes were made to help the threat actors evade detection.

To mitigate the risk posed by the malware, organizations must ensure they’ve employed best-practice security policies, including routine patch management processes that keep systems on the most up-to-date versions, to “hinder or prevent TrickBot infections.”

“TrickBot is a significant threat that has received high-profile coverage in recent years, and this is a notable evolution,” researchers concluded.

“The fact that the malware explicitly targets domain controllers underscores how critical it is to properly configure, monitor, and be in a position to recover your core identity platform, Active Directory,” Gil Kirkpatrick, Chief Architect of Semperis, told HealthITSecurity.com in an emailed statement.

The healthcare sector has a massive endpoint problem, given the troves of IoT medical devices, legacy systems, and other endpoints. Many entities may even be unaware of how many devices are operating within their networks at a given time. Further, Malwarebytes found that overall detections of targeted endpoint attacks on the sector doubled in 2019.

Researchers have stressed that healthcare organizations must employ key security tools to shore up defenses against endpoint threats like TrickBot. These can include a tool that blocks attacks and seeks out suspicious behavior, and one able to identify threats based on behavior. Further, employee security training can help the workforce better detect suspicious behavior and understand the importance of reporting it.

Entities can also review recent National Security Agency guidance on mitigating webshell and malware vulnerabilities.
