This new Trickbot malware update makes it even harder to detect



Trickbot malware has been updated with a new method of propagation which makes it even harder to detect.


Starting life as a banking trojan, Trickbot first emerged in 2016, but in the years since it has been repeatedly repurposed for other ends, including use as a fully-fledged information stealer and as a backdoor into infected machines, enabling cyber criminal groups to use it as a gateway for delivering other malware onto already compromised networks.


Trickbot can also operate as a botnet to help spread itself to additional victims, commonly using phishing email spam campaigns to distribute malicious attachments which execute it on a Windows machine if opened. Once executed on a machine, Trickbot can also exploit the EternalBlue vulnerability to move laterally around a network.


Now researchers at Palo Alto Networks have detailed the latest update to Trickbot, which has been in operation since April and provides it with a better method of evading detection.


Trickbot is modular, allowing its authors to easily add or remove capabilities, and it is this which has enabled the latest change to be made easily.

A module called Mworm has been responsible for helping to spread Trickbot since September last year, but now it's been replaced with a new module – Nworm. Researchers noticed it when it appeared on an infected Windows 7 client and note that it greatly alters Trickbot's HTTP traffic.

