Skip to main content

INFORMING THE UNINFORMED. Hackers Release a Latest Version Of Malware Targeting Servers Of Banks, Telecoms and Education Sectors.


A new module for TrickBot banking Trojan has recently been discovered in the wild that lets attackers leverage compromised systems to launch brute-force attacks against selected Windows systems running a Remote Desktop Protocol (RDP) connection exposed to the Internet.
The module, dubbed "rdpScanDll," was discovered on January 30 and is said to be still in development, said cybersecurity firm Bitdefender in a report.
According to the researchers, the rdpScanDll brute-forcing module has so far attempted to target 6,013 RDP servers belonging to enterprises in telecom, education, and financial sectors in the U.S. , Asian Countries and in some African Countries.
The malware authors behind TrickBot specialize in releasing new modules and versions of the Trojan in an attempt to expand and refine its capabilities.

"The flexibility allowed by this modular architecture has turned TrickBot into a very complex and sophisticated malware capable of a wide range of malicious activities, as long as there is a plugin for it," the researchers said.
"From add-ons for stealing OpenSSH and OpenVPN sensitive data, to modules that perform SIM-swapping attacks to take control of a user's telephone number, and even disabling Windows built-in security mechanisms before downloading its main modules, TrickBot is a jack-of-all-trades."

How Does TrickBot RDP Brute-Force Module Work?
When TrickBot begins its execution, it creates a folder containing the encrypted malicious payloads and their associated configuration files, which includes a list of command-and-control (C2) servers with whom the plugin needs to communicate to retrieve the commands to be executed.
According to Bitdefender, the rdpScanDll plugin shares its configuration file with another module named "vncDll," while making use of a standard URL format to communicate with the new C2 servers — https://C&C/tag/computerID/controlEndpoint
Here, "C&C" refers to the C2 server, "tag," the group tag used by the TrickBot sample, "computerID," the computer ID used by the malware, and "controlEndpoint," a list of attack modes (check, trybrute and brute) and the list of IP address-port number combinations to be targeted via an RDP brute-force attack.
cyberattack malware
While the "check" mode checks for an RDP connection from the list of targets, the "trybrute" mode attempts a brute force operation on the selected target using a predetermined list of usernames and passwords obtained from endpoints "/rdp/names" and "/rdp/dict" respectively.
The "brute" mode, per the researchers, appears to be still in development. Not only it includes a set of executable functions that aren't invoked, the mode "doesn't fetch the username list, causing the plugin to use null passwords and usernames to authenticate on the targets list."
Once the initial list of targeted IPs gathered via "/rdp/domains" is exhausted, the plugin, then, retrieves another set of fresh IPs using a second "/rdp/over" endpoint.
                
The two lists, each comprising 49 and 5,964 IP addresses, included targets located in the US, China and in some African Countries, spanning telecom, education, financial, and scientific research verticals.
Lateral Movement Plugins on Top
In addition, the Bitdefender report detailed TrickBot's update delivery mechanism, finding that plugins responsible for lateral movement across the network (WormDll, TabDll, ShareDll) received the most updates, followed by modules that helped carry out the 'system and network' reconnaissance (SystemInfo, NetworkDll), and data harvesting (ImportDll, Pwgrab, aDll) over the course of last six months.

"While monitoring the updates of malicious plugins, we observed that the most frequently updated ones were those performing lateral movement: 32.07% of them were wormDll, 31.44% were shareDll, and 16.35% were tabDll," the researchers observed. "The rest of the plugins had fewer than 5% occurrences."
What's more, the researchers were able to identify at least 3,460 IP addresses that acted as C2 servers across the world, including 556 servers that were solely dedicated to downloading new plugins and 22 IPs that served both roles.

Disseminated via email phishing campaigns, TrickBot began its life as a banking Trojan in 2016, facilitating financial theft. But it has since evolved to deliver other kinds of malware, including the notorious Ryuk ransomware, act as an info stealer, loot Bitcoin wallets, and harvest emails and credentials.
The malspam campaigns that deliver TrickBot use third party branding familiar to the recipient, such as invoices from accounting and financial firms.
The emails typically include an attachment, such as a Microsoft Word or Excel document, which, when opened, will prompt the user to enable macros — thereby executing a VBScript to run a PowerShell script to download the malware.
TrickBot is also dropped as a secondary payload by other malware, most notably by the Emotet botnet-driven spam campaign. To gain persistence and evade detection, the malware has been found to create a scheduled task and a service, and even disable and delete Windows Defender antivirus software.
This led Microsoft to roll out a Tamper Protection feature to safeguard against malicious and unauthorized changes to security features last year.
"The new rdpScanDll module may be the latest in a long line of modules that have been used by the TrickBot Trojan, but it's one that stands out because of its use of a highly specific list of IP addresses," the researchers concluded.
"Using an existing infrastructure of TrickBot victims, the new module suggests attackers may also be focusing on verticals other than financial, such as telecommunications services and education & research."

THN
#osutayusuf

Comments

Popular posts from this blog

Escaped Murder Suspect Finally Arrested in Yumbe Regional Referral Hospital, Yumbe District.

Story by Osuta Yusuf. 19-November-2024. 📸: Eyotre Kennedy handcuffed on bed while receiving medication this morning at Yumbe Regional Referral Hospital in Yumbe District. Eyotre Kennedy originating from Etoko village, Nyoroo Parish, Nyadri Sub-county in Maracha District who has for many years been terrorizing residents in his village, has finally been arrested this Monday morning 19-November-2024 while receiving treatment at Yumbe Regional Referral Hospital in Yumbe District following injuries he sustained from Theft mission on Saturday night 16-November-2024 in Owapi village, Azapi parish in Odupi Sub-county, Terego East Constituency in Terego District. Click here on the link  https://informationispowah.blogspot.com/2024/11/fugitive-who-chopped-3-people-killed.html   to read the story on his Theft of Goats in Terego. Upon getting cut on the finger and leg by the Mob as he attempted to fight and overpower owner of the goats he attempted to steal on Saturday night ...

41-Years-Old Man Digs His Own Grave in Maracha District.

Story by Osuta Yusuf.  Maracha District.  📸: The grave been dug by Mr Opiga Michael, a victim of frustration. Photo taken by Osuta Yusuf , on Wednesday 11-September-2024. The residents of Ebapi village, Baria Parish in Nyadri Sub-county, Maracha east constituency, Maracha District are in shock after a 41 year old man started digging his own grave. The man, identified as Mr Opiga Michael, who seems to be frustrated over some challenges in life, started digging his own grave on Tuesday 10-September-2024 until he was stopped by the elders in Nyaria clan. 📸: Opiga Michael, the Victim of Frustration. Photo by Osuta Yusuf , Information is Power. While speaking to our reporter on Wednesday evening 11-September-2024, Mr Opiga Michael, said, his main plan  was to commit suicide after finishing digging the grave for burying himself, explained that, he feels frustrated, abandoned and hated by his own clan people, whom he accused of piling lies against him a...

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nil...