
New TrickBot Component Conducts Local Network Intelligence

Researchers from Kryptos Logic have discovered a new component of the TrickBot botnet that performs reconnaissance on the victim's local network.

In the fall of 2020, a large-scale operation was carried out to take down one of the largest botnets of our day, TrickBot. Law enforcement agencies, specialists from the Microsoft Defender team, the non-profit organization FS-ISAC, as well as ESET, Lumen, NTT and Symantec took part in it.

However, even then, many experts wrote that although Microsoft had managed to disable the TrickBot infrastructure, the botnet would most likely "survive" in the end, and that its operators would eventually bring new control servers online and continue their activity.

“TrickBot cycles through the entire server list until it finds a working server. As long as even 1 server on the list is online they can just push out a new config with more servers. Also I just looked and they pushed a new server list with 100% working servers”, wrote MalwareTech on Twitter.

Unfortunately, this is exactly what happened. At the end of last year, TrickBot returned to service and received many updates: new obfuscation methods and a new management infrastructure, and soon analysts noticed new spam campaigns.

And now, researchers from Kryptos Logic report that they have discovered a new TrickBot component.

The component is named masrv and includes a copy of Masscan, an open-source port scanner that finds systems with open ports. The way masrv works is simple: it is downloaded to newly infected devices, runs a series of Masscan commands to scan the local network, and then transmits the scan results to the command-and-control server.

“We believe this module is used as one of Trickbot’s network reconnaissance tools to gather more information about the victim’s network”, — report Kryptos Logic researchers.

If masrv finds systems with open ports on the local network, the TrickBot operators use them to move laterally across the victim’s network: they deploy other modules that specialize in attacking the exposed services and infect new hosts.
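Because masrv hands Masscan's output back to the C2 before lateral movement starts, the scan itself is the earliest observable. The script below is an added example, not code from Kryptos Logic or from the TrickBot module, showing how a defender can spot a Masscan-style sweep in Zeek-style connection records: a single internal source touching many distinct host:port targets within a short window, most of them half-open (Zeek conn_state S0, a SYN that never completed a handshake), which is the footprint any SYN scanner leaves. The thresholds, the log layout and the sample traffic are all constructed for the example; tune the thresholds to your own network's baseline.

```python
#!/usr/bin/env python3
"""Flag internal hosts whose connection pattern looks like a Masscan-style sweep.

Added example, not code from Kryptos Logic or the TrickBot authors. Input is a
tab-separated subset of Zeek conn.log fields: ts, id.orig_h, id.resp_h,
id.resp_p, conn_state. Thresholds and sample data are assumptions for the demo.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    state: str  # Zeek conn_state: "S0" = SYN seen, no reply; "SF" = handshake completed and closed


def parse_conn_log(text: str) -> list[Conn]:
    """Parse tab-separated records; Zeek-style '#' header/comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, state = line.split("\t")
        records.append(Conn(float(ts), src, dst, int(dport), state))
    return records


def detect_scanners(conns: list[Conn], window: float = 60.0, min_targets: int = 40,
                    min_hosts: int = 8, min_s0_ratio: float = 0.8) -> dict[str, tuple[int, int, float]]:
    """Return {source: (distinct_targets, distinct_hosts, s0_ratio)} for every source that,
    within some sliding window of `window` seconds, reaches at least `min_targets` distinct
    (host, port) pairs across at least `min_hosts` hosts with mostly half-open connections."""
    by_src: dict[str, list[Conn]] = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)

    hits: dict[str, tuple[int, int, float]] = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda c: c.ts)
        lo = 0
        for hi in range(len(recs)):
            # advance the window start until the window fits
            while recs[hi].ts - recs[lo].ts > window:
                lo += 1
            win = recs[lo:hi + 1]
            targets = {(c.dst, c.dport) for c in win}
            hosts = {c.dst for c in win}
            s0_ratio = sum(1 for c in win if c.state == "S0") / len(win)
            if len(targets) >= min_targets and len(hosts) >= min_hosts and s0_ratio >= min_s0_ratio:
                hits[src] = (len(targets), len(hosts), round(s0_ratio, 2))
                break  # one alert per source is enough
    return hits


def build_sample_log() -> str:
    """Constructed sample data (not real telemetry): one workstation with normal traffic and
    one infected host probing five ports on thirty /24 neighbours at ~10 probes per second."""
    lines = ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tconn_state"]
    # benign: a handful of completed connections to a file server and a web proxy
    for i in range(10):
        dst, port = ("10.0.0.10", 445) if i % 2 else ("10.0.0.11", 8080)
        lines.append(f"{1000.0 + i * 3:.1f}\t10.0.0.5\t{dst}\t{port}\tSF")
    # scanner: 30 hosts x 5 ports; the two services that really exist answer (SF), the rest stay S0
    open_services = {("10.0.0.10", 445), ("10.0.0.11", 8080)}
    t = 1000.0
    for host in range(1, 31):
        dst = f"10.0.0.{host}"
        for port in (22, 80, 445, 3389, 8080):
            state = "SF" if (dst, port) in open_services else "S0"
            lines.append(f"{t:.1f}\t10.0.0.23\t{dst}\t{port}\t{state}")
            t += 0.1
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for src, (targets, hosts, ratio) in detect_scanners(parse_conn_log(build_sample_log())).items():
        print(f"possible sweep from {src}: {targets} targets on {hosts} hosts, {ratio:.0%} half-open")
```

The S0 ratio is what separates a scanner from a busy but legitimate host such as a monitoring server, which completes its handshakes; a host whose probes are answered everywhere would need the target-count thresholds alone to catch it, so keep those conservative rather than dropping them.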

Experts at Kryptos Logic note that the new module is still at the testing stage, and so far they have managed to find only one version of it.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
