Another Sophisticated Addition by TrickBot

Recently, TrickBot banking trojan has been grabbing the news headlines due to its attacks against businesses. In April this year, the trojan operators updated one of its propagation modules.

What is happening

One of TrickBot’s functions is traveling from an infected Windows client to a vulnerable DC (domain controller). The propagation is done via three modules. Last month, the trojan was found to shift from the “mworm” module to the “nworm” module.

What are the modules

TrickBot is a modular trojan, which signifies that it utilizes several binaries to conduct various functions during an infection. Since September 2019, the modules have been:
  • Mworm
  • Mshare
  • Tab

However, in April 2020, TrickBot made a sudden change to move a new artifact termed nworm from the usually used mworm, which appeared on an infected Windows 7 client.

Differences between nworm and mworm

  • The HTTP traffic caused by nworm for follow-up TrickBot EXEs is different than the one caused by mworm.
  • The TrickBot caused by nworm is non-persistent as compared to mworm. No artifacts are found on the infected DC and the TrickBot does not survive a reboot.
  • The nworm module assists the trojan to evade detection in an infected DC.

To conclude

An infection propagated via nworm is run from system memory and is encrypted. This allows the attackers to go undetected. This is the latest change brought on my TrickBot as threat actors are getting sophisticated with the evolving global cyber landscape.