Since the past takedown attempt in November 2020, TrickBot malware has not only re-emerged, its operators have been launching newer versions from time to time. They have recently released a more persistent version of the malware.
New vs old
The last takedown attempt by security vendors and law enforcement gave a short-term relief to the cyber world. However, it appears that the break has actually provided a head start to TrickBot’s operators for enhancing this malware further.
- IBM Trusteer researchers have examined the new TrickBot version components and released a report with insight comparison details.
- The newest version, numbered 100003 by its developers, has been numbered backward in comparison with the previous versions 1000512 and 1000513.
- This version contains several enhancements, including a modified persistence mechanism and a creative mutex naming algorithm.
- However, it has the same process hollowing code injection tactic, bot configuration scheme with task name modification with a random twist, and the same compromise checks.
TrickBot lives on
TrickBot has nursed itself to its full potential and is evolving continuously.
- In December, Subway UK’s marketing system was hacked to distribute TrickBot-laden (TrickBot v100) phishing emails.
- In the same month, the TrickBot malware was observed with a functionality, designed to inspect the UEFI/BIOS firmware of targeted devices.
A reminder to stay vigilant
The Trickbot malware has been successfully capturing the limelight since its revival. It seems the operators are in full swing, thus, the malware can either become the foot in the door for a number of new targeted attacks or worse. Individuals and organizations must be watchful on high priority to avoid Trickbot imposed dangers.