New Trickbot Malware Component Performs Local Network Reconnaissance

Trickbot malware was one of the most prolific malware in 2020, gaining popularity for several malicious operations related to COVID-19 lures. After several ups and downs during a takedown effort in October 2020, Trickbot recently introduced a new module to scan local network systems with open ports for quick lateral movement.

Diving into details

The latest component named masrv was first compiled on December 4, 2020, and it is still under testing. So far researchers have been only able to encounter one variant of this module.
  • According to Kryptos Logic research, Trickbot has been using the masrv component, which likely incorporates a copy of the Masscan open-source utility for local network reconnaissance.
  • The component is being dropped on newly infected devices to find systems with sensitive or management ports left open inside an internal network.
  • The Trickbot operators can use these open ports to deploy other modules and move laterally to infect new systems.

The invincible Trickbot

Trickbot has become the primary de-facto threat to corporate environments after surviving the takedown attempt.
  • In a recent malicious spam campaign, the prolific Trickbot malware was actively targeting legal and insurance verticals in North America by using the lure of a traffic infringement.
  • In January-end, a more persistent version of the Trickbot malware was observed with several enhancements.

Conclusion

The additional module for the local network reconnaissance demonstrates the forthcoming plans of the Trickbot malware operators. The threat actors are eager to infect more systems with sophisticated tricks for future attacks.

Cyware Publisher

Publisher

Cyware