Recently, TrickBot released its 100th version with new features. Now, evidence suggests that TrickBot has nursed itself to its full potential and is evolving.
Although Microsoft attempted to take down TrickBot, the former was only partially successful. Now, with the latest version, the botnet is capable of evading detection, along with other functionalities. This exhibits that it is pretty arduous to take down a botnet entirely.
It is abusing the Microsoft Word command prompt and a scripting language to avoid using any external compiler.
Using cmd.exe, the malware operators can start programs, run commands, delete or move files in the systems, and just about everything else on a system.
TrickBot now injects its DLL into the legitimate Windows Problem Reporting executable directly from memory using code from the 'MemoryModule' project.
It does this while using Doppel Hollowing, or process doppelganging, to evade detection by security software.
The obfuscation and evasion techniques employed by the TrickBot gang are clever tricks to stay hidden and cover up the code and inflict maximum damage.
What others say
ESET was a participant in Microsoft’s TrickBot takedown attempt and has stated that the bot stayed weakened since then.
However, Any.run has stated that TrickBot is coming back on track despite every effort to kill it.
The bottom line
The notorious trojan malware is alive and kicking despite all countermeasures and takedown efforts. Regarding the measures taken against the bot, Bitdefender has aptly asserted, “the endeavor proved to be more like a ‘kneecapping’ operation rather than cutting the hydra’s heads.”