TrickBot Runs Around with a Head Full of Steam

Recently, TrickBot released its 100th version with new features. Now, evidence suggests that TrickBot has nursed itself to its full potential and is evolving.

The scoop

Although Microsoft attempted to take down TrickBot, the former was only partially successful. Now, with the latest version, the botnet is capable of evading detection, along with other functionalities. This exhibits that it is pretty arduous to take down a botnet entirely. 

TrickBot tricks

  • It is abusing the Microsoft Word command prompt and a scripting language to avoid using any external compiler. 
  • Using cmd.exe, the malware operators can start programs, run commands, delete or move files in the systems, and just about everything else on a system.
  • TrickBot now injects its DLL into the legitimate Windows Problem Reporting executable directly from memory using code from the 'MemoryModule' project.
  • It does this while using Doppel Hollowing, or process doppelganging, to evade detection by security software.
  • The obfuscation and evasion techniques employed by the TrickBot gang are clever tricks to stay hidden and cover up the code and inflict maximum damage.

What others say

  • ESET was a participant in Microsoft’s TrickBot takedown attempt and has stated that the bot stayed weakened since then. 
  • However, Any.run has stated that TrickBot is coming back on track despite every effort to kill it. 

The bottom line

The notorious trojan malware is alive and kicking despite all countermeasures and takedown efforts. Regarding the measures taken against the bot, Bitdefender has aptly asserted, “the endeavor proved to be more like a ‘kneecapping’ operation rather than cutting the hydra’s heads.”