Trickbot Thrives Again with Virtual Network Computing Module

Trickbot's recent update

• Bitdefender researchers stated that this new version of Trickbot, called tvncDll, was used to compromise high-profile targets.
• The tvncDll module, which is reportedly still under development, allows actors to scan victims’ systems and steal sensitive data.
• The attackers have used a software application called VNCView to connect to victims’ computers.
• It uses a custom communication protocol and reaches the C2 server through one of nine proxy IP addresses to target the victims behind firewalls.

Work in progress

• The group behind tvncDll has set a frequent update schedule, with the regular addition of new functionalities and bug fixes.
• In addition, the VNC component has an under-development function called native- browser, which aims to steal passwords from Google Chrome, Internet Explorer, Mozilla Firefox, and Opera. Currently, it is active only for Internet Explorer.

Trickbot's uprising

• According to Bitdefender, the number of C2 servers has jumped from around 40 in January to more than 140 in June. The majority of the C2 servers are located in North America (54).
• According to Check Point, Trickbot has impacted 7% of organizations across the world, followed by the XMRig cryptocurrency miner and the Formbook info stealer, which affected 3% of organizations.

Summing up