Despite the recent coordinated takedown attempt by Microsoft and other groups against the notorious malware TrickBot, the malware operators have released the hundredth build as TrickBot v100 with new detection evading features.
More about the new variant
According to Bleeping Computer, Advanced Intel's Vitali Kremez first spotted the new version of TrickBot.
- The latest variant of TrickBot uses the MemoryModule library to map its core DLL directly from memory, a fileless technique that avoids loading the DLL from the filesystem.
- Although it adds several features, such as the ability to steal OpenSSH keys, this variant focuses mainly on tricks for bypassing security software.
- It injects its DLL into the legitimate Windows wermgr.exe (Windows Problem Reporting) executable and relies on the Doppel Hollowing, or Process Doppelganging, method to evade detection by security software.
Recent TrickBot tricks
The mid-October takedown by Microsoft and its partners had only a limited effect: TrickBot was found active in the wild again within the same month, with no visible recovery period.
- Recently, TrickBot operators have released a new reconnaissance tool dubbed LightBot to scope out an infected victim's network for high-value targets.
- Right after the takedown, the operators started using Linux variants in an attempt to widen the scope of victims that could be targeted.
- Emotet malware was seen distributing TrickBot as a secondary payload to steal stored passwords, bank information, and other assorted data.
The bottom line
The hundredth version of TrickBot and the use of a reconnaissance tool demonstrate the adaptability and resiliency of the malware operators. For the foreseeable future, the TrickBot gang is not going to hold back. Therefore, organizations should review or establish patching plans, user agreements, and security policies to prevent current cybersecurity threats and make a plan for remediation.