Trickbot banking malware has new trick

Share this…

As per discovery of security researchers, the Trickbot malware has been updated with you capabilities to evade detection and lock victim’s computers.

The malware targets customers of major banks. According to a blog post by researchers at Webroot, the updated Trickbot has “continually undergone updates and changes in attempts to stay one step ahead of defenders”.


Information security training researchers said that they observed a module (tabDll32 / tabDll64) being downloaded by TrickBot that has not been seen in the wild before this time. The malware is still, however, uses the MS17-010 Eternalblue vulnerability.

The new module named spreader_x86.dll, exports four functions like the other TrickBot modules.  “The file has an abnormally large rdata section which proves to be quite interesting because it contains two additional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable SsExecutor_x86.exe and an additional module screenLocker_x86.dll,” information security training researchers told.

According to Jason Davison, advanced threat research analyst, the module screenLocker_x86.dll attempts to lock a user’s machine. “Similarly, to the other TrickBot modules, this module was written in Delphi. This is the first time TrickBot has shown any attempt at “locking” the victim’s machine,” he said.

If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model.  “Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetization scheme,” he said.

It was notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks.

“In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, ex filtrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines,” the information security training analyst said.

The TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim’s network. “This is being coupled with an unfinished “screenLocker” module in a new possible attempt to extort money from victims.”

Davison warned that the TrickBot banking Trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead.

Andy Norton, director of threat intelligence at Lastline, told that it’s not just financial institutions that are targeted, it is the customers of financial institutions and the finance function that are always targeted. “The reason is again, that the bad guys are closer to the money. The side effect of having multiple payloads in order to maximize the chance of making money is that, from a behavioral analysis alerting perspective these threats light up like a Christmas tree. Adding Dynamic or behavioral analysis to an organizations defense in depth strategy, will protect organizations from this type of threat,” the information security training researcher said.

Matt Walmsley, EMEA director at Vectra told that Trickbot’s use of a network worm means it is spreading like wildfire across vulnerable systems.

“Whilst there are technical workarounds one can take around the configuration of SMB v1 to try and mitigate against Trickbot, most enterprises remain blind in terms of spotting active attacks inside their network as they move laterally. And of course, the time old adage of patch, patch, and patch still rings true. Even in financial services that typically have a high level of security maturity, detection and isolation is key, but to do so in a time-critical manner is beyond the ability of manual threat hunting. If you want to get ahead of the attack it is imperative to spot the early indicators, and that’s a job best done using automated threat hunting techniques powered by AI,” he said.