The ongoing revival of the TrickBot malware, revealed by cybersecurity researchers, shows that the Russia-based transnational cybercriminal group is now working behind the scenes to upgrade its attack infrastructure in reaction to recent countermeasures by law enforcement.
The newly uncovered capabilities are used to monitor and collect intelligence on victims through a custom communication protocol that hides the data exchanged between the command-and-control (C2) servers and the victims, making the attacks hard to identify. TrickBot also shows no sign of slowing down.
Botnets are created by placing hundreds or thousands of hijacked devices on a network managed by criminal operators; they are usually used to perform denial-of-service attacks against illicit trafficking companies and key infrastructure. However, malicious actors controlling these devices may also use botnets to disseminate malware and spam, or to deploy ransomware file encryption on compromised computers.
TrickBot is no different. The well-known cybercrime gang behind it, known as Wizard Spider, uses infected machines to steal confidential information, pivot across a network, and even load other malware such as ransomware, and it constantly improves its infection chains by adding modules that offer new functionality.
"TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware," Lumen's Black Lotus Labs disclosed last October. "It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible."
According to Bitdefender, the threat actor has now been identified actively building an updated version of the "vncDll" module, which is used against selected targets for surveillance and intelligence gathering. The new version is named "tvncDll".
The botnet has survived two takedown efforts by Microsoft and the United States Cyber Command, and its operators have been developing firmware intrusion components that let them plant backdoors in the Unified Extensible Firmware Interface (UEFI), so as to avoid anti-virus detection, software updates, or even a complete wipe and reinstallation of the computer's operating system.
The new module is designed to interact with a server listed in its configuration file as one of nine command-and-control (C2) servers, using that server to receive commands, download further malware payloads, and exfiltrate information from the infected machine.
The researchers also indicate that they have uncovered a "viewer tool" that the attackers use to connect to victims through the C2 servers.