Wednesday, October 28, 00:40

TrickBot: Exploits infected PCs to launch RDP brute-force attacks

A newly discovered module for the TrickBot banking Trojan lets attackers use compromised systems to launch brute-force attacks against selected Windows systems that expose Remote Desktop Protocol (RDP) to the Internet.

The module, named "rdpScanDll", was discovered on January 30 and is said to be still under development, Bitdefender said in a report shared with The Hacker News.

According to the researchers, the rdpScanDll brute-forcing module has so far attempted to target 6,013 RDP servers belonging to businesses in the telecommunications, education and finance sectors in the US and Hong Kong.

The creators of TrickBot specialize in releasing new modules and versions of the Trojan in an effort to expand and improve its capabilities.

"The flexibility of the modular design has made TrickBot a very sophisticated malware capable of a wide range of malicious activities," the researchers said.

"From add-ons that steal sensitive OpenSSH and OpenVPN data, to modules that perform SIM-swapping attacks to take control of a victim's phone number, and even disabling Windows' built-in security mechanisms before the main modules are downloaded, TrickBot has it all."


How does the TrickBot RDP Brute-Force Module work?

When TrickBot starts executing, it creates a folder containing the encrypted payloads and their associated configuration files, which include a list of command-and-control (C2) servers that the plugin contacts to retrieve the commands to be executed.

According to Bitdefender, the rdpScanDll plugin shares its configuration file with another module called "vncDll", and uses a standard URL format to communicate with new C2 servers.

While the "check" function tests for an RDP connection to each host in the target list, the "trybrute" function attempts a brute-force operation against the selected target using a predefined list of usernames and passwords obtained from the endpoints "/rdp/names" and "/rdp/dict" respectively.

The "brute mode", according to the researchers, appears to be still in development. Not only does it contain a set of executable functions that are never called, but the mode "does not retrieve the user list, causing the plugin to use null usernames and passwords to authenticate against the target list".

Once the initial list of targeted IPs collected through "/rdp/domains" is exhausted, the plugin retrieves a further set of new IPs via a second endpoint, "/rdp/over".

The two lists, which contain 49 and 5,964 IP addresses respectively, include targets located in the US and Hong Kong and span the telecommunications, education, finance and scientific research sectors.
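On the defender's side, the behaviour described above leaves a recognisable trace in the Windows Security log: a burst of failed logons (Event ID 4625) from one source as the trybrute loop works through its wordlists, and attempts with an empty username where the unfinished brute mode authenticates with null credentials. The following Python detector is an added example, not code from Bitdefender's report or from this article; it runs over constructed 4625 records (not real telemetry) and the field layout, IP addresses and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4625 (failed logon) records, not
# real telemetry, flattened to "timestamp|source_ip|target_user|logon_type".
# Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which is how RDP
# attempts rejected at the NLA stage are logged. An empty user field stands for
# the null-username attempts the report describes for the unfinished brute mode.
SAMPLE_4625 = [
    "2020-10-28T00:40:00|203.0.113.7|administrator|10",
    "2020-10-28T00:40:02|203.0.113.7|admin|10",
    "2020-10-28T00:40:04|203.0.113.7||10",
    "2020-10-28T00:40:06|203.0.113.7|guest|3",
    "2020-10-28T00:40:08|203.0.113.7||3",
    "2020-10-28T00:40:10|203.0.113.7|user|10",
    "2020-10-28T00:41:00|192.0.2.10|alice|10",  # a single typo by a real user
    "2020-10-28T00:41:30|203.0.113.9|bob|2",  # console logon, not RDP
]
RDP_LOGON_TYPES = {3, 10}

def parse_event(line):
    """Split one flattened 4625 record into (timestamp, source_ip, user, logon_type)."""
    ts, src, user, ltype = line.split("|")
    return datetime.fromisoformat(ts), src, user, int(ltype)

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Report a source IP when it produces `threshold` or more RDP logon failures
    inside a sliding `window` (the trybrute loop) or when any attempt carries an
    empty username (null-credential authentication); other sources are dropped."""
    recent = defaultdict(deque)  # source_ip -> failure timestamps still in window
    findings = {}
    for line in sorted(lines):  # ISO timestamps sort chronologically as strings
        ts, src, user, ltype = parse_event(line)
        if ltype not in RDP_LOGON_TYPES:
            continue
        f = findings.setdefault(src, {"failures": 0, "null_user": 0, "burst": False})
        f["failures"] += 1
        if user == "":
            f["null_user"] += 1
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            f["burst"] = True
    return {src: f for src, f in findings.items() if f["burst"] or f["null_user"]}

if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(SAMPLE_4625).items():
        print(f"{src}: {f['failures']} failures, {f['null_user']} empty-user, burst={f['burst']}")
```

In production the same logic would consume 4625 events exported from the Security log (for example via Get-WinEvent) rather than the constructed list, and the threshold and window should be tuned to the environment's normal failure rate.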

A history of evolving capabilities

Spread through email phishing campaigns, TrickBot began life as a banking Trojan in 2016, facilitating financial theft. It has since evolved to deliver other kinds of malware, including the infamous Ryuk ransomware, to act as an information stealer, to loot Bitcoin wallets, and to harvest emails and credentials.

The malspam campaigns that deliver TrickBot use lures the recipient is likely to recognise, such as invoices from accounting and finance firms.

The emails usually carry an attachment, such as a Microsoft Word or Excel document, which when opened prompts the user to enable macros; the macros then run a VBScript that launches a PowerShell script to download the malware.

TrickBot is also dropped as a secondary payload by other malware, most notably through the Emotet botnet's spam campaigns. To persist and evade detection, the malware has been found to create a scheduled task and a service, and even to disable and delete Windows Defender antivirus.

This led Microsoft to introduce a Tamper Protection feature last year to guard against malicious and unauthorized changes to security features.
