A new module for the TrickBot banking Trojan was recently discovered that lets attackers use compromised systems to launch brute-force attacks against selected Windows systems that expose RDP (Remote Desktop Protocol) to the Internet.
The module, named "rdpScanDll", was discovered on January 30 and is said to still be in the wild, Bitdefender said in a report covered by The Hacker News.
According to the researchers, the rdpScanDll brute-forcing module has so far attempted to target 6,013 RDP servers belonging to businesses in the telecommunications, education, and finance sectors in the US and Hong Kong.
The creators of the TrickBot malware specialize in releasing new modules and versions of the Trojan in an effort to expand and improve its capabilities.
“The flexibility of the module design has made TrickBot a very sophisticated malware capable of a wide range of malicious activities,” the researchers said.
“From add-ons for hiding sensitive OpenSSH and OpenVPN data, to modules that perform SIM-swapping attacks to take control of a phone number, to even disabling Windows' built-in security mechanisms before the main modules are downloaded, TrickBot is fully integrated.”
How does the TrickBot RDP brute-force module work?
When TrickBot starts executing, it creates a folder containing the encrypted payloads and their associated configuration files, which include a list of command-and-control (C2) servers that the plugin contacts to retrieve the commands to be executed.
According to Bitdefender, the rdpScanDll plugin shares its configuration file with another module called "vncDll", and uses a standard URL format to communicate with new C2 servers.
The "check" function tests whether the targets in the list accept an RDP connection, while the "trybrute" function attempts a brute-force operation against the selected target using predefined lists of usernames and passwords obtained from the "/rdp/names" and "/rdp/dict" endpoints respectively.
The "brute mode", according to the researchers, appears to still be in development. Not only does it include a set of executable functions that are never called, but the mode "does not retrieve the user list, causing the plugin to use null passwords and usernames for authentication in the target list".
Once the initial list of targeted IPs, collected through the "/rdp/domains" endpoint, is exhausted, the plugin retrieves another set of new IPs through a second endpoint, "/rdp/over".
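The behaviour described above, many authentication attempts per target from a single source, some of them with a null username, is visible on the receiving Windows host as a burst of failed-logon events. The following detection script is an added example written for this article; it is not Bitdefender's code and not part of the module. It runs over a constructed, simplified export of Windows Security events (the field names and sample IP addresses are assumptions for the example), flags any source that exceeds a threshold of failed RDP logons inside a sliding window, and separately counts the null-account-name attempts the unfinished "brute mode" would produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events (not real log data).
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# A TargetUserName of "-" is how Windows renders an empty (null) account name.
SAMPLE_LOG = """\
2020-03-17T10:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
2020-03-17T10:00:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2020-03-17T10:00:04 EventID=4625 LogonType=10 TargetUserName=- IpAddress=203.0.113.5
2020-03-17T10:00:05 EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.5
2020-03-17T10:00:07 EventID=4625 LogonType=10 TargetUserName=- IpAddress=203.0.113.5
2020-03-17T10:00:09 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.5
2020-03-17T10:03:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-03-17T10:03:20 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-03-17T10:04:00 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.9
"""

# Simplified line format assumed for this example; a real SIEM export would be parsed differently.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S*) IpAddress=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one export line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": int(m["event"]),
        "logon_type": int(m["ltype"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def is_null_credential(user):
    """Windows logs an empty account name as '-'; treat that (or blank) as a null credential."""
    return user in ("", "-")


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5), rdp_logon_types=(10,)):
    """Return one alert per source IP whose failed RDP logons reach `threshold` inside any `window`.

    Each alert also reports how many of the failures used a null account name, the pattern
    the article attributes to the module's unfinished "brute mode".
    """
    failures = defaultdict(list)  # ip -> list of (timestamp, user)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != 4625 or ev["logon_type"] not in rdp_logon_types:
            continue
        failures[ev["ip"]].append((ev["ts"], ev["user"]))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        # Two-pointer sliding window: find the densest `window`-sized burst for this source.
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({
                "source": ip,
                "failures_in_window": best,
                "total_failures": len(events),
                "distinct_users": len({u for _, u in events}),
                "null_credential_attempts": sum(1 for _, u in events if is_null_credential(u)),
                "first_seen": events[0][0],
                "last_seen": events[-1][0],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data only 203.0.113.5 is reported: six failures in eight seconds, two of them with a null account name, while the single typo from 198.51.100.7 and the non-RDP failure from 192.0.2.9 are ignored. One caveat when deploying this against real hosts: with Network Level Authentication enabled, failed RDP authentications are commonly recorded as 4625 with Logon Type 3 rather than 10, so pass `rdp_logon_types=(10, 3)` there and accept the extra noise from SMB and other network logons.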
A history of evolving capabilities
Spread through email phishing campaigns, TrickBot began life as a banking Trojan in 2016, facilitating financial theft. It has since evolved to deliver other types of malware, including the infamous Ryuk ransomware, to act as an information stealer, loot Bitcoin wallets, and harvest emails and credentials.
The malspam campaigns that deliver TrickBot use names the recipient may recognise, such as invoices from accounting and finance companies.
The emails usually include an attachment, such as a Microsoft Word or Excel document, which, when opened, prompts the user to enable macros, thereby executing a VBScript that runs a PowerShell script to download the malware.
TrickBot is also dropped as a secondary payload by other malware, most notably through the Emotet botnet's spam campaigns. To persist and avoid detection, the malware has been found to create a scheduled task and a service, and even to disable and delete the Windows Defender antivirus.
This led Microsoft last year to develop a Tamper Protection feature to protect against malicious and unauthorized changes to security features.
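The infection chain just described (Office document, macro, VBScript, PowerShell) and the follow-on persistence (scheduled task or service) leave a characteristic process lineage on the endpoint. The script below is an added example for this article, not code from Bitdefender or from the malware; it walks constructed process-creation records (modelled loosely on Sysmon Event ID 1 fields, with file paths and PIDs invented for the example) and reports any script host, shell, or task/service tool whose ancestry leads back to an Office application, which is the lineage a defender would hunt for.

```python
# Executable names, lower-cased, used to classify each process in a chain.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
PERSISTENCE_TOOLS = {"schtasks.exe", "sc.exe"}

# Constructed process-creation events (not real telemetry); the field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE "C:\Users\a\Downloads\invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\a\AppData\Local\Temp\stage.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\a\AppData\Local\Temp\stage.ps1"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Updater"},
    # Legitimate administrative PowerShell started from the desktop: no Office ancestor.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def image_name(path):
    """Lower-cased executable name from a full image path (handles Windows backslashes)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_index(events):
    """Map pid -> event so parents can be looked up in constant time."""
    return {e["pid"]: e for e in events}


def lineage(pid, by_pid):
    """Yield the process and each ancestor, child first, stopping at unknown or cyclic parents."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def find_suspicious_chains(events):
    """Return findings for script hosts, shells and task/service tools descended from an Office app."""
    by_pid = build_index(events)
    findings = []
    for ev in events:
        name = image_name(ev["image"])
        if name in SCRIPT_HOSTS or name in SHELLS:
            reason = "script host or shell"
        elif name in PERSISTENCE_TOOLS:
            reason = "scheduled task or service tool"
        else:
            continue
        # Names along the ancestry, child first; find the nearest Office ancestor if any.
        chain = [image_name(p["image"]) for p in lineage(ev["pid"], by_pid)]
        office_idx = next((i for i, n in enumerate(chain) if n in OFFICE_APPS), None)
        if office_idx is None:
            continue
        findings.append({
            "pid": ev["pid"],
            "reason": f"{reason} descended from an Office document",
            # Re-ordered root-to-leaf so the finding reads as the infection chain.
            "chain": list(reversed(chain[: office_idx + 1])),
            "cmdline": ev["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding["pid"], finding["reason"], " -> ".join(finding["chain"]))
```

On the sample events this produces three findings, for wscript.exe, powershell.exe and schtasks.exe, each carrying the chain back to WINWORD.EXE, and leaves the administrator's PowerShell session alone because its parent is explorer.exe. The lineage walk keeps a `seen` set so a malformed export with a parent cycle cannot loop forever. In a real environment the same logic would run over Sysmon or EDR telemetry, where the Office-to-script-host edge alone is usually worth an alert.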