The TrickBot gang has released the 100th version of the malware, with new features that allow it to avoid detection. TrickBot is malware that is usually installed through phishing emails or by other malware. Once installed on the target system, TrickBot operates "silently" on the victim's computer while downloading other modules to perform various tasks.
These modules perform a variety of malicious activities, including stealing a domain's Active Directory Services database, spreading across the network, locking the screen, stealing cookies and browser passwords, and stealing OpenSSH keys.
Microsoft, in collaboration with other companies, launched a coordinated attack on the TrickBot infrastructure last month, hoping the hacking gang would take some time to recover and return to the threat landscape. However, the gang is still active, as evidenced by the release of the 100th version of the malware.
According to BleepingComputer, the 100th version was discovered by Advanced Intel's Vitali Kremez, who found that the cybercriminals added new features to TrickBot to make it more difficult to detect. With this version, TrickBot now injects its DLL into the legitimate Windows wermgr.exe (Windows Troubleshooting) executable directly from memory, using code from the "MemoryModule" project. MemoryModule is a library that can be used to fully load a DLL from memory, without first saving it to disk.
According to Kremez, the malware then performs the DLL injection using Doppel Hollowing or Process Doppelgänging in order to avoid detection by security software.
It is clear that the TrickBot gang did not let the attack on, and partial destruction of, their infrastructure hold them back; instead, they continue to add new features to keep their malware from being detected. This means that TrickBot may become even more powerful and dangerous in its future attacks. Therefore, individuals and organizations must be prepared and very careful about the emails they open.