Delaware, USA – April 25, 2018 – The Trickbot banking trojan almost went off the grid in 2017, but this year it is undergoing significant modifications and gaining new modules. This week, Fortinet researchers analyzed the latest version of the malware and found a new module that lets attackers collect email addresses from victim systems by attacking MS SQL Servers using legitimate libraries. The malware writes and runs the sqlFinder submodule, which scans the network for all SQL servers visible from the infected system. Then the mailCollector submodule tries to connect to the discovered servers using Windows Authentication. If successful, the submodule locates email address lists and uploads them to the command-and-control servers.
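The sqlFinder/mailCollector behaviour described above, a single workstation authenticating to many SQL servers in quick succession, is the kind of pattern a SIEM correlation rule can surface. The following Python is an added example written for this page; it is not code from the article or from the Fortinet analysis. The log format, host names, time window and threshold are constructed for illustration, and real SQL Server audit records will look different.

```python
"""
Added example (not from the original article): a toy SIEM-style correlation
that flags one client host authenticating to many distinct SQL Server
instances via Windows Authentication within a short window, the fan-out
pattern the article attributes to the sqlFinder/mailCollector submodules.
The log format and every sample line below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical "ts server= client= auth= result=" format).
# WS-FIN-07 reaches five servers in about twenty seconds; APP-SRV-01 is a
# normal application server that talks to a few servers over several hours.
SAMPLE_LINES = [
    "2018-04-23T09:00:05 server=SQL01 client=WS-FIN-07 auth=windows result=success",
    "2018-04-23T09:00:09 server=SQL02 client=WS-FIN-07 auth=windows result=success",
    "2018-04-23T09:00:14 server=SQL03 client=WS-FIN-07 auth=windows result=success",
    "2018-04-23T09:00:21 server=SQL04 client=WS-FIN-07 auth=windows result=success",
    "2018-04-23T09:00:27 server=SQL05 client=WS-FIN-07 auth=windows result=success",
    "2018-04-23T09:05:00 server=SQL01 client=APP-SRV-01 auth=windows result=success",
    "2018-04-23T10:00:00 server=SQL02 client=APP-SRV-01 auth=windows result=success",
    "2018-04-23T11:00:00 server=SQL03 client=APP-SRV-01 auth=sql result=success",
    "2018-04-23T11:00:05 server=SQL04 client=APP-SRV-01 auth=windows result=failure",
]


def parse_line(line):
    """Split one constructed audit line into a dict with a parsed timestamp."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    return fields


def find_fanout(lines, min_servers=4, window=timedelta(minutes=10)):
    """Return {client: set_of_servers} for every client that successfully
    authenticated with Windows Authentication to at least `min_servers`
    distinct SQL servers inside any `window`-long interval.

    Only successful Windows-auth logins count, because that is the path the
    article describes for mailCollector; SQL-auth and failed logins are ignored.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.get("auth") != "windows" or rec.get("result") != "success":
            continue
        by_client[rec["client"]].append((rec["ts"], rec["server"]))

    alerts = {}
    for client, events in by_client.items():
        events.sort()  # chronological order so each window starts at an event
        for i, (start, _) in enumerate(events):
            # Distinct servers reached in the window that opens at this event.
            servers = {srv for ts, srv in events[i:] if ts - start <= window}
            if len(servers) >= min_servers:
                alerts[client] = servers
                break
    return alerts


if __name__ == "__main__":
    for client, servers in find_fanout(SAMPLE_LINES).items():
        print(f"ALERT: {client} authenticated to {len(servers)} SQL servers: {sorted(servers)}")
```

Tune `min_servers` and `window` against your own baseline of legitimate clients (backup hosts, monitoring and application servers routinely reach several instances); the point is that a user workstation rarely needs to authenticate to every SQL server on the network within seconds.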
Also, a month ago, researchers discovered a Screenlocker module in Trickbot and suggested that it would be used to infect systems on networks where Trickbot is ineffective as a banking trojan. Analysis of the latest samples showed that this module is used to steal credentials on Windows 8 and later operating systems. Trickbot leverages it to force users to re-authenticate, and then uses the Mimikatz tool to dump the credentials from system memory.
The latest Trickbot modifications have been used in attacks for several weeks. The trojan's modular structure makes it easy to adapt to the attackers' purposes. You can detect the malicious activity of this version with your SIEM and the Mimikatz Defense Framework, which tracks all attempts to use stolen credentials.