Attackers Added ScreenLocker Module to TrickBot Malware

Delaware, USA – March 22, 2018 – Threat actors behind the TrickBot banking trojan continue to modify the malware in search of new monetization opportunities. Researchers from Webroot discovered and analyzed the latest modification of the virus, which drops an additional ScreenLocker module on the victim’s computer. The module itself is still under development, but code analysis shows that the adversaries plan to use it in attacks on corporate networks, where using TrickBot as a banking trojan is inefficient. The new module is used for lateral movement across the network with the EternalRomance exploit and for ScreenLocker deployment. To ensure persistence on infected systems, the adversaries plan to use reflective DLL injection. ScreenLocker functions will be deployed only after successful lateral movement throughout an infected network.

The authors constantly develop new features for the TrickBot banking trojan. The malware received lateral movement capabilities in the middle of 2017, and after that it was used primarily as a loader for other banking trojans. The latest findings show that the adversaries are organizing a new campaign. To detect the activity of this malware and attempts to distribute it over the network, you can use APT Framework, which allows you to monitor the company’s infrastructure constantly and notifies you of any traces of malware.