TrickBot Now Delivers PowerTrick Post-Exploitation Toolkit

Delaware, USA – January 10, 2020 – TrickBot authors continue to develop post-exploitation tools to spread laterally across the networks of high-profile targets. Just a month ago, experts discovered the Anchor malware, which is used as an attack framework for enterprise environments and to which the TrickBot gang provides access for both ordinary cybercriminals and state-sponsored cyberespionage groups. Now, SentinelOne researchers have analyzed a PowerShell-based backdoor called PowerTrick, which is used in corporate networks for both lateral movement and Anchor malware delivery. In addition, the researchers found that PowerTrick also installs the ‘More_Eggs’ JavaScript backdoor and is capable of executing direct shell commands. “The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks.”

During reconnaissance and target profiling, adversaries also use other PowerShell tools. The one researchers observed most often is ‘letmein.ps1’, a PowerShell stager for the open-source exploitation framework Metasploit. After successful profiling, adversaries delete the “unnecessary” tools and deliver the final payload.

Content to detect TrickBot malware is available on Threat Detection Marketplace:
TrickBot behaviour (Privilege escalation attack) – https://tdm.socprime.com/tdm/info/hnFSkaXV5vHs/
Trickbot Malware (YARA Rules) – https://tdm.socprime.com/tdm/info/QNIEMQiE0ZwF/
TrickBot Malware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/s06qUuUPHuOY/