TrickBot malware shows no sign of slowing down: new VNC module used

Notorious cybercrime gang is working to revamp spying and data gathering methods

TrickBot is back with a new module for accessing and gathering data. Malware that spies on victims has renewed its activities.

Cybersecurity researchers have shared the latest details on the TrickBot malware,[1] making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter-efforts by law enforcement[2].

Experts and researchers believe that the malware's new capabilities could be used to monitor victims and gather intelligence on them, using a custom communication protocol to hide data transmissions between command-and-control (C2) servers and victims. Traffic that does not follow a recognizable protocol is harder for network defenders to spot, which makes this a notable increase in the sophistication of the group's tactics.

It is also a tell-tale sign that the group is in no way slowing down its criminal activity, despite its run-ins with law enforcement. The group's operations were largely dismantled last year, but its recent comeback is a good example of the seemingly intractable nature of cybercrime[3].

The Russian-speaking group known as TrickBot, which shares its name with the malware it creates and distributes, has built up its infrastructure again and appears to be preparing a new campaign.

TrickBot has evolved: comes back with the new module

Cybercrime operations evolve constantly, and TrickBot is no exception. It has grown into a complex infrastructure that compromises third-party servers and uses them to host malware. It also infects consumer network equipment such as DSL routers, and its operators constantly rotate their IP addresses and infected hosts to make disruption of the operation as difficult as possible.

A network of infected computers, commonly referred to as a botnet (short for "robot network"), is a major cyber threat. It enables attackers to perform large-scale actions that a single piece of malware could not. Because the bots remain under the control of a remote operator, infected machines can receive updates and change their behavior on the fly[4].

TrickBot is currently developing an updated version of a module called "vncDll" that it uses against select high-profile targets for monitoring and intelligence gathering. The new version has been named "tvncDll."

The new module is designed to communicate with one of the nine command-and-control (C2) servers defined in its configuration file, using that connection to retrieve a set of attack commands, download additional malware payloads, and exfiltrate data gathered from the machine back to the server.
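A module that carries a fixed list of C2 servers in its configuration and works through them until one answers leaves a recognizable trace in outbound connection logs: one internal host contacting several of the listed addresses within seconds. The script below is an added example, not code from the article or from TrickBot itself; it shows how a defender would turn a known C2 list into a detection over firewall-style logs. The C2 addresses are RFC 5737 documentation addresses standing in for the nine servers, the log format (timestamp, source, destination, port, action) is assumed, and every log line is constructed for the example.

```python
"""Toy detection for config-driven C2 failover (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the nine C2 addresses a module like tvncDll carries in
# its configuration. These are documentation addresses, not real infrastructure.
CONFIGURED_C2 = {
    "192.0.2.10", "192.0.2.11", "192.0.2.12",
    "198.51.100.20", "198.51.100.21", "198.51.100.22",
    "203.0.113.30", "203.0.113.31", "203.0.113.32",
}

# Constructed outbound-connection log: "timestamp src dst dport action".
# 10.0.0.5 walks the list until a server answers; 10.0.0.9 hits one server once;
# 10.0.0.7 talks to an unrelated address.
SAMPLE_LOG = """\
2021-07-13T10:00:01 10.0.0.5 192.0.2.10 443 TIMEOUT
2021-07-13T10:00:04 10.0.0.5 192.0.2.11 443 TIMEOUT
2021-07-13T10:00:07 10.0.0.5 198.51.100.20 443 ALLOW
2021-07-13T10:00:09 10.0.0.7 93.184.216.34 443 ALLOW
2021-07-13T10:05:00 10.0.0.9 203.0.113.30 443 ALLOW
2021-07-13T11:30:00 10.0.0.5 198.51.100.20 443 ALLOW
"""


def parse_log(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "dport": int(dport), "action": action,
        })
    return events


def c2_contacts(events, c2_set=CONFIGURED_C2):
    """Every event whose destination is one of the configured C2 addresses.

    A single hit is already worth triage: the address list comes straight from
    the module's configuration, so any contact is suspicious.
    """
    return [e for e in events if e["dst"] in c2_set]


def failover_sequences(events, c2_set=CONFIGURED_C2,
                       window=timedelta(seconds=30), min_distinct=2):
    """Flag hosts that contacted >= min_distinct configured servers within `window`.

    This is the try-each-server-until-one-answers pattern; it is a stronger
    signal than a lone hit because benign traffic rarely walks a fixed list.
    Returns {src_host: sorted list of C2 addresses seen in the first such window}.
    """
    by_src = defaultdict(list)
    for e in c2_contacts(events, c2_set):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            seen = {first["dst"]}
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                seen.add(later["dst"])
            if len(seen) >= min_distinct:
                findings[src] = sorted(seen)
                break
    return findings


def hosts_contacting_c2(events, c2_set=CONFIGURED_C2):
    """Set of internal hosts with at least one contact to a configured C2."""
    return {e["src"] for e in c2_contacts(events, c2_set)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("hosts touching C2 list:", sorted(hosts_contacting_c2(evs)))
    print("failover pattern:", failover_sequences(evs))
```

Both checks are worth keeping: the plain list match catches the host that reached a working server on the first try, while the windowed check separates the walk-the-list behaviour from a single stray hit and is far less likely to fire on a coincidental destination. When the real module rotates its configuration, the list must be refreshed from current threat intelligence or the detection silently decays.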

Companies take matters into their own hands to protect the cyber environment

Microsoft shared that it is replacing routers compromised by TrickBot in Brazil and Latin America in an effort to squash the international hacking group. It is a precautionary move from a global company, as TrickBot has allegedly been behind attacks on hospitals, schools, and governments, stealing login credentials and locking computer systems to demand payment[5].

TrickBot, which mostly operates out of Eastern Europe, including Russia, Ukraine, and Belarus, is known for the modular malware of the same name. TrickBot originated as a banking credential-stealing Trojan but has since grown into a sophisticated and capable modular platform[6].

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
