Cybersecurity researchers have lifted the lid on the continued resurgence of the TrickBot malware, making it clear that the Russia-based transnational cybercrime group is working behind the scenes to overhaul its attack infrastructure in response to recent counter-efforts by law enforcement.
"The newly discovered capabilities are used to monitor and gather intelligence on victims, using a special communication protocol to hide the transmission of data between [command-and-control] servers and victims, making attacks difficult to spot," Bitdefender said in a technical write-up published Monday, pointing to the group's increasing tactical sophistication.
"TrickBot shows no signs of slowing down," the researchers said.
Botnets are formed when hundreds or thousands of compromised devices are enrolled in a network run by a criminal operator. They are often used to launch distributed denial-of-service (DDoS) attacks that flood businesses and critical infrastructure with bogus traffic in order to knock them offline. But because the operator controls every enrolled device, botnets can also be used to distribute malware and spam, or to deploy file-encrypting ransomware on the infected machines.
TrickBot is no different. The cybercrime gang behind the operation, tracked as Wizard Spider, has a track record of exploiting infected machines to steal sensitive information, move laterally across networks, and act as a loader for other malware such as ransomware, all while continually refining its infection chain by adding modules with new functionality to increase its effectiveness.
"TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware," Lumen's Black Lotus Labs said last October. "It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible."
The botnet has since survived two takedown attempts by Microsoft and U.S. Cyber Command, with its operators developing a firmware-tampering component that lets the attackers implant a backdoor in the Unified Extensible Firmware Interface (UEFI). A UEFI-level implant persists below the operating system, so it can survive antivirus scans, software updates, and even a complete wipe and reinstallation of the operating system.
Now, according to Bitdefender, the threat actor has been found to be actively developing an updated version of a module called "vncDll" that it uses against selected high-profile targets for monitoring and intelligence gathering. The new version has been named "tvncDll."
The new module is designed to communicate with one of nine command-and-control (C2) servers specified in its configuration file, using that connection to fetch a set of attack commands, download additional malware payloads, and exfiltrate the data collected from the infected machine back to the server. In addition, the researchers say they identified a "viewer tool" that the attackers use to interact with the victim through the C2 server.
While efforts to disrupt the gang's operation have not been entirely successful, Microsoft told The Daily Beast that it is working with internet service providers (ISPs) to go door-to-door replacing routers compromised by the TrickBot malware in Brazil and Latin America, and that it has effectively dismantled the TrickBot infrastructure in Afghanistan.