Vulnerabilities / Threats

7/28/2017
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Wannacry Inspires Worm-like Module in Trickbot

The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services com, says Flashpoint.

The relative success that the authors of the WannaCry and NotPetya ransomware samples had in distributing their malware using a worm-like propagation method appears to be inspiring others to follow the same tack.

Security vendor Flashpoint this week reported discovering a new version of the Trickbot banking Trojan featuring a worm propagation module. The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services company.

Once the malware infects a system it is designed to spread locally on the network via Server Message Block (SMB) shares. The new propagation module is rigged to scan an infected domain for vulnerable servers and computers via the NetServerEnum Windows API and Lightweight Directory Access Protocol (LDAP) enumeration.

So far, there has been no evidence of the modified version of Trickbot actually spreading via SMB shares. This suggests that the malware authors have not fully implemented the capability yet, Flashpoint security researcher Vitali Kremez, wrote in a blog this week.

According to Kremez, it is likely that the malware authors are testing how to equip Trickbot for lateral movement within a local area network with the goal of infecting more computers and co-opting them into a botnet.

News of the new worm-like module in Trickbot comes just days after Flashpoint warned that Trickbot, for the first time, was being used to target and infect customers of U.S. banks and financial institutions. Though Trickbot has been around since mid-2016 it has only targeted victims outside the U.S.

But since around the middle of July a new Trickbot spam campaign powered by the notorious Necurs botnet has begun targeting users in the US, United Kingdom, New Zealand, Canada, Denmark and several other countries.

The Necurs botnet is one of the world's largest botnets with up to one million infected Necurs bots being active at any time. The botnet has been around for several years and has been used to deliver a wide variety of malware. Recently it was tweaked to add a new component that allows it to be used for launching denial of service attacks.

Since July 17, there have been at least three Necurs botnet-powered spam waves that included Trickbot as the final payload, Flashpoint said.  The initial spam wave contained a spam email with a malicious Windows Script File attachment that purported to be from an Australian telecommunications company. More recent spam mails have evolved and involve spam emails with malicious macro-laden documents as attachments.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: New camera 2FA closed loop!
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20050
PUBLISHED: 2018-12-10
Mishandling of an empty string on the Jooan JA-Q1H Wi-Fi camera with firmware 21.0.0.91 allows remote attackers to cause a denial of service (crash and reboot) via the ONVIF GetStreamUri method and GetVideoEncoderConfigurationOptions method.
CVE-2018-20051
PUBLISHED: 2018-12-10
Mishandling of '>' on the Jooan JA-Q1H Wi-Fi camera with firmware 21.0.0.91 allows remote attackers to cause a denial of service (crash and reboot) via certain ONVIF methods such as CreateUsers, SetImagingSettings, GetStreamUri, and so on.
CVE-2018-20029
PUBLISHED: 2018-12-10
The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6.4.6 on Windows 10 allows local users to cause a denial of service (BSOD) because uninitialized memory can be read.
CVE-2018-1279
PUBLISHED: 2018-12-10
Pivotal RabbitMQ for PCF, all versions, uses a deterministically generated cookie that is shared between all machines when configured in a multi-tenant cluster. A remote attacker who can gain information about the network topology can guess this cookie and, if they have access to the right ports on ...
CVE-2018-15800
PUBLISHED: 2018-12-10
Cloud Foundry Bits Service, versions prior to 2.18.0, includes an information disclosure vulnerability. A remote malicious user may execute a timing attack to brute-force the signing key, allowing them complete read and write access to the the Bits Service storage.