Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/28/2017
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Wannacry Inspires Worm-like Module in Trickbot

The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services com, says Flashpoint.

The relative success that the authors of the WannaCry and NotPetya ransomware samples had in distributing their malware using a worm-like propagation method appears to be inspiring others to follow the same tack.

Security vendor Flashpoint this week reported discovering a new version of the Trickbot banking Trojan featuring a worm propagation module. The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services company.

Once the malware infects a system it is designed to spread locally on the network via Server Message Block (SMB) shares. The new propagation module is rigged to scan an infected domain for vulnerable servers and computers via the NetServerEnum Windows API and Lightweight Directory Access Protocol (LDAP) enumeration.

So far, there has been no evidence of the modified version of Trickbot actually spreading via SMB shares. This suggests that the malware authors have not fully implemented the capability yet, Flashpoint security researcher Vitali Kremez, wrote in a blog this week.

According to Kremez, it is likely that the malware authors are testing how to equip Trickbot for lateral movement within a local area network with the goal of infecting more computers and co-opting them into a botnet.

News of the new worm-like module in Trickbot comes just days after Flashpoint warned that Trickbot, for the first time, was being used to target and infect customers of U.S. banks and financial institutions. Though Trickbot has been around since mid-2016 it has only targeted victims outside the U.S.

But since around the middle of July a new Trickbot spam campaign powered by the notorious Necurs botnet has begun targeting users in the US, United Kingdom, New Zealand, Canada, Denmark and several other countries.

The Necurs botnet is one of the world's largest botnets with up to one million infected Necurs bots being active at any time. The botnet has been around for several years and has been used to deliver a wide variety of malware. Recently it was tweaked to add a new component that allows it to be used for launching denial of service attacks.

Since July 17, there have been at least three Necurs botnet-powered spam waves that included Trickbot as the final payload, Flashpoint said.  The initial spam wave contained a spam email with a malicious Windows Script File attachment that purported to be from an Australian telecommunications company. More recent spam mails have evolved and involve spam emails with malicious macro-laden documents as attachments.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23381
PUBLISHED: 2021-04-18
This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23374
PUBLISHED: 2021-04-18
This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23375
PUBLISHED: 2021-04-18
This affects all versions of package psnode. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23376
PUBLISHED: 2021-04-18
This affects all versions of package ffmpegdotjs. If attacker-controlled user input is given to the trimvideo function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
CVE-2021-23377
PUBLISHED: 2021-04-18
This affects all versions of package onion-oled-js. If attacker-controlled user input is given to the scroll function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.