Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/28/2017
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Wannacry Inspires Worm-like Module in Trickbot

The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services com, says Flashpoint.

The relative success that the authors of the WannaCry and NotPetya ransomware samples had in distributing their malware using a worm-like propagation method appears to be inspiring others to follow the same tack.

Security vendor Flashpoint this week reported discovering a new version of the Trickbot banking Trojan featuring a worm propagation module. The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services company.

Once the malware infects a system it is designed to spread locally on the network via Server Message Block (SMB) shares. The new propagation module is rigged to scan an infected domain for vulnerable servers and computers via the NetServerEnum Windows API and Lightweight Directory Access Protocol (LDAP) enumeration.

So far, there has been no evidence of the modified version of Trickbot actually spreading via SMB shares. This suggests that the malware authors have not fully implemented the capability yet, Flashpoint security researcher Vitali Kremez, wrote in a blog this week.

According to Kremez, it is likely that the malware authors are testing how to equip Trickbot for lateral movement within a local area network with the goal of infecting more computers and co-opting them into a botnet.

News of the new worm-like module in Trickbot comes just days after Flashpoint warned that Trickbot, for the first time, was being used to target and infect customers of U.S. banks and financial institutions. Though Trickbot has been around since mid-2016 it has only targeted victims outside the U.S.

But since around the middle of July a new Trickbot spam campaign powered by the notorious Necurs botnet has begun targeting users in the US, United Kingdom, New Zealand, Canada, Denmark and several other countries.

The Necurs botnet is one of the world's largest botnets with up to one million infected Necurs bots being active at any time. The botnet has been around for several years and has been used to deliver a wide variety of malware. Recently it was tweaked to add a new component that allows it to be used for launching denial of service attacks.

Since July 17, there have been at least three Necurs botnet-powered spam waves that included Trickbot as the final payload, Flashpoint said.  The initial spam wave contained a spam email with a malicious Windows Script File attachment that purported to be from an Australian telecommunications company. More recent spam mails have evolved and involve spam emails with malicious macro-laden documents as attachments.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18954
PUBLISHED: 2019-11-14
Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious at...
CVE-2019-3640
PUBLISHED: 2019-11-14
Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention 11.x prior to 11.4.0 allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.
CVE-2019-3661
PUBLISHED: 2019-11-14
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.
CVE-2019-3662
PUBLISHED: 2019-11-14
Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to gain unintended access to files on the system via carefully constructed HTTP requests.
CVE-2019-3663
PUBLISHED: 2019-11-14
Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system.