TrickBot Group Adds New PowerShell-Based Backdoor to Arsenal

PowerTrick is sort of a custom-version of PowerShell Empire and can be used to download additional malware, SentinelOne says.

Russias infamous TrickBot organized cybercrime group has a new trick up its sleeve for high-value targets — a custom fileless PowerShell-based backdoor designed for stealth, persistence, and reconnaissance inside infected networks.
SentinelOne, which has been tracking the malware, has dubbed it PowerTrick. In a blog post Thursday, the vendor described the new malware as having similar capabilities as the PowerShell Empire open source penetration-testing tool but being harder to detect because it is custom developed.
Vitali Kremez, lead cybersecurity researcher at SentinelOnes SentinelLabs, says PowerTrick is a fileless post-exploitation tool that TrickBot operators are using to stealthily drop additional malware on systems belonging to organizations the group perceives as being of high value.
The malware is being used to enable mass data collection, reconnaissance, persistence, and lateral movement on infected networks. We assess with high confidence at least some of the initial PowerTrick infections are being kicked off as a PowerShell task through normal TrickBot infections, Kremez says.
TrickBot is a Russia-based group that initially specialized in bank fraud activities but over the years has increasingly begun targeting enterprise organizations as well. The group is believed to have broken into numerous enterprise networks and gathered a massive amount of information on each of them, including credentials, network, and domain controller data.
In recent years, the group has been selling access to that data to other financially motivated cybercrime groups and more recently to advanced persistent threat (APT) groups such as North Koreas Lazarus operation.
According
to SentinelOne, TrickBot has processed and indexed data on victims it has compromised in such a manner that its customers can quickly identify high-value targets or the least-protected organizations.
In addition to selling access to compromised networks, TrickBot in recent years has also let other vetted groups use its custom malware to carry out attacks and distribute other malware. One example is Anchor, a collection of custom and existing tools for everything from post-exploit malware installation to cleanup and removal of all evidence of a break-in. Like many other cybercrime and APT groups, TrickBot also has extensively leveraged legitimate admin tools and services — notably PowerShell, Metasploit, Cobalt Strike, and PowerShell Empire — in its post-exploit operations.

PowerTrick
is a private solution that the TrickBot group leverages for the deployment of additional targeted malware, Kremez says. Similar to how PowerShell Empires stager component works, PowerTrick can be used to download a larger, more powerful backdoor for executing other commands such as those for harvesting credentials, moving laterally or for installing more backdoors. TrickBot Anchor and another backdoor called TerraLoader are two examples of malware that attackers are deploying via PowerTrick, Kremez says.
The end goal of the PowerTrick backdoor is to bypass restrictions and security controls and exploit strongly protected and secure high-value networks. Like its other malware products, TrickBot appears to have made PowerTrick available to other cybercrime and APT groups as well, according to Kremez.
SentinelLabs has developed a mock command-and-control panel that organizations can use to test for PowerTrick related infections. The security vendor has also released indicators of compromise related to the threat.
Related Content:
Trickbot Operators Now Selling Attack Tools to APT Actors
TrickBot Expands in Japan Ahead of the Holidays
New Trickbot Variant Uses URL Redirection to Spread
6 Security Team Goals for DevSecOps in 2020
Check out The Edge, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
In App Development, Does No-Code Mean No Security?

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
TrickBot Group Adds New PowerShell-Based Backdoor to Arsenal