Wannacry Inspires Worm-like Module in Trickbot

  /     /     /  
Publicated : 22/11/2024   Category : security


Wannacry Inspires Worm-like Module in Trickbot


The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services com, says Flashpoint.



The relative success that the authors of the WannaCry and NotPetya ransomware samples had in distributing their malware using a worm-like propagation method appears to be inspiring others to follow the same tack.
Security vendor Flashpoint this week reported discovering a new version of the Trickbot banking Trojan featuring a worm propagation module. The malware is being primarily distributed via email spam in the form of spoofed invoices from an international financial services company.
Once the malware infects a system it is designed to spread locally on the network via Server Message Block (SMB) shares. The new propagation module is rigged to scan an infected domain for vulnerable servers and computers via the NetServerEnum Windows API and Lightweight Directory Access Protocol (LDAP) enumeration.
So far, there has been no evidence of the modified version of Trickbot actually spreading via SMB shares. This suggests that the malware authors have not fully implemented the capability yet, Flashpoint security researcher Vitali Kremez, wrote in a
blog
this week.
According to Kremez, it is likely that the malware authors are testing how to equip Trickbot for lateral movement within a local area network with the goal of infecting more computers and co-opting them into a botnet.
News of the new worm-like module in Trickbot comes just days after Flashpoint
warned
that Trickbot, for the first time, was being used to target and infect customers of U.S. banks and financial institutions. Though Trickbot has been around since mid-2016 it has only targeted victims outside the U.S.
But since around the middle of July a new Trickbot spam campaign powered by the notorious Necurs botnet has begun targeting users in the US, United Kingdom, New Zealand, Canada, Denmark and several other countries.
The Necurs botnet is one of the worlds largest botnets with up to one million infected Necurs bots being active at any time. The botnet has been around for several years and has been used to deliver a wide variety of malware. Recently it was tweaked to add a new component that allows it to be used for launching denial of service attacks.
Since July 17, there have been at least three Necurs botnet-powered spam waves that included Trickbot as the final payload, Flashpoint said.  The initial spam wave contained a spam email with a malicious Windows Script File attachment that purported to be from an Australian telecommunications company. More recent spam mails have evolved and involve spam emails with malicious macro-laden documents as attachments.
Related content:
Petya Or Not? Global Ransomware Outbreak Hits Europes Industrial Sector, Thousands More
WannaCry: Ransomware Catastrophe or Failure?
NSA Tools Behind WannaCry Being Used In Even Bigger Attack Campaign
5 Security Lessons WannaCry Taught Us the Hard Way
 

Last News

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Wannacry Inspires Worm-like Module in Trickbot