TrickBot Update Makes Malware Harder to Detect: ReportUpdated Module Runs on System Memory, Leaving Little Trace
The developers behind TrickBot malware have updated it to run from an infected device's memory to help better avoid detection, according to researchers at Palo Alto Networks' Unit 42.
Since the start of the COVID-19 pandemic, researchers at Microsoft have noted an increase in TrickBot infections, especially through phishing emails that used the pandemic as a lure to get victims to click on malicious attachments (see: COVID-19 Phishing Emails Mainly Contain TrickBot: Microsoft).
When researchers first spotted TrickBot in 2016, the malware functioned as a banking Trojan. But it has since morphed into an information stealer and backdoor. In addition, TrickBot is now combined with other malware, such as Emotet, to help deliver ransomware, including Ryuk (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').
The Unit 42 researchers found that the latest update to TrickBot changes one of the modules that the malware uses to propagate from an infected Microsoft Windows device to a domain controller. The previous module, called "mworm," has been replaced by a new module that the researchers dubbed "nworm.”
This new module runs on the domain controller memory instead of the hard disk drive and allows the TrickBot malware to disappear when the infected device is rebooted or shutdown, leaving no trace of the malicious code on the targeted domain controller. This makes it more difficult for security tools to detect and analyze, Unit 42 researchers note.
"Running malware from RAM is one of many fileless malware techniques that has been reported before," Bradley Duncan, a threat intelligence analyst for Unit 42, tells Information Security Media Group. "TrickBot has been evolving in that direction for a while, especially with the lack of module artifacts on Windows 10 hosts. We see this as just a gradual evolution."
While this version of TrickBot has been spotted in the wild, Unit 42 does not know of any successful attacks that have used it.
How It Works
Unit 42 researchers discovered the latest version of TrickBot when they examined an infected Windows 7 device in their lab.
In a typical TrickBot infection, the malware will scan a device and then download the modules that are needed to maintain persistence within the network and perform malicious activities, the researchers say.
Before the latest changes in the malware, TrickBot found a device with Windows Active Directory and downloaded the mworm module to infect the domain controller. The malware looked to exploit vulnerabilities in Windows Server Message Block protocol (see: Microsoft Patches Wormable SMBv3 Flaw).
These older types of domain controller infections could be spotted by security tools. With the addition of the new nworm module, however, the TrickBot developers now launch the domain controller infection from memory, making it more difficult to spot, according to Unit 42.
The nworm module also provides a layer of encryption to help shield the malware from security tools, the researchers note.
"This method of infection works well for devices that don't restart often, like servers, but they wouldn't be as useful to attackers who are targeting other systems and have different objectives in mind," Duncan says. "This method of infection leaves no artifacts on the system disc drive. As a tradeoff, infections caused by TrickBot's new nworm module do not appear to survive a reboot or shutdown, but that makes it harder to detect because no clues are left behind to analyze."
In addition to TrickBot, Microsoft and Unit 42 have also noticed an increase in other information stealers, such as AgentTesla, which are spread using malicious attachments in phishing emails that have a COVID-19 theme.
Managing Editor Scott Ferguson contributed to this report.