The Trickbot trojan is in resurgence mode, with its operators filling out infrastructure globally and releasing an updated version of its “vncDll” module, used for monitoring and intelligence gathering, researchers said.
According to an analysis this week from Bitdefender, there has been “a significant increase in [Trickbot] command-and-control (C2) centers deployed around the world,” in the wake of an October takedown by Microsoft and partners. Microsoft was able to disrupt the botnet that spreads the malware, but even at the time, researchers warned that the operators would quickly try to revive their operations.
That appears to be happening, and not just on the infrastructure side: Researchers said that Trickbot’s espionage module is under active development, with a frequent update schedule that applies improved functionality and bug fixes.
Trickbot’s VNC Module Set-Up
The latest version of the spy module makes use of virtual network computing (VNC): hence its name, vncDll. It essentially sets up a virtual desktop that mirrors the desktop of a victim machine and sets about using it to steal information. It’s been circulating since late May, researchers said.
When first installed, vncDll uses a custom communications protocol to transmit information to and from one of the up to nine C2 servers that are defined in its configuration file. The module will use the first one to which it can connect.
“The port used to communicate with the servers is 443, to avoid arousing the suspicion of anyone observing the traffic,” according to the Bitdefender analysis. “Although traffic on this port normally uses SSL or TLS, the data is sent unencrypted.”
The module’s first order of business is to announce to the C2 server that it has been installed; it then waits to receive a set of commands. The C2 connects to an attacker-controlled client, which is a software application that the attackers use to interact with the victims through the C2 servers. It allows the attackers to view a list of victims and their status.
The client, using a unique bot ID for the victim, will direct the C2 to reply to the module with one of at least three possible commands, according to Bitdefender:
- “TS5T,” which the module will echo back to the C2 server before waiting for another command. This is used as a keep-alive message while no attacker is requesting access to the victim;
- “LliK,” which will have the module self-terminate;
- Any other command, which will prompt the module to create a new desktop that is fully controlled by the module and contains a custom interface for the attackers (via the C2 and client viewer). If the module isn’t able to create the alternative desktop, it closes the connection.
“The alternate desktop is created and fully controlled by the module, copying the icons from the desktop, creating a custom taskbar for managing its processes and creating a custom right click menu, containing custom functionality,” according to Bitdefender.
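For defenders, the two traits described above (cleartext on port 443 and the “TS5T”/“LliK” command strings) lend themselves to a simple network check. The following is an added example, not code from Bitdefender or from the article: it flags TCP/443 payloads that do not begin with a TLS record header and notes whether either command string is present. The sample payloads are constructed, and the assumption that the commands appear as raw ASCII in the payload is ours, since the article does not describe the protocol framing.

```python
import struct

# Command tokens named in the Bitdefender analysis quoted in the article.
TOKENS = {b"TS5T": "keep-alive", b"LliK": "self-terminate"}
# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_RECORD_LEN = 16384 + 2048  # upper bound for a TLS 1.2 ciphertext record


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload begins with a plausible 5-byte TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= MAX_RECORD_LEN)


def classify(dst_port: int, payload: bytes) -> dict:
    """Flag cleartext on tcp/443 and report any known command tokens seen."""
    finding = {"alert": False, "reason": "", "tokens": []}
    if dst_port != 443 or not payload or looks_like_tls(payload):
        return finding
    finding["alert"] = True
    finding["reason"] = "non-TLS payload on tcp/443"
    # Assumption: tokens appear as raw ASCII somewhere in the payload.
    finding["tokens"] = sorted(n for t, n in TOKENS.items() if t in payload)
    return finding


# Constructed sample payloads (not captured traffic).
SAMPLE_FLOWS = [
    ("tls-clienthello", 443, bytes.fromhex("1603010200") + b"\x01" * 8),
    ("plain-keepalive", 443, b"TS5T"),
    ("plain-terminate", 443, b"\x00\x00LliK\x00"),
    ("plain-http", 443, b"GET / HTTP/1.1\r\n"),
    ("other-port", 8080, b"TS5T"),
]


def triage(flows=SAMPLE_FLOWS) -> dict:
    """Return {flow name: finding} for every flow that raised an alert."""
    results = {name: classify(port, data) for name, port, data in flows}
    return {name: f for name, f in results.items() if f["alert"]}


if __name__ == "__main__":
    for name, finding in triage().items():
        print(name, finding["reason"], finding["tokens"])
```

The “plain-http” sample shows why the non-TLS check alone is only a triage signal: misdirected cleartext HTTP also trips it, so the command strings are what raise confidence.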
Trickbot’s Normal Operation Mode for Espionage
In the normal operation mode, the module first sends screenshots of the alternative desktop and any clipboard data to the C2, which the attackers use to generate window messages that carry out various actions on the virtual desktop, according to the analysis.
“The window messages are processed as expected, simulating mouse clicks or key presses on the virtual desktop that was created,” researchers explained. “Most of the options just open programs from the machine, but through Cmd.exe the threat actors can perform several high-impact actions leveraging PowerShell.”
These include:
- Downloading new payloads to further propagate the attack inside the network;
- Opening various documents or the email inbox;
- Uploading data on the machine to the C2.
The module also creates a native browser that adds a password-dumping functionality to the mix. Researchers said that this part is in active development, with multiple weekly updates.
“By default, it creates its own browser using the OLE automation feature for Internet Explorer,” they said. “The buttons on the left of the navigation bar are supposed to be used for password dumping, and should work for Chrome, Firefox, Opera and Internet Explorer, but this functionality properly works for Internet Explorer only.”
The researchers added that password dumping for Firefox appeared to be in the works, but doesn’t fully function yet – a state of affairs they expect to change.
Surging Back After Takedown
“Despite the takedown attempt, Trickbot is more active than ever,” Bitdefender researchers concluded.
And indeed, the vncDll module is only the latest evolution for Trickbot, which started out as a pure-play banking trojan before evolving into a sophisticated (and common) modular threat known for delivering a range of follow-on payloads, including ransomware. Since the October takedown, it’s been spotted adding even more functionality, including man-in-the-browser (MitB) capabilities in its module for stealing online banking credentials and a rare bootkit functionality designed to inspect the UEFI/BIOS firmware of targeted systems.