The TrickBot malware has added a new feature: A module called rdpScanDll, built for brute-forcing remote desktop protocol (RDP) accounts.
According to BitDefender, the module has been used in campaigns against telecom, education and financial services industry targets in the United States and Hong Kong, mainly. RDP is Microsoft’s protocol for gaining remote access to another computer or server, often used by tech support for troubleshooting or by telecommuting workers.
TrickBot is a malware strain that has been around since 2016, starting life as a banking trojan. Over time, it has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to send spam to victim email lists, adopt new detection evasion methods and act as a delivery vehicle for other malware, such as Emotet. Most recently, the operators behind the malware were seen to have changed up their anti-analysis methods.
Its latest enhancement, the rdpScanDll module, is still under active development, according to BitDefender. The brute-force operations have been carried out on a list of targets that are defined and sent by the attackers – the campaign is not a “spray-and-pray” effort, the firm noted. During its analysis of pScanDll module, BitDefender gained visibility into several updates for the lists of targeted IPs – in all, these contained more than 6,000 IP addresses.
Click to Enlarge
“The TrickBot executable will download the plugin and its configuration file from one of the available online command-and-control servers (C2s), containing a list of servers with whom the plugin will communicate to retrieve commands to be executed,” according to BitDefender, writing in a posting on Wednesday.
TrickBot will load the plugin, and then communicates with the C2 to determine its next moves. According to the BitDefender analysis, the C2 tells it what kind of attack the module should use (there are three: Check, trybrute and brute). It also commands the module on which ports to target (RDP port 3389 is the default); how frequently to report different statuses back to the server (which port pairs are online or offline, and what usernames/passwords have worked); which port pairs to move on to when the first target list is exhausted; and which passwords and usernames to try in the brute-force process.
In terms of attack methods, the check mode should check for RDP connection on the list of targets (both /rdp/domains and /rdp/over).
“To do that, it first retrieves the frequency, then it retrieves and checks the list of targeted IPs from [the C2 command] ‘/rdp/domains,’ and finally it retrieves and checks the list of targeted IPs from [the C2 command] ‘/rdp/over,'” according to BitDefender researchers. “During testing, we found the plugin retrieves and checks the IP list from /rdp/over repeatedly.”
This latter aspect actually limits how many victims it can target at any one time: If the plugin is deployed on a larger number, the repeated checks could flood the C2 server with requests.
The trybrute mode meanwhile will perform a brute-force operation on the list of targeted IPs returned by the /rdp/domains command, and later on the one returned by /rdp/over command, using the usernames from “/rdp/names” and the passwords from ” rdp/dict” commands.
And finally, brute mode seems to be still in development.
“Besides the inclusion in the executable of a set of functions that aren’t called, the attack mode brute seems broken,” according to the analysis. “The brute attack mode doesn’t fetch the username list, causing the plugin to use null passwords and usernames to authenticate on the targets list.”
“The new rdpScanDll module may be the latest in a long line of modules that have been used by the TrickBot trojan, but it’s one that stands out because of its use of a highly specific list of IP addresses,” according to the analysis. “While the module seems to be under development, as one attack mode seems broken, newer versions of rdpScanDll will likely fix this and potentially add new ones.”
Incidentally, in the same analysis, BitDefender performed an inventory of TrickBot C2s and found that the operation shows zero signs on slowing down. In all, there were 2,926 C2s, along with 556 servers dedicated to downloading new plugins. There were also 22 IPs serving both roles.
“The dynamics of the infrastructure can be defined by a rough statistic of around 100 new IPs added each month with each IP having an average lifetime of about 16 days,” according to the analysis. “The threat actor prefers infrastructure from Russia.”
Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.
