Anti-Malware Research Whitepapers

New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong

Bitdefender researchers have discovered a new TrickBot module (rdpScanDll) built for RDP bruteforcing operations against select targets. The module was discovered on January 30, 2020 and, based on the IP addresses it targets, the victims appear to be based in the US and Hong Kong, predominantly in the telecom industry.

TrickBot is a Trojan that has been around since 2016. It started out as a credential-harvesting threat focused mostly on e-banking, but its plugin-based design has turned it into much more than a financial data thief. Security companies and researchers have previously analyzed a wide range of its modules, showing that the Trojan is still under active development and receives constant "feature upgrades".

Key Findings:

rdpScanDll:
• New module that bruteforces RDP against a specific list of victims
• Still in development, as the module features a broken attack mode
• Targets mostly in telecom, education and financial services in the United States and Hong Kong

TrickBot:
• Lateral movement modules receive the most updates
• Dynamic C&C infrastructure, mostly based in Russia
• Over 100 new C&C IPs added each month, with an average lifetime of about 16 days

The flexibility allowed by this modular architecture has turned TrickBot into a very complex and sophisticated malware capable of a wide range of malicious activities, as long as there is a plugin for it.

TrickBot has been distributed mostly through spam campaigns, but it has also been seen working alongside other threats. It has been delivered by the Emotet spam-sending botnet and has in turn been used to deliver Ryuk ransomware; its operators have extended its capabilities until it has become one of the most advanced malware delivery vehicles out there.

Bitdefender has kept a close eye on TrickBot, and on January 30, 2020, our monitoring systems reported the delivery of a new module that performs bruteforce operations against a list of targets defined and sent by the attackers.
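The page does not go into the module's internals beyond the fact that it bruteforces RDP, but the defender-side view of such activity is familiar: a burst of failed logons (Windows Security Event ID 4625) from one source against one or a few accounts in a short window. The following is an added example and is not code from the Bitdefender paper or from the malware. It runs a sliding-window count over constructed 4625-style records (the field names, IP addresses, account names and timestamps are all made up for illustration) and flags any source that exceeds a threshold within five minutes. The logon-type filter (type 3 for NLA failures, type 10 for RemoteInteractive) and the spray-versus-bruteforce heuristic are the example's own assumptions, not something the page states.

```python
"""Flag RDP brute-force bursts in Windows failed-logon (4625) records.

Added example, not part of the Bitdefender write-up. Field names and all
sample records are constructed for illustration, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# RDP with Network Level Authentication logs a failed credential check as
# logon type 3 (Network) before any session exists; a classic RDP session
# logon is type 10 (RemoteInteractive). Both are worth counting.
RDP_LOGON_TYPES = {3, 10}


def make_event(ts, src, user, logon_type, substatus, event_id=4625):
    """Build one normalized record, mimicking fields a SIEM would extract."""
    return {"ts": ts, "src": src, "user": user, "type": logon_type,
            "sub": substatus, "id": event_id}


# Constructed sample (hypothetical IPs from documentation ranges).
SAMPLE_EVENTS = (
    # Attacker-style burst: one source, 12 failures in 44 s across 3 accounts,
    # substatus 0xC000006A = wrong password.
    [make_event(f"2020-01-30T10:00:{i * 4:02d}", "203.0.113.7", u, 3, "0xC000006A")
     for i, u in enumerate(["administrator", "admin", "rdpuser"] * 4)]
    + [
        # Benign: a user mistypes twice, then succeeds (4624 is not a failure).
        make_event("2020-01-30T10:05:00", "198.51.100.4", "jdoe", 10, "0xC000006A"),
        make_event("2020-01-30T10:05:20", "198.51.100.4", "jdoe", 10, "0xC000006A"),
        make_event("2020-01-30T10:05:40", "198.51.100.4", "jdoe", 10, "0x0", 4624),
        # Slow failures 30 minutes apart: never two in one 5-minute window.
        make_event("2020-01-30T09:10:00", "192.0.2.9", "svc_backup", 3, "0xC000006A"),
        make_event("2020-01-30T09:40:00", "192.0.2.9", "svc_backup", 3, "0xC000006A"),
    ]
)


def _ts(s):
    return datetime.fromisoformat(s)


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """Return one alert per source IP whose RDP logon failures reach
    `threshold` inside any sliding `window`. The alert keeps the distinct
    target accounts so the analyst can separate a single-account brute force
    from a password spray (heuristic below is an assumption)."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort correctly
        if e["id"] == 4625 and e["type"] in RDP_LOGON_TYPES:
            failures[e["src"]].append(e)

    alerts = {}
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start..end] fits in `window`.
            while _ts(evs[end]["ts"]) - _ts(evs[start]["ts"]) > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            users = sorted({e["user"] for e in evs[start:end + 1]})
            prev = alerts.get(src)
            if prev is None or count > prev["count"]:  # keep the densest window
                alerts[src] = {
                    "src": src, "count": count, "users": users,
                    "first": evs[start]["ts"], "last": evs[end]["ts"],
                    # Heuristic: many distinct accounts per attempt looks like spraying.
                    "pattern": "password_spray" if len(users) >= threshold // 2
                    else "account_bruteforce",
                }
    return sorted(alerts.values(), key=lambda a: a["src"])


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f'{a["src"]}: {a["count"]} failures {a["first"]}..{a["last"]} '
              f'against {a["users"]} ({a["pattern"]})')
```

On real data the same loop runs over events exported from the Security log; the threshold and window should be tuned per environment, and a source that only ever hits one account at a low rate (like the 192.0.2.9 sample) is exactly the case a naive per-hour count would miss or over-report.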

A complete analysis of the components can be found in the research paper available below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.

Download the whitepaper

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.

About the author

Radu Tudorica

Radu TUDORICA is a security researcher at Bitdefender, based in Iasi, Romania. Passionate about malware research, advanced persistent threats and cybercrime investigations, his hobbies involve reverse engineering and taking hardware apart and putting it back together again.

About the author

Alexandru MAXIMCIUC

Team Lead, Cyber Threat Intelligence Lab

Alexandru "Sasha" Maximciuc is a veteran security researcher with more than a decade of experience. His research is mostly focused on exploits, advanced persistent threats, cybercrime investigations, and packing technologies.

About the author

Cristina VATAMANU

Senior Team Lead, Cyber Threat Intelligence Lab

Cristina Vatamanu is Senior Team Lead in the Cyber Threat Intelligence Lab at Bitdefender. She is based in Iasi, Romania, and has more than 10 years of forensic work under her belt, covering malware analysis, cybercrime investigations and research projects on antimalware tool optimization. She graduated in Computer Science and holds a PhD on machine learning in hybrid models for detecting malicious programs.