
Trickbot Thrives Again with Virtual Network Computing Module

Trickbot malware was recently observed adding Zeus flavor to its modules. It was also recently seen plugging in a new Virtual Network Computing (VNC) module that helps an actor monitor high-profile targets and gather intelligence from them.

Trickbot's recent update

As a recent improvement, Trickbot maintainers have introduced an update to its VNC module (vncDll), which is used for remote control over infected systems. Furthermore, the attackers have increased the number of C2 servers deployed across the globe.
  • Bitdefender researchers stated that this new version of Trickbot, called tvncDll, was used to compromise high-profile targets.
  • The tvncDll module, which is reportedly still under development, allows actors to scan victims’ systems and steal sensitive data.
  • The attackers have used a software application called VNCView to connect to victims’ computers.
  • The module uses a custom communication protocol and reaches the C2 server through one of nine proxy IP addresses to target the victims behind firewalls.

Work in progress

Several new findings indicate that the new modules are a work in progress.
  • The group behind tvncDll has set a frequent update schedule, with the regular addition of new functionalities and bug fixes.
  • In addition, the VNC component has an under-development function called native-browser, which aims to steal passwords from Google Chrome, Internet Explorer, Mozilla Firefox, and Opera. Currently, it is active only for Internet Explorer.

Trickbot's uprising

  • According to Bitdefender, the number of C2 servers has jumped from around 40 in January to more than 140 in June. The majority of the C2 servers are located in North America (54).
  • According to Check Point, Trickbot has impacted 7% of organizations across the world, followed by the XMRig cryptocurrency miner and the Formbook info stealer, which affected 3% of organizations.

Summing up

Trickbot’s activities prove how dangerous it can be even in its resurgence phase. The vncDll module is only one of several steps in the evolution of Trickbot. The frequent developments in Trickbot’s lifecycle and its accelerated rate of propagation highlight the massive threat it poses.

Cyware Publisher
