First discovered in 2016, TrickBot is an information stealer that provides backdoor access sometimes used by criminal groups to distribute other malware. TrickBot uses modules to perform different functions, and one key function is propagating from an infected Windows client to a vulnerable Domain Controller (DC). TrickBot currently uses three modules for propagation. As early as April 2020, TrickBot updated one of its propagation modules known as “mworm” to a new module called “nworm.” Infections caused through nworm leave no artifacts on an infected DC, and they disappear after a reboot or shutdown.
Other key differences of the new nworm module include:
- It retrieves an encrypted, or otherwise encoded binary, over network traffic that represents a TrickBot executable file (the old mworm module sent it as an executable file without any sort of encryption/encoding).
- A TrickBot infection caused by the new mworm module is run from system RAM and does not appear to remain persistent on an infected host.
- This is a much better method of evading detection on an infected DC.
TrickBot is a significant threat that has received high-profile coverage in recent years, and this is a notable evolution. This blog reviews TrickBot modules, and it covers characteristics of the new nworm module in greater detail.
Source: Palo Alto