Cybersecurity researchers have opened the lid to the ongoing resurgence of the malicious malware Trickbot and made clear that a Russia-based transnational cybercrime group is working behind the scenes to improve its offensive infrastructure in response to recent law enforcement opposition.
BitDefender said in a technical statement that the newly discovered capability [command-and-control] about victims will be used to monitor victims by using secret communication protocols to hide data transmission between servers and victims. Information has been collected.
The researchers added, “Trickbot shows no indications of stopping down.”
Botnets are created when hundreds or thousands of hacked devices connect to networks operated by criminal operators. Which are then widely used to launch network denial attacks to kill critical businesses and infrastructure with fake traffic to take them offline. However, with control over these devices, malicious participants can also use botnets to spread malware and spam. And maybe to spread file-encrypting ransomware on infected computers too.
Trickbots are no different. The notorious cyber-crime gang behind the operation was called the Wizard Spiders. These spiders have experience running infected machines to steal sensitive information, spin sideways on networks. And even load other malware like ransomware, adding new functionality, to increase effectiveness.
Attack Overview
“TrickBot has evolved to take the sophisticated infrastructure that compromises third-party servers and use it to host malware”. Lumens Black Lotus Labs announced last October. “It infects consumer equipment like as DSL routers, and its criminal operators change their IP addresses and infected hosts on a regular basis to make stopping their operations as difficult as possible.”
The botnet has survived two download attempts by Microsoft and US Cyber command. With operators developing a firmware manipulation component that allows hackers to load backdoors into a single expandable firmware interface (UEFI) for antivirus detection. And Software – Avoid updates or even complete uninstall and install reset computer operating system.
Bitdefender has now determined that threat actors are actively developing an updated version of a module called “vncDll” since it uses against high-profile targets selected for monitoring and intelligence gathering. The new version has called “tvncDll”.
The new module has designed to communicate with one of the nine management and control (C2) servers. Moreover, the servers specified in its configuration file to obtain a series of attack commands, download more malware. And also recover the data collected by the machine to obtain the computer server. The researchers also said they had identified a “filtering tool” that attackers used to interact with victims via C2 servers.
While efforts to lubricate the gang’s operations may not be entirely successful. Moreover, Microsoft told The Daily Beast that they have been working with Internet Service Providers (ISPs). They are working to replace door-to-door routers used by the malicious Trickbot Software to have been compromising in Brazil and Latin America. And that effectively shut down the Trickbot infrastructure in Afghanistan.
