The hackers behind TrickBot cybercrime have released the XNUMXth version of the malware, with additional features to prevent it from being detected.
TrickBot is usually installed via phishing emails or other malware. Once installed, TrickBot will run silently on the computer of the victim, while simultaneously downloading other modules to perform different tasks.
These modules perform a wide range of malicious activity, including stealing the Active database Directory Services of a domain, of their spread in a network, of locking οθόνης, της κλοπής των cookie και των κωδικών πρόσβασης του προγράμματος περιήγησης και της κλοπής κλειδιών OpenSSH .
TrickBot is known to complete an attack by giving access to the hackers behind ransomware Ryuk and Conti to make matters worse.
New features added to TrickBot v100
After Microsoft and its partners launched a coordinated attack on the TrickBot infrastructure last month, they hoped the hackers would take some time to recover.
Unfortunately, the TrickBot gang is still active, as evidenced by the release of the XNUMXth version of its malware.
This latest version was discovered by Vitali Kremez of Advanced Intel, who found that they added new features to make it more difficult to detect.
With this version, TrickBot now inserts its own dll into the legally executable Windows wermgr.exe file (Windows Troubleshooting), directly from memory using code from the "MemoryModule" project.
"MemoryModule is a library that can be used to fully load a DLL from memory - without first saving it to disk," she explains. σελίδα of the MemoryModule project on GitHub.
Initially start as an executable file, TrickBot will be inserted into wermgr.exe and then terminate the original TrickBot executable.
According to Kremez, during the "injection" of DLL, he will do it using Doppel Hollowing or he will edit doppelganging , to avoid detection by software security.
Unfortunately, this means that TrickBot is here to stay in the near future and consumers and businesses need to stay alert and be smart with the email attachments that open.
