14 January 2020

TrickBot gang updated its arsenal with the PowerTrick backdoor for high-value targets

The operators behind the TrickBot banking malware have developed a new PowerShell backdoor designed to compromise high-value targets, such as financial institutions, new research from SentinelOne reveals.

Initially, the TrickBot malware, believed to be the successor of the Dyre financial trojan, focused primarily on banking fraud. Over the years it has shifted its focus to enterprise environments and its functionality has diversified to include network profiling, mass data collection and the ability to drop additional payloads.

The new tool, which SentinelOne dubbed PowerTrick, serves as a fileless post-exploitation framework allowing its operators to perform stealthy and persistent reconnaissance and lateral movement inside of target networks.

“Their offensive tooling such as ‘PowerTrick’ is flexible and effective which allows the TrickBot cybercrime actors to leverage them to augment on the fly and stay stealthy as opposed to using larger more open source systems such as PowerShell Empire,” the report said.

“The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks.”

In the observed attacks the backdoor was deployed as a PowerShell task through normal TrickBot infections, using a repurposed backconnect module called “NewBCtest” that accepts commands to execute.

PowerTrick is designed to execute commands and return the results in Base64 format; the system uses a UUID generated from computer information as a “botID.”

Once PowerTrick has been installed on a victim machine, it conducts an initial scan, waits for further commands and sends the results back to its operators. The PowerTrick backdoor is used in conjunction with other frameworks and offensive tools, such as the open-source exploitation framework Metasploit, for profiling and pivoting.

Once the system and network have been profiled, the attackers perform a cleanup, deleting any files that did not execute properly. They then move laterally inside the compromised network to high-value systems, such as financial gateways.

Among the tools that PowerTrick has been observed installing are the TrickBot Anchor malware, which is used as an attack framework for enterprise environments, and the More_Eggs JavaScript backdoor.
