The operators behind the TrickBot banking malware have developed a new PowerShell backdoor designed to compromise high-value targets, such as financial institutions, new research from SentinelOne reveals.
Initially, the TrickBot malware, believed to be a successor of the Dyre financial trojan, focused primarily on banking fraud, but over the years it has shifted toward enterprise environments, with functionality that has become more diversified, including network profiling, mass data collection, and the ability to drop additional payloads.
The new tool, which SentinelOne dubbed PowerTrick, serves as a fileless post-exploitation framework that allows its operators to perform stealthy and persistent reconnaissance and lateral movement inside target networks.
“Their offensive tooling such as ‘PowerTrick’ is flexible and effective, which allows the TrickBot cybercrime actors to leverage them to augment on the fly and stay stealthy as opposed to using larger, more open-source systems such as PowerShell Empire,” the report said.
“The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks.”
In the observed attacks the backdoor was deployed as a PowerShell task through normal TrickBot infections, using a repurposed backconnect module, called “NewBCtest”, that can accept commands to execute.
PowerTrick is designed to execute commands and return the results in Base64 format; the system uses a UUID generated from computer information as a “botID.”
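Because the backdoor hands its command output back Base64-encoded, one practical defender check is to pull Base64 runs out of PowerShell script-block logs and see which ones decode to readable command output. The following is an added example written for this page, not SentinelOne's research code or anything recovered from PowerTrick: the log lines are constructed (the Base64 blob is built inline from a made-up reconnaissance result), the 24-character minimum run length and the 95% printable-text threshold are tuning choices, and the function names are this example's own.

```python
import base64
import re
import string

# Constructed sample output of a reconnaissance command. It exists only so the
# log lines below contain a realistic encoded blob; it is not a real capture.
SAMPLE_OUTPUT = "Name: WORKSTATION-01\r\nDomain: corp.example\r\nUser: jdoe\r\n"

# Constructed log lines in the shape of PowerShell script block logging
# (Event ID 4104). Only the third line carries an encoded result; the rest
# are benign or too short to be interesting.
SAMPLE_LOG_LINES = [
    "4104 ScriptBlockText: Get-ChildItem -Path C:\\Users",
    "4104 ScriptBlockText: $r = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($out)); $r",
    "4104 ScriptBlockText: " + base64.b64encode(SAMPLE_OUTPUT.encode()).decode(),
    "4104 ScriptBlockText: Write-Host 'SGVsbG8'",  # 7 chars, below the run threshold
]

# A run of at least 24 Base64 alphabet characters, optionally padded.
# 24 is a tuning choice: short enough to catch small results, long enough to
# skip ordinary identifiers.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
PRINTABLE = set(string.printable)


def decode_b64_candidate(blob):
    """Return the decoded text if `blob` is valid Base64 that decodes to
    mostly printable UTF-8, otherwise None (binary or junk is ignored)."""
    padded = blob + "=" * (-len(blob) % 4)  # repair stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text:
        return None
    printable_ratio = sum(c in PRINTABLE for c in text) / len(text)
    if printable_ratio < 0.95:  # tuning choice: drop blobs that are really binary
        return None
    return text


def find_encoded_results(lines):
    """Return a list of (line_index, decoded_text) for every Base64 run in
    `lines` that decodes to readable text."""
    hits = []
    for i, line in enumerate(lines):
        for match in B64_RUN.finditer(line):
            text = decode_b64_candidate(match.group(0))
            if text is not None:
                hits.append((i, text))
    return hits


if __name__ == "__main__":
    for idx, decoded in find_encoded_results(SAMPLE_LOG_LINES):
        print(f"line {idx}: decoded {len(decoded)} bytes")
        print(decoded)
```

This is a triage aid rather than a PowerTrick signature: any tool that returns Base64-encoded output will surface the same way, so the decoded text, not the presence of Base64, is what an analyst should judge.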
Once PowerTrick has been installed on victim machines, it conducts an initial scan, waits for more commands and sends back results to its operators. The PowerTrick backdoor is used in conjunction with other frameworks and offensive tools, such as open-source exploitation framework Metasploit, for profiling and pivoting.
Once the system and network have been profiled, the attackers perform a cleanup, deleting any existing files that did not execute properly. They then move laterally inside the compromised network toward high-value systems, such as financial gateways.