14 January 2020

TrickBot gang updated its arsenal with the PowerTrick backdoor for high-value targets

The operators behind the TrickBot banking malware have developed a new PowerShell backdoor designed to compromise high-value targets, such as financial institutions, new research from SentinelOne reveals.

Initially, the TrickBot malware, which is believed to be a successor of the Dyre financial trojan, was primarily focused on banking fraud, but over the years it has shifted its focus to enterprise environments, and its functionality has diversified to include network profiling, mass data collection, and the ability to drop additional payloads.

The new tool, which SentinelOne dubbed PowerTrick, serves as a fileless post-exploitation framework allowing its operators to perform stealthy and persistent reconnaissance and lateral movement inside of target networks.

“Their offensive tooling such as ‘PowerTrick’ is flexible and effective which allows the TrickBot cybercrime actors to leverage them to augment on the fly and stay stealthy as opposed to using larger, more open source systems such as PowerShell Empire,” the report said.

“The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks.”

In the observed attacks the backdoor was deployed as a PowerShell task through normal TrickBot infections, utilizing a repurposed backconnect module, called “NewBCtest”, that can accept commands to execute.

PowerTrick is designed to execute commands and return the results in Base64 format; the system uses a UUID generated from computer information as a “botID.”

Once PowerTrick has been installed on a victim machine, it conducts an initial scan, waits for further commands and sends the results back to its operators. The PowerTrick backdoor is used in conjunction with other frameworks and offensive tools, such as the open-source exploitation framework Metasploit, for profiling and pivoting.
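The Base64-wrapped command output and the PowerShell task delivery described above are the features a defender can look for in PowerShell script-block logs (Event ID 4104). The following is an added example, not code from SentinelOne's report or from the malware itself: it scans constructed log lines for long Base64 blobs, decodes them, and flags those that decode to readable text that looks like PowerShell. The sample log lines, the 32-character length threshold and the keyword heuristic are assumptions made for this example.

```python
import base64
import binascii
import re
import string

# Constructed sample lines standing in for PowerShell ScriptBlock logging output.
# These are NOT from the SentinelOne report; they are made up to exercise the detector.
SAMPLE_LOG_LINES = [
    "4104 Get-ChildItem C:\\Users | Out-Null",
    "4104 [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($r))",
    # A command result wrapped in Base64, the pattern described in the article.
    "4104 " + base64.b64encode(b"Get-Process | Select Name; Get-NetIPAddress").decode(),
    "4104 Write-Host 'SGVsbG8='",  # short blob, below the length threshold
]

# A run of at least 32 Base64 characters, optionally padded, not embedded in a longer token.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{32,}={0,2}(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable)
# PowerShell verb-noun cmdlet shape, e.g. Get-Process (assumed heuristic).
CMDLET_RE = re.compile(r"\b(Get|Set|Invoke|New|Start|Select)-\w+")


def decode_blob(blob):
    """Return the decoded text if blob is valid Base64 that decodes to printable text, else None.

    Both UTF-8 (what ToBase64String over UTF8.GetBytes produces) and UTF-16LE
    (what PowerShell's -EncodedCommand expects) are tried.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and all(ch in PRINTABLE for ch in text):
            return text
    return None


def looks_like_powershell(text):
    """Heuristic: decoded text contains a verb-noun cmdlet name."""
    return CMDLET_RE.search(text) is not None


def scan_log(lines):
    """Return one finding per decodable Base64 blob: line index, blob, decoded text, cmdlet flag."""
    findings = []
    for idx, line in enumerate(lines):
        for blob in B64_RE.findall(line):
            text = decode_blob(blob)
            if text is None:
                continue
            findings.append({
                "line": idx,
                "blob": blob,
                "decoded": text,
                "powershell": looks_like_powershell(text),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        flag = "POWERSHELL" if f["powershell"] else "text"
        print(f"line {f['line']}: [{flag}] {f['decoded']!r}")
```

Run against real 4104 events, the decoder turns an opaque blob back into the command or result it carries, so an analyst can see at a glance whether an encoded script block is benign tooling or something to investigate; the length threshold keeps short legitimate tokens such as hashes out of the results.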

Once the system and network have been profiled, the attackers perform a cleanup, deleting any existing files that did not execute properly. They then move laterally inside the compromised network toward high-value systems, such as financial gateways.

Among the tools that PowerTrick has been observed installing are the TrickBot Anchor malware (which is used as an attack framework for enterprise environments) and the More_Eggs JavaScript backdoor.
