TrickBot malware gets a new feature for RDP brute-forcing operations

A new module for the infamous TrickBot malware has been discovered in the wild that lets attackers compromise Windows systems by brute-forcing accounts via the Remote Desktop Protocol (RDP). The attacks were aimed at targets mostly in telecoms, education, and financial services in the US and Hong Kong, according to Bitdefender researchers.

The new module, dubbed “rdpScanDll”, was discovered on January 30 and is said to be still in development. During its analysis of the rdpScanDll module, Bitdefender gained visibility into several updates to the lists of targeted IPs – in all, these contained more than 6,000 IP addresses. “The modus operandi is similar to that of other plugins. The TrickBot executable will download the plugin and its configuration file (from one of the available online C&Cs) containing a list of servers with whom the plugin will communicate to retrieve commands to be executed. TrickBot will load the plugin, executing the “start” and “control” exported functions, passing the configuration file as an argument for the last mentioned function,” the researchers wrote.

The module shares the configuration file with another module, vncDll, but uses different URL endpoints to distinguish itself.

rdpScanDll has three attack modes: Check, Trybrute, and Brute. The Check mode tests whether an RDP connection can be established to each host on the list of targets, the Trybrute mode performs a brute-force operation against the list of targeted IPs, and the Brute mode appears to be still in development, as it does not function properly.

“Besides the inclusion in the executable of a set of functions that aren’t called, the attack mode brute seems broken. The brute attack mode doesn’t fetch the username list, causing the plugin to use null passwords and usernames to authenticate on the targets list,” the researchers say.
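From the defender's side, the behaviour described above (many failed RDP logons from one source, plus attempts with an empty account name from the broken Brute mode) is visible in the Windows Security log as Event ID 4625. The following is an added example, not code from the Bitdefender report or from TrickBot, showing a small detector run over constructed sample events: it counts 4625 failures per source IP inside a sliding time window and separately flags logon attempts with a null or empty username. The field names (TargetUserName, IpAddress, LogonType) mirror the event's XML data; the threshold, window, IP addresses and timestamps are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (Event ID 4625 = failed logon,
# 4624 = successful logon). Values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2020-01-30T10:00:00", "TargetUserName": "administrator", "IpAddress": "203.0.113.5", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2020-01-30T10:00:20", "TargetUserName": "admin",         "IpAddress": "203.0.113.5", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2020-01-30T10:00:40", "TargetUserName": "user",          "IpAddress": "203.0.113.5", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2020-01-30T10:01:00", "TargetUserName": "guest",         "IpAddress": "203.0.113.5", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2020-01-30T10:01:20", "TargetUserName": "test",          "IpAddress": "203.0.113.5", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2020-01-30T10:01:40", "TargetUserName": "backup",        "IpAddress": "203.0.113.5", "LogonType": 10},
    # Empty account name: the kind of attempt the report attributes to the broken Brute mode.
    {"EventID": 4625, "TimeCreated": "2020-01-30T10:02:00", "TargetUserName": "",              "IpAddress": "198.51.100.9", "LogonType": 3},
    # A single typo'd password from a legitimate user, followed by success: should not alert.
    {"EventID": 4625, "TimeCreated": "2020-01-30T10:02:30", "TargetUserName": "alice",         "IpAddress": "192.0.2.20",  "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2020-01-30T10:03:00", "TargetUserName": "alice",         "IpAddress": "192.0.2.20",  "LogonType": 10},
    # Console (interactive) failure, not RDP: ignored by the RDP filter.
    {"EventID": 4625, "TimeCreated": "2020-01-30T10:03:10", "TargetUserName": "bob",           "IpAddress": "203.0.113.5", "LogonType": 2},
]

# Logon type 10 is RemoteInteractive (RDP). With Network Level Authentication enabled,
# failed RDP attempts are commonly recorded as type 3 (Network), so both are accepted.
RDP_LOGON_TYPES = {10, 3}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Scan failed-logon events and return a list of alerts.

    An 'rdp_bruteforce' alert is raised once per source IP when it accumulates
    `threshold` failed RDP logons within `window`. A 'null_username_attempt'
    alert is raised for every failed logon whose account name is empty.
    """
    alerts = []
    recent = defaultdict(deque)  # source IP -> timestamps of failures inside the window
    flagged = set()              # IPs already reported, to avoid repeating the alert

    # ISO-8601 timestamps sort correctly as strings, so this orders events by time.
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 4625 or ev["LogonType"] not in RDP_LOGON_TYPES:
            continue

        ip = ev["IpAddress"]
        ts = datetime.fromisoformat(ev["TimeCreated"])
        user = ev["TargetUserName"].strip()

        if user in ("", "-"):
            alerts.append({"type": "null_username_attempt", "ip": ip, "time": ev["TimeCreated"]})

        q = recent[ip]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()

        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({
                "type": "rdp_bruteforce",
                "ip": ip,
                "failures": len(q),
                "window_start": q[0].isoformat(),
                "window_end": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields two alerts: one brute-force alert for 203.0.113.5 after its fifth failure, and one null-username alert for 198.51.100.9; the single failure from 192.0.2.20 and the console logon failure produce nothing. In a real deployment the threshold and window would be tuned to the environment, and the source IPs would be correlated against the targeted-IP lists published in the report.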

The Bitdefender report also details TrickBot's update delivery mechanism, pointing out that wormDll, shareDll, and tabDll are the most frequently updated malicious plugins (these are used for lateral movement).

“While monitoring the updates of malicious plugins, we observed that the most frequently updated ones were those performing lateral movement: 32.07% of them were wormDll, 31.44% were shareDll and 16.35% were tabDll. The rest of the plugins had fewer than 5% occurrences,” the report reads.

“The new rdpScanDll module may be the latest in a long line of modules that have been used by the TrickBot Trojan, but it’s one that stands out because of its use of a highly specific list of IP addresses. While the module seems to be under development, as one attack mode seems broken, newer versions of rdpScanDll will likely fix this and potentially add new ones,” the researchers say.
