The infamous TrickBot cyberattack group has developed a new backdoor to monitor valuable victim systems post-exploit.
Dubbed PowerTrick, the post-exploitation tool’s end goal is to “bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks,” SentinelLabs researchers Vitali Kremez, Joshua Platt, and Jason Reaves said on Thursday.
TrickBot cybercriminals specialize in the theft of banking credentials worldwide, often from enterprise companies. Trojans linked to the group are in a constant state of evolution, with new modules and tools in development to stay one step ahead of IT teams and to conduct both data exfiltration and persistence.
In the latter half of last year, researchers warned that alongside powerful Trojans, backdoors, and web injection techniques, the developers have expanded their arsenal with tools designed for SIM-swapping attacks. TrickBot malware has also been linked to cryptocurrency-based theft.
The new tool is likely launched through Windows PowerShell, the researchers say. A repurposed TrickBot module called “NewBCtest” has been tweaked to accept commands for execution, including the establishment of a larger backdoor further down the attack chain.
SentinelLabs says the method employed is similar to the open-source PowerShell Empire, but in order to stay covert, TrickBot has chosen to design PowerTrick to “be flexible” and to allow augmentation “on the fly.”
Scans profile the infected system, and the results, together with a unique user ID, are sent via the backdoor to a command-and-control (C2) server controlled by the attackers.
PowerTrick will also utilize the exploitation framework Metasploit and various PowerShell utilities to pivot to networked drives and systems, deploy additional malware, and perform clean-up tasks and detonation.
“They remove any existing files that did not execute properly and move on to a different target of choice or perform lateral movement inside the environment to high-value systems such as financial gateways,” the team says.
It is this lateral movement that should concern enterprise companies. As we’ve seen with the recent Travelex incident, malware able to spread and encrypt — or steal — data across a networked environment can prove to be disastrous.
TrickBot has also recently been connected to “Anchor,” a toolset that appears to provide a link between the operators and North Korean hacking groups.