Researchers are warning that the TrickBot malware is not showing any signs of slowing down. As per the latest reports on the notorious botnet, the cybercrime organization behind this threat is revamping its infrastructure in response to recent countermeasures taken by law enforcement.
The newly detected capabilities have been used to spy on victims and collect information from them by means of a custom communication protocol that conceals data transfers between the command-and-control servers and the victims, thereby making attacks harder to detect.
In October last year, Black Lotus Labs revealed that TrickBot had evolved to compromise third-party servers and use them to host malware. It has also been discovered that the botnet has been targeting DSL routers and other customer appliances. To ensure maximum stealth, the criminal group behind the malware has been continuously rotating its IP addresses and compromised hosts, effectively avoiding detection.
The botnet operators have found methods to introduce new firmware components that may help them survive antivirus detection, software upgrades, or even a complete wipe and reinstallation of the operating system. This increase in the sophistication of the TrickBot group’s tactics has, so far, helped them survive the takedown attempts of the U.S. Cyber Command and Microsoft.
For the moment, researchers who are keeping a close eye on the botnet reveal that the hacking group has been actively working on an upgraded version of a module named “vncDll”. The threat actors have been using it to monitor and collect intelligence on selected high-profile targets.
As per the reports, the name of the new version of the module is “tvncDll” and, from what has been discovered, it is built to interact with one of the nine C2 servers. When active, the “tvncDll” module can obtain a set of attack instructions, download additional malware payloads, and exfiltrate collected data back to the server. Researchers have also revealed that the attackers use a “viewer tool” to communicate with the victims.
A botnet, such as TrickBot, is made up of tens or hundreds of compromised devices that are brought into a network controlled by criminals. The hackers typically use them to execute denial-of-service (DoS) attacks with the goal of crippling companies and vital infrastructure. Botnets also give people with malicious intentions a way to distribute malware and spam, as well as to infect machines with ransomware that encrypts the hard drive.