June 1, 2020 By David Bisson 2 min read

Security researchers discovered that the Trickbot Trojan has replaced its “mworm” propagation method with a new “nworm” module.

In April 2020, Palo Alto Networks’ Unit 42 observed Trickbot deploy its new propagation method during an attack on a laboratory environment, where the malware produced nworm on an infected Windows 7 client. Using a Server Message Block (SMB) exploit, the module moved Trickbot from that client to a Windows domain controller (DC).

Trickbot’s newest module replaced mworm, a propagation capability that the malware first began using in September 2019. Like mworm, the new module only appeared when the infection occurred in an Active Directory (AD) environment with a DC. When nworm did infect a vulnerable DC, however, the malware ran from memory and left no artifacts on disk, which helped it evade detection. The trade-off is that Trickbot didn’t survive a reboot of the infected DC. Unit 42 noted that this limitation posed little problem for the malware, given that DCs and servers are rebooted far less often than Windows clients.

A Look Back at Trickbot’s Recent Attacks

Back in January, SentinelOne observed the malware enterprise leveraging its PowerTrick backdoor as a means of preying upon high-value targets. In March, Fortinet detected a new variant of the malware being distributed by a Microsoft Word document. A month later in April, Zscaler detected that Trickbot’s handlers had made several changes to their creation, including the addition of several Italian banks to Trickbot’s list of targets.

Defend Against Trickbot’s Nworm Module

Security professionals can help defend against nworm and Trickbot’s other propagation modules by using security information and event management (SIEM) data to understand which relevant software vulnerabilities, such as the SMB flaw the module exploits, are present and exposed in their environment. They should then share this information to break down organizational silos and remediate those vulnerabilities on a timely basis.
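The following is an added example, not code from the article or from Unit 42. It shows one way to turn SIEM-style inventory data into a remediation priority list for the scenario the article describes: hosts with an unremediated SMB vulnerability, reachable over SMB, that are domain controllers, and DCs with long uptimes, on which a memory-resident infection like the one described would persist. The record layout (`HostRecord` fields), the sample hosts and the score weights are all assumptions constructed for the example; a real SIEM export will look different.

```python
"""Rank hosts for SMB-vulnerability remediation from SIEM-style inventory data.

Added example, not part of the original article. The HostRecord layout and
the score weights are assumptions; adapt them to the fields your SIEM exports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRecord:
    host: str
    role: str                  # assumed values: "dc", "server" or "client"
    smb_exposed: bool          # SMB reachable from client networks
    unpatched_smb_vuln: bool   # scanner reports an unremediated SMB flaw
    uptime_days: int           # days since the host was last rebooted


# Constructed sample inventory for the example; not real hosts.
SAMPLE_RECORDS = [
    HostRecord("dc01", "dc", smb_exposed=True, unpatched_smb_vuln=True, uptime_days=90),
    HostRecord("dc02", "dc", smb_exposed=True, unpatched_smb_vuln=False, uptime_days=5),
    HostRecord("srv01", "server", smb_exposed=True, unpatched_smb_vuln=True, uptime_days=40),
    HostRecord("ws07", "client", smb_exposed=False, unpatched_smb_vuln=True, uptime_days=2),
]

LONG_UPTIME_DAYS = 30  # assumed threshold for "rarely rebooted"


def risk_score(rec: HostRecord) -> tuple[int, list[str]]:
    """Return an additive risk score and the reasons that contributed to it."""
    score = 0
    reasons = []
    if rec.unpatched_smb_vuln:
        score += 50
        reasons.append("unpatched SMB vulnerability")
    if rec.smb_exposed:
        score += 20
        reasons.append("SMB reachable from client networks")
    if rec.role == "dc":
        score += 30
        reasons.append("domain controller: lateral-movement target")
        if rec.uptime_days > LONG_UPTIME_DAYS:
            # A memory-only infection is cleared by a reboot, so a DC that is
            # rarely rebooted would keep such an infection for a long time.
            score += 10
            reasons.append("long uptime: memory-resident infection would persist")
    return score, reasons


def prioritize(records: list[HostRecord]) -> list[tuple[str, int, list[str]]]:
    """Return (host, score, reasons) ordered highest risk first; ties by host name."""
    scored = [(r.host, *risk_score(r)) for r in records]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, score, reasons in prioritize(SAMPLE_RECORDS):
        print(f"{host:6} {score:4}  {'; '.join(reasons)}")
```

The output is a remediation queue rather than an alert: the DC that is both exposed and unpatched sorts to the top, and the reasons list gives the vulnerability and infrastructure teams a shared explanation of why that host comes first.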
