June 1, 2020 By David Bisson 2 min read


Security researchers discovered that the Trickbot Trojan has replaced its “mworm” propagation method with a new “nworm” module.

In April 2020, Palo Alto Networks’ Unit 42 observed Trickbot deploy its new propagation method during an attack on a laboratory environment in which the malware produced nworm on an infected Windows 7 client. Via the use of a Server Message Block (SMB) exploit, the method helped Trickbot move to a Windows domain controller (DC).

Trickbot’s newest module replaced mworm, a propagation capability that the malware first began using in September 2019. Like mworm, its latest feature didn’t appear unless the malware infection occurred in an Active Directory (AD) environment with a DC. When it did infect a vulnerable DC via nworm, however, the malware ran from memory and left no artifacts as a means of evading detection. Additionally, Trickbot didn’t survive a reboot of the infected DC. Unit 42 noted that this property didn’t pose an issue for the malware, given the fact that DCs and servers don’t shut down as frequently as Windows clients.

A Look Back at Trickbot’s Recent Attacks

Back in January, SentinelOne observed the malware enterprise leveraging its PowerTrick backdoor as a means of preying upon high-value targets. In March, Fortinet detected a new variant of the malware being distributed by a Microsoft Word document. A month later in April, Zscaler detected that Trickbot’s handlers had made several changes to their creation, including the addition of several Italian banks to Trickbot’s list of targets.

Defend Against Trickbot’s Nworm Module

Security professionals can help defend against nworm and Trickbot’s other propagation modules by using security information and event management (SIEM) data to learn about the context of relevant software vulnerabilities. They should then share this information in order to break down organizational silos and remediate vulnerabilities on a timely basis.

More from

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything.But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists in…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today