June 1, 2020 By David Bisson 2 min read

Security researchers discovered that the Trickbot Trojan has replaced its “mworm” propagation method with a new “nworm” module.

In April 2020, Palo Alto Networks’ Unit 42 observed Trickbot deploy its new propagation method during an attack on a laboratory environment in which the malware produced nworm on an infected Windows 7 client. Via the use of a Server Message Block (SMB) exploit, the method helped Trickbot move to a Windows domain controller (DC).

Trickbot’s newest module replaced mworm, a propagation capability that the malware first began using in September 2019. Like mworm, its latest feature didn’t appear unless the malware infection occurred in an Active Directory (AD) environment with a DC. When it did infect a vulnerable DC via nworm, however, the malware ran from memory and left no artifacts as a means of evading detection. Additionally, Trickbot didn’t survive a reboot of the infected DC. Unit 42 noted that this property didn’t pose an issue for the malware, given the fact that DCs and servers don’t shut down as frequently as Windows clients.

A Look Back at Trickbot’s Recent Attacks

Back in January, SentinelOne observed the malware enterprise leveraging its PowerTrick backdoor as a means of preying upon high-value targets. In March, Fortinet detected a new variant of the malware being distributed by a Microsoft Word document. A month later in April, Zscaler detected that Trickbot’s handlers had made several changes to their creation, including the addition of several Italian banks to Trickbot’s list of targets.

Defend Against Trickbot’s Nworm Module

Security professionals can help defend against nworm and Trickbot’s other propagation modules by using security information and event management (SIEM) data to learn about the context of relevant software vulnerabilities. They should then share this information in order to break down organizational silos and remediate vulnerabilities on a timely basis.

More from

How to calculate your AI-powered cybersecurity’s ROI

4 min read - Imagine this scenario: A sophisticated, malicious phishing campaign targets a large financial institution. The attackers use emails generated by artificial intelligence (AI) that closely mimic the company's internal communications. The emails contain malicious links designed to steal employee credentials, which the attackers could use to gain access to company assets and data for unknown purposes.The organization's AI-powered cybersecurity solution, which continuously monitors network traffic and user behavior, detects several anomalies associated with the attack, blocks access to the suspicious domains…

Being a good CLR host – Modernizing offensive .NET tradecraft

14 min read - The modern red team is defined by its ability to compromise endpoints and take actions to complete objectives. To achieve the former, many teams implement their own custom command-and-control (C2) or use an open-source option. For the latter, there is a constant stream of post-exploitation tooling being released that takes advantage of various features in Windows, Active Directory and third-party applications. The execution mechanism for this tooling has, for the last several years, relied heavily on executing .NET assemblies in…

The current state of ransomware: Weaponizing disclosure rules and more

4 min read - As we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage.What once seemed like a disruptive but relatively straightforward crime has evolved into a multi-layered, global challenge that continues to threaten businesses and governments alike.Let’s take a look at the state of ransomware today. We’ll focus on how cyber criminals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today