The Trickbot malware has added a Zeus flavor to its modules. It has recently been observed with a new Virtual Network Computing (VNC) module plugged in, which helps an actor monitor high-profile targets and collect information from them.
Trickbot’s recent upgrade
Trickbot's maintainers have just updated their VNC module (vncDll), which enables remote control of infected PCs. In addition, the number of C2 servers the attackers have deployed worldwide has increased.
- Security researchers have stated that this new Trickbot module, released as tvncDll, has been used by threat actors against high-profile targets.
- The tvncDll module, which is currently in development, can scan victims’ systems and extract sensitive information.
- The attackers used VNCView, a software application, to connect to victims' computers.
- The module uses its own communication protocol and reaches the C2 server through one of nine proxy IP addresses, which lets it target victims that are shielded by firewalls.
Work in Progress
Several recent findings show that new modules have been developed.
- tvncDll is on a frequent update schedule, with new functions and bug fixes being added regularly.
- Moreover, the Native-browser VNC component includes a password-stealing function, still under development, that is intended to work on Google Chrome, Internet Explorer, Mozilla Firefox, and Opera. Currently, the feature is only active for Internet Explorer.
Rise of the Trickbot
- According to security analysts, the number of C2 servers rose from approximately 40 in January to over 140 in June. The majority of C2 servers (54) are based in North America.
- According to other researchers, Trickbot hit 7% of enterprises around the world, while the XMRig cryptocurrency miner and the Formbook info stealer affected 3% of organizations.