Monday, March 1, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Privacy

TrickBot Now Exploits Infected PCs to Launch RDP Brute Force Attacks

March 19, 2020
in Internet Privacy
TrickBot Now Exploits Infected PCs to Launch RDP Brute Force Attacks
585
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

A new module for TrickBot banking Trojan has recently been discovered in the wild that lets attackers leverage compromised systems to launch brute-force attacks against selected Windows systems running a Remote Desktop Protocol (RDP) connection exposed to the Internet.

The module, dubbed “rdpScanDll,” was discovered on January 30 and is said to be still in development, said cybersecurity firm Bitdefender in a report shared with The Hacker news.

You might also like

Cisco Releases Security Patches for Critical Flaws Affecting its Products

Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

According to the researchers, the rdpScanDll brute-forcing module has so far attempted to target 6,013 RDP servers belonging to enterprises in telecom, education, and financial sectors in the U.S. and Hong Kong.

The malware authors behind TrickBot specialize in releasing new modules and versions of the Trojan in an attempt to expand and refine its capabilities.

“The flexibility allowed by this modular architecture has turned TrickBot into a very complex and sophisticated malware capable of a wide range of malicious activities, as long as there is a plugin for it,” the researchers said.

“From add-ons for stealing OpenSSH and OpenVPN sensitive data, to modules that perform SIM-swapping attacks to take control of a user’s telephone number, and even disabling Windows built-in security mechanisms before downloading its main modules, TrickBot is a jack-of-all-trades.”

How Does TrickBot RDP Brute-Force Module Work?

When TrickBot begins its execution, it creates a folder containing the encrypted malicious payloads and their associated configuration files, which includes a list of command-and-control (C2) servers with whom the plugin needs to communicate to retrieve the commands to be executed.

According to Bitdefender, the rdpScanDll plugin shares its configuration file with another module named “vncDll,” while making use of a standard URL format to communicate with the new C2 servers — https://C&C/tag/computerID/controlEndpoint

Here, “C&C” refers to the C2 server, “tag,” the group tag used by the TrickBot sample, “computerID,” the computer ID used by the malware, and “controlEndpoint,” a list of attack modes (check, trybrute and brute) and the list of IP address-port number combinations to be targeted via an RDP brute-force attack.

cyberattack malware

While the “check” mode checks for an RDP connection from the list of targets, the “trybrute” mode attempts a brute force operation on the selected target using a predetermined list of usernames and passwords obtained from endpoints “/rdp/names” and “/rdp/dict” respectively.

The “brute” mode, per the researchers, appears to be still in development. Not only it includes a set of executable functions that aren’t invoked, the mode “doesn’t fetch the username list, causing the plugin to use null passwords and usernames to authenticate on the targets list.”

Once the initial list of targeted IPs gathered via “/rdp/domains” is exhausted, the plugin, then, retrieves another set of fresh IPs using a second “/rdp/over” endpoint.

cyberattack map

The two lists, each comprising 49 and 5,964 IP addresses, included targets located in the US and Hong Kong spanning telecom, education, financial, and scientific research verticals.

Lateral Movement Plugins on Top

In addition, the Bitdefender report detailed TrickBot’s update delivery mechanism, finding that plugins responsible for lateral movement across the network (WormDll, TabDll, ShareDll) received the most updates, followed by modules that helped carry out the ‘system and network’ reconnaissance (SystemInfo, NetworkDll), and data harvesting (ImportDll, Pwgrab, aDll) over the course of last six months.

“While monitoring the updates of malicious plugins, we observed that the most frequently updated ones were those performing lateral movement: 32.07% of them were wormDll, 31.44% were shareDll, and 16.35% were tabDll,” the researchers observed. “The rest of the plugins had fewer than 5% occurrences.”

What’s more, the researchers were able to identify at least 3,460 IP addresses that acted as C2 servers across the world, including 556 servers that were solely dedicated to downloading new plugins and 22 IPs that served both roles.

A History of Evolving Capabilities

Disseminated via email phishing campaigns, TrickBot began its life as a banking Trojan in 2016, facilitating financial theft. But it has since evolved to deliver other kinds of malware, including the notorious Ryuk ransomware, act as an info stealer, loot Bitcoin wallets, and harvest emails and credentials.

The malspam campaigns that deliver TrickBot use third party branding familiar to the recipient, such as invoices from accounting and financial firms.

The emails typically include an attachment, such as a Microsoft Word or Excel document, which, when opened, will prompt the user to enable macros — thereby executing a VBScript to run a PowerShell script to download the malware.

TrickBot is also dropped as a secondary payload by other malware, most notably by the Emotet botnet-driven spam campaign. To gain persistence and evade detection, the malware has been found to create a scheduled task and a service, and even disable and delete Windows Defender antivirus software.

This led Microsoft to roll out a Tamper Protection feature to safeguard against malicious and unauthorized changes to security features last year.

“The new rdpScanDll module may be the latest in a long line of modules that have been used by the TrickBot Trojan, but it’s one that stands out because of its use of a highly specific list of IP addresses,” the researchers concluded.

“Using an existing infrastructure of TrickBot victims, the new module suggests attackers may also be focusing on verticals other than financial, such as telecommunications services and education & research.”


Credit: The Hacker News By: noreply@blogger.com (Ravie Lakshmanan)

Previous Post

NVIDIA Data Science Workstation – Transforming AI and Big Data Analytics

Next Post

A spike in home workers raises MFA resilience questions

Related Posts

Cisco Releases Security Patches for Critical Flaws Affecting its Products
Internet Privacy

Cisco Releases Security Patches for Critical Flaws Affecting its Products

February 27, 2021
Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process
Internet Privacy

Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

February 26, 2021
North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware
Internet Privacy

North Korean Hackers Targeting Defense Firms with ThreatNeedle Malware

February 26, 2021
Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack
Internet Privacy

Russian Hackers Targeted Ukraine Authorities With Supply-Chain Malware Attack

February 26, 2021
Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations
Internet Privacy

Chinese Hackers Using Firefox Extension to Spy On Tibetan Organizations

February 25, 2021
Next Post
A spike in home workers raises MFA resilience questions

A spike in home workers raises MFA resilience questions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

9 Tips to Effectively Manage and Analyze Big Data in eLearning
Data Science

9 Tips to Effectively Manage and Analyze Big Data in eLearning

March 1, 2021
Machine Learning & Big Data Analytics Education Market 2021 Global Industry Size, Reviews, Segments, Revenue, and Forecast to 2027 – NeighborWebSJ
Machine Learning

Machine Learning & Big Data Analytics Education Market 2021 Global Industry Size, Reviews, Segments, Revenue, and Forecast to 2027 – NeighborWebSJ

March 1, 2021
The Future of AI in Insurance
Data Science

The Future of AI in Insurance

March 1, 2021
Machine Learning as a Service (MLaaS) Market Analysis Technological Innovation by Leading Industry Experts and Forecast to 2028 – The Daily Chronicle
Machine Learning

Machine Learning as a Service (MLaaS) Market Global Sales, Revenue, Price and Gross Margin Forecast To 2028 – The Bisouv Network

March 1, 2021
AI And Automation In HR: The Changing Scenario Of The Business
Data Science

AI And Automation In HR: The Changing Scenario Of The Business

February 28, 2021
Machine learning could aid mental health diagnoses: Study
Machine Learning

Machine learning could aid mental health diagnoses: Study

February 28, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • 9 Tips to Effectively Manage and Analyze Big Data in eLearning March 1, 2021
  • Machine Learning & Big Data Analytics Education Market 2021 Global Industry Size, Reviews, Segments, Revenue, and Forecast to 2027 – NeighborWebSJ March 1, 2021
  • The Future of AI in Insurance March 1, 2021
  • Machine Learning as a Service (MLaaS) Market Global Sales, Revenue, Price and Gross Margin Forecast To 2028 – The Bisouv Network March 1, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates