Trickbot Malware Returns with a new VNC Module to Spy on its Victims

July 13, 2021, by Ravie Lakshmanan

Cybersecurity researchers have opened the lid on the continued resurgence of the insidious Trickbot malware, making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter efforts from law enforcement.

"The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between [command-and-control] servers and victims — making attacks difficult to spot," Bitdefender said in a technical write-up published Monday, suggesting an increase in the sophistication of the group's tactics.

"Trickbot shows no sign of slowing down," the researchers noted.

Botnets are formed when hundreds or thousands of hacked devices are enlisted into a network run by criminal operators. Such networks are often used to launch denial-of-service attacks that pummel businesses and critical infrastructure with bogus traffic with the aim of knocking them offline. But with control of these devices, malicious actors can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on the infected computers. Trickbot is no different.
The notorious cybercrime gang behind the operation — dubbed Wizard Spider — has a track record of exploiting the infected machines to steal sensitive information, pivot laterally across a network, and even act as a loader for other malware, such as ransomware, while constantly improving its infection chains by adding modules with new functionality to increase their effectiveness.

"TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware," Lumen's Black Lotus Labs disclosed last October. "It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible."

The botnet has since survived two takedown attempts by Microsoft and the U.S. Cyber Command, with the operators developing firmware-meddling components that could allow the hackers to plant a backdoor in the Unified Extensible Firmware Interface (UEFI), enabling the implant to survive antivirus detection, software updates, or even a total wipe and reinstallation of the computer's operating system.

Now, according to Bitdefender, the threat actor has been found actively developing an updated version of a module called "vncDll" that it employs against select high-profile targets for monitoring and intelligence gathering. The new version has been named "tvncDll."

The new module is designed to communicate with one of the nine command-and-control (C2) servers defined in its configuration file, using it to retrieve a set of attack commands, download more malware payloads, and exfiltrate data gathered from the machine back to the server.

Additionally, the researchers said they identified a "viewer tool," which the attackers use to interact with the victims through the C2 servers.

That's not all.
A separate report published by Cofense this week discovered fresh evidence of the botnet targeting companies in the retail, building materials, manufacturing, insurance, and construction industries with phishing emails containing invoice-themed Word documents to trigger a "fine-tuned workflow for stealing credentials."

While efforts to squash the gang's operations may not have been entirely successful, Microsoft told The Daily Beast that it worked with internet service providers (ISPs) to go door-to-door replacing routers compromised with the Trickbot malware in Brazil and Latin America, and that it effectively pulled the plug on Trickbot infrastructure in Afghanistan.