The people behind banking trojan TrickBot have expanded the malware’s capability with a new backdoor meant to compromise high-value targets, according to new research from SentinelOne.
The update should cause alarm for the financial sector, since it can enable cybercriminals to infect systems with malicious software undetected and then surreptitiously escalate their attack to pilfer confidential banking information or launch ransomware attacks, according to SentinelLabs, SentinelOne’s new threat intelligence division.
The new backdoor, which SentinelLabs calls “PowerTrick,” is likely launched through PowerShell, Windows’ built-in scripting and management shell, which suggests the new function was developed to reach intended victims while avoiding detection.
“‘PowerTrick’ is a flexible new tool that allows attackers to augment their access on the fly while still staying undetected, bypassing restrictions and security controls,” Vitali Kremez, who leads research at SentinelLabs, said in a blog post.
These findings are the latest addition to a growing body of research that details how scammers are using TrickBot, sometimes in coordination with other hacking tools, to make a buck, all while trying to stay ahead of corporate security teams.
Once PowerTrick has been installed on a victim machine, it conducts an initial scan, waits for further commands and sends the results back to the hackers, according to SentinelLabs. It also uses functions from the penetration-testing framework Metasploit and other PowerShell tools to pivot to other systems and further obfuscate the infection activity.
“Once the system and network have been profiled, the actors perform a deletion operation and cleanup,” Kremez writes. “They remove any existing files that did not execute properly and move on to a different target of choice or perform lateral movement inside the environment to high-value systems such as financial gateways.”
It’s this transition to other systems that could be particularly damaging in the financial sector. TrickBot infections have recently begun focusing on exploiting critical assets and high-value targets, such as point-of-sale systems, according to researchers.
One malware family, called Anchor, has established “targeted data extraction from secure environments” and “long-term persistency,” according to SentinelLabs.
“The TrickBot cybercrime enterprise actively develops many of its offensive tools such as ‘PowerTrick’ that are leveraged for stealthiness, persistence, and reconnaissance inside infected high-value targets such as financial institutions,” Kremez writes.
SentinelLabs did not detail any of the new backdoor’s victims or reveal how long PowerTrick has been operational.
It wasn’t immediately clear which threat actors might be taking advantage of the new backdoor, if any.
Correction: This article has been corrected to reflect the description of Metasploit.