TrickBot Adds Custom, Stealthy Backdoor to its Arsenal
The PowerTrick backdoor, which fetched yet other backdoors, is designed to help TrickBot evade detection.
The Russian-speaking cybercriminals behind the TrickBot malware have developed a stealthy backdoor dubbed “PowerTrick,” in order to infiltrate high-value targets.
According to research from SentinelLabs, released on Thursday, PowerTrick is designed to execute commands and return the results in Base64 format. It’s deployed as a module after the initial TrickBot infection has already taken hold on a victim computer.
“The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure air-gapped high-value networks,” according to the analysis.
The firm’s researchers observed a smaller initial backdoor script being first deployed, sometimes in the form of a PowerShell task, which establishes contact with the command-and-control (C2) server. After that, the malware operators send the first command, which is to download the main PowerTrick backdoor.
Once installed, PowerTrick carries out the usual backdoor functions, according to the analysis: It performs an initial check-in and then sits in a loop request waiting for the next commands to be received. It executes these and sends back results or errors; and it can sleep for certain amounts of time on demand.
The TrickBot operators use their access to carry out other tasks, mainly by leveraging PowerShell utilities. For instance, SentinelLabs observed PowerTrick downloading “letmein,” a PowerShell-based script for connecting to open-source exploitation framework Metasploit, to perform reconnaissance and identify other machines to which to expand the TrickBot infestation laterally.
“Once the system and network have been profiled, the actors either stealthily clean up and move on to a different target of choice, or perform lateral movement inside the environment to high-value systems such as financial gateways,” the researchers noted.
In addition to Metasploit, the backdoor also calls other pieces of code, which function as backdoors as well. These include TrickBot’s custom Anchor Project DNS variant; and the More_eggs JScript backdoor malware (a.k.a. Terra Loader or SpicyOmelette), which is sold on the Dark Web as a malware-as-a-service (MaaS) offering. Also, the cybercriminals have been seen using direct shellcode execution via PowerTrick as an additional methodology for payload deployment.
Using the backdoor as a gateway to yet more backdoors is an effort to stay stealthy, according to SentinelLabs.
“This is something we have observed frequently where the actors will modify or create new delivery systems frequently in order to bypass restrictions and security controls,” the researchers said.
TrickBot was developed in 2016 as a banking malware to succeed the Dyre banking trojan; but since then, it has developed into an all-purpose, module-based crimeware solution targeted specifically to corporations. If past is prologue, the addition of PowerTrick to its arsenal is par for the course in terms of the malware’s ongoing and rapid development. Most recently, it has added the ability to harvest desktop application credentials and perform stealthy code injection; and, its operators have been seen collaborating with North Korea-linked APT Lazarus.
“TrickBot has shifted focus to enterprise environments over the years to incorporate many techniques from network profiling, mass data collection, incorporation of lateral traversal exploits,” according to the SentinelLab analysis. “This focus shift is also prevalent in their incorporation of malware and techniques in their tertiary deliveries that are targeting enterprise environments, it is similar to a company where the focus will shift depending on what generates the best revenue.”