Bitdefender experts have discovered a new module for the well-known banking Trojan TrickBot, which uses hacked systems to launch brute force attacks on RDP against Windows systems.
The module was noticed by experts at the end of January this year, it is called rdpScanDll. According to experts, the module is still quite new and is still under development.However, this did not prevent rdpScanDll from attempting to attack 6013 RDP servers, mainly owned by enterprises in the telecommunications, educational and financial sectors and located in the US and Hong Kong.
rdpScanDll attack map
After TrickBot enters the system, it creates a folder containing encrypted payloads and related configuration files, including a list of management servers that the module must contact for the module named vncDll, using the standard format format URL for communication with the management servers: https://C&C/tag/computerID/controlEndpoint.
Interest here possessd the controlEndpoint, associated with a list of attack modes (check, trybrute and brute) and a list of IP addresses and ports that need to be attacked through RDP”, — say Bitdefender researchers.
So, check mode checks the RDP connection of the target from the list, trybrute mode tries to execute bruteforce on the selected target using a predefined list of usernames and passwords extracted from /rdp/names and /rdp/dict. Once the source list of destination IP addresses from rdp/domains is exhausted, the module will receive another set of fresh IP addresses using rdp/over.
Experts write that given that the module uses a predefined list of usernames and passwords, it all looks like targeted attacks.
The simple fact that they [hackers] use a list of usernames and passwords, rather than a simple dictionary attack, means that they know something or have some experience with the passwords that IT administrators use to manage these networks. They would not go through passwords for a specific list if this list has not proved its worth in the past,” — analysts write.
The Bitdefender report also described in detail the TrickBot update delivery mechanism, thanks to which it was possible to understand that the modules for lateral movement on the network (WormDll, TabDll, ShareDll) also received a lot of updates and improvements recently. Also, over the past six months, modules for system and network intelligence (SystemInfo, NetworkDll) and data collection (ImportDll, Pwgrab, aDll) have been actively updated.
By the way, according to the report of Check Point experts, TrickBot is one of the most active malware at the beginning of this year, banker operators do not even disdain to use the theme of the coronavirus pandemic to spread this electronic infection.
