Researchers at SentinelLabs reported that TrickBot operators used a new PowerShell backdoor in recent attacks aimed at
TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features. For example, in February 2019 Trend Micro detected a variant that includes a new module used for Remote App Credential-Grabbing.
Initially, TrickBot only included banking Trojan capabilities, over the years the authors implemented new features such as the ability data-stealing functionalities and the capability to drop other payloads.
In August 2019, researchers at Secureworks Counter Threat Unit (CTU) discovered a new TrickBot version that includes new dynamic
The news backdoor, dubbed PowerTrick, was deployed as a PowerShell task through normal TrickBot infections, it is designed to execute commands and return the results in Base64 format.
Experts noticed that the system uses a generated UUID based on computer information as a “
“The TrickBot cybercrime enterprise actively develops many of its offensive tools such as “PowerTrick” that are leveraged for stealthiness, persistence, and reconnaissance inside infected
“The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks. “
The malicious code could perform several activities, including:
- Perform an initial
- Reset the throttle time or exit depending on response
- Sit in a loop request the next commands to be executed
- Execute received command
- Send back the results or the error message
- Sleep for the throttle amount
PowerTrick is used in conjunction with other frameworks and offensive tools, either paid or freely available for download, for profiling and pivoting.
Experts observed the use of other PowerShell utilities to perform malicious tasks. One of the most commonly used utilities is was ‘letmein.ps1’ which is a Powershell stager for open-source exploitation framework Metasploit.
Once the attackers have profiled the target system and network, they perform and cleanup to remove all
They remove any existing files that did not execute properly and perform lateral movements to a different target in the same network choice.
The experts have also developed mock command-and-control panels that used for the analysis of the “PowerTrick”.
The report published by the experts includes Indicators of Compromise (IoCs), along with other technical details.
(SecurityAffairs – hacking, Trickbot)
The post TrickBot gangs developed the PowerTrick backdoor for high-value targets appeared first on Security Affairs.