Last year TrickBot proved that the hallowed Windows Defender Advanced Threat Protection defense system isn't quite foolproof: the malware variant was able to disable Windows Defender by deploying some tricks of its own, such as deleting the WinDefend service.
The earlier havoc wreaked on Windows users by the disabling of Windows Defender included the infection of nearly 250 million Google accounts; this time the malware has resurfaced with a new capability, stealing Windows Active Directory credentials. This latest trait of the infamous Trojan makes it even more lethal from a security standpoint.
TrickBot has a new module dubbed “ADll”, which executes a set of commands to steal Windows Active Directory information. The module was discovered by Sandor Nemes, a security researcher at VirusTotal.
How the Trojan Steals Windows Active Directory Credentials
Windows administrators use the command named ifm (install from media) to create a dump of Active Directory; the same command also creates the installation media used for setting up Domain Controllers.
The Trojan's new ADll module abuses the ifm command to create a copy of the Windows Active Directory database, which is dumped into the %Temp% folder and then forwarded by the bot to the malware's operators. The data can be used to infect other computers in the network, and also by other malware that looks for such weaknesses.
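A detection-side illustration of the behaviour described above, added here as an example and not code from the article or from any TrickBot analysis: it scans constructed process-creation records (the command lines a Sysmon Event ID 1 or Security 4688 event would carry) for the two behaviours named on this page, an ntdsutil ifm dump written to a temp directory and deletion of the WinDefend service. The sample command lines, the record field names and the alert labels are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation records; made-up examples, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "DC01", "user": "CORP\\svc-backup",
     "cmd": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Backup\ADMedia" q q'},
    {"host": "DC01", "user": "CORP\\jdoe",
     "cmd": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Users\jdoe\AppData\Local\Temp\ad" q q'},
    {"host": "WS07", "user": "CORP\\jdoe", "cmd": r"sc.exe delete WinDefend"},
    {"host": "WS07", "user": "CORP\\jdoe", "cmd": r"notepad.exe C:\notes.txt"},
]

# ntdsutil invoked with the ifm "create full" subcommand (legitimate for DC promotion media).
NTDSUTIL_IFM = re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\s+full\b", re.IGNORECASE)
# Output path under a temporary directory, the variant the article attributes to ADll.
TEMP_PATH = re.compile(r"(\\temp\\|%temp%|\\tmp\\)", re.IGNORECASE)
# Deletion of the Defender service, the earlier TrickBot trick mentioned above.
WINDEFEND_DELETE = re.compile(r"\bsc(\.exe)?\s+delete\s+WinDefend\b", re.IGNORECASE)


def classify(cmd: str) -> Optional[str]:
    """Return an alert label for a command line matching one of the page's behaviours, else None."""
    if WINDEFEND_DELETE.search(cmd):
        return "defender-service-deleted"
    if NTDSUTIL_IFM.search(cmd):
        # An ifm dump is normal admin activity; one written to a temp folder deserves a high-priority alert,
        # any other ifm dump is still worth a review against change records.
        return "ad-dump-to-temp" if TEMP_PATH.search(cmd) else "ad-dump-review"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, user, alert) for every record that triggers an alert."""
    hits = []
    for event in events:
        alert = classify(event["cmd"])
        if alert:
            hits.append((event["host"], event["user"], alert))
    return hits


if __name__ == "__main__":
    for host, user, alert in scan(SAMPLE_EVENTS):
        print(f"{host} {user}: {alert}")
```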
The State of Windows Active Directory Credentials
The Active Directory database is created when a server acts as a domain controller and is saved to the default C:\Windows\NTDS folder on that domain controller; information such as the passwords, users and groups of Windows Active Directory is stored in a file called ntds.dit within this database.
Because this information is highly sensitive, Windows encrypts it using a BootKey, which it stores in the System part of the Registry.
Normal file operations can't access the BootKey; administrators instead make use of a special tool called ntdsutil to access the ntds.dit database when performing database maintenance.
It is recommended that Windows 10 users ensure that the “Tamper Protection” feature is enabled. Although the feature is on by default, users should check it, since the malware is capable of disabling it; with the feature enabled, Windows 10 users need not be too worried about the Trojan.