The infamous banking Trojan TrickBot, which infected nearly 250 million Google accounts in 2019, is back with a newly discovered module (rdpScanDll) built for RDP brute-force operations.
While the Trojan has been around since 2016, having initially targeted e-banking as a credential-harvesting threat, its plugin-based design let it evolve into a more focused threat for stealing financial data. Now, researchers from Bitdefender have discovered a new module notable for the IP addresses it targets: the victims are mostly US- and Hong Kong-based, and predominantly in the telecom industry.
The module, dubbed "rdpScanDll", was first discovered on January 30 and is still in development, according to Bitdefender. So far it has targeted 6,013 RDP servers belonging to businesses in the telecom and financial sectors in both the US and Hong Kong.
How is the TrickBot RDP brute-force attack carried out?
TrickBot creates a folder with the encrypted malicious payloads and associated configuration files, including a list of command-and-control (C&C) servers with which the plugin needs to communicate to retrieve commands to be executed.
The rdpScanDll plugin then shares its configuration file with a module named "vncDll", which uses a standard URL format (https://C&C/tag/computerID/controlEndpoint) to communicate with the new C&C servers.
The "check" mode then looks for an RDP connection among the list of targets, while the "trybrute" mode attempts a brute-force operation on the target using a predetermined list of login details obtained from the "/rdp/names" and "/rdp/dict" endpoints respectively.
If the initial list of targeted IPs is exhausted, the plugin tries to retrieve a fresh set of IPs from a second endpoint, "/rdp/over".
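The two observable sides of the behaviour just described are failed RDP logons piling up on the targeted servers and the infected host's requests to the "/rdp/names", "/rdp/dict" and "/rdp/over" control endpoints. The following is an added detection example, not code from the article or from Bitdefender: it flags a source address that produces many failed RemoteInteractive logons (Windows Security event 4625, logon type 10) inside a sliding window, and it flags outbound URLs that match the C&C path layout above. The sample events and URLs are constructed; the assumption that the controlEndpoint segment is the "/rdp/..." path, and the thresholds, are mine.

```python
"""Defender-side checks for the rdpScanDll behaviour described above.

1. rdp_bruteforce_sources(): group failed RDP logons (Windows Security
   event 4625 with logon type 10 = RemoteInteractive) by source address and
   report any source that exceeds a threshold inside a sliding time window.
2. trickbot_rdp_endpoint_hits(): scan outbound URLs (e.g. from a proxy log)
   for the rdpScanDll control endpoints named in the article, in the
   https://<c2>/<tag>/<computerID>/<controlEndpoint> layout.

All sample events and URLs below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed failed-logon records as a SIEM might export them:
# (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    ("2020-03-17T10:00:01", 4625, 10, "203.0.113.5", "administrator"),
    ("2020-03-17T10:00:03", 4625, 10, "203.0.113.5", "admin"),
    ("2020-03-17T10:00:04", 4625, 10, "203.0.113.5", "guest"),
    ("2020-03-17T10:00:06", 4625, 10, "203.0.113.5", "user"),
    ("2020-03-17T10:00:09", 4625, 10, "203.0.113.5", "test"),
    ("2020-03-17T10:00:11", 4625, 10, "203.0.113.5", "support"),
    ("2020-03-17T10:05:00", 4625, 10, "198.51.100.7", "jdoe"),  # a single typo
    ("2020-03-17T10:05:30", 4624, 10, "198.51.100.7", "jdoe"),  # then success
    ("2020-03-17T10:07:00", 4625, 3, "192.0.2.9", "svc"),       # network logon, not RDP
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: peak_failures_in_window} for every source that
    produced at least `threshold` failed RemoteInteractive logons within
    any period of length `window`."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, src, _account in events:
        # Only failed (4625) RDP-style (logon type 10) logons count.
        if event_id == 4625 and logon_type == 10:
            failures[src].append(datetime.fromisoformat(ts))

    hits = {}
    for src, stamps in failures.items():
        stamps.sort()
        recent = deque()
        peak = 0
        for t in stamps:
            recent.append(t)
            # Drop timestamps that have fallen out of the sliding window.
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            hits[src] = peak
    return hits


# Control endpoints of the rdpScanDll plugin as named in the article.
RDP_SCAN_ENDPOINTS = ("/rdp/names", "/rdp/dict", "/rdp/over")

# Constructed outbound URLs in the shape of a web-proxy log.
SAMPLE_URLS = [
    "https://203.0.113.40/tag1/WS01_ABC123/rdp/names",
    "https://203.0.113.40/tag1/WS01_ABC123/rdp/dict",
    "https://updates.example.com/rdp/help/names",       # benign: different path
    "https://203.0.113.40/tag1/WS01_ABC123/rdp/over",
    "https://intranet.example.com/docs/rdp/dict.pdf",   # benign: different path
]


def trickbot_rdp_endpoint_hits(urls):
    """Return URLs whose path is /<tag>/<computerID>/<endpoint> with one of
    the rdpScanDll control endpoints (assumed layout, see lead-in)."""
    hits = []
    for url in urls:
        path = urlparse(url).path
        for endpoint in RDP_SCAN_ENDPOINTS:
            if path.endswith(endpoint):
                # Require exactly the tag and computerID segments in front.
                prefix_segments = [s for s in path[: -len(endpoint)].split("/") if s]
                if len(prefix_segments) == 2:
                    hits.append(url)
                break
    return hits


if __name__ == "__main__":
    print("brute-force sources:", rdp_bruteforce_sources(SAMPLE_EVENTS))
    print("rdpScanDll C&C hits:", trickbot_rdp_endpoint_hits(SAMPLE_URLS))
```

The logon check deliberately ignores event 4624 successes and non-RDP logon types so that a single mistyped password does not alert, while a burst of distinct usernames from one address, the signature of a dictionary run, does. In practice the URL check is most useful when the proxy log also records the client host, since the same host making those requests is the infected machine rather than the target.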
TrickBot's Update Delivery Mechanism
TrickBot has been distributed mostly via spam campaigns, but it has also been seen working in concert with other malware, such as being delivered by the Emotet spam-sending botnet and in turn delivering Ryuk ransomware; its operators have thereby extended it into a more advanced malware delivery vehicle.
According to Bitdefender's findings on the update delivery mechanism, over the course of the last six months the plugins responsible for lateral movement across the network (WormDll, TabDll, ShareDll) received the most updates, followed by the modules responsible for system and network reconnaissance (SystemInfo, NetworkDll) and data harvesting (ImportDll, Pwgrab, aDll).
The latest rdpScanDll module is perhaps only one in a long line of modules used by the Trojan, but it stands out because of its use of a highly specific list of IP addresses, the researchers concluded.