TrickBot Trojan gains a self-propagation mechanism and learns to attack browsers and Outlook

05 August 2017, 11:22 | Technologies

The TrickBot banking Trojan has been active for about a year, and researchers believe its "progenitor" is the Dyre Trojan.

Earlier in 2017, researchers found that TrickBot had expanded its target list beyond banking applications to include PayPal users and various CRM systems. Now experts report that TrickBot continues to evolve.

Recently, analysts at Flashpoint and Deloitte discovered a new version of the Trojan distributed through spam sent by the Necurs botnet. This sample is equipped with a dedicated SMB module that adds worm functionality to the Trojan, allowing it to spread automatically to every reachable computer on the local network. TrickBot's authors clearly borrowed this technique from the headline-making WannaCry and NotPetya malware. To discover targets, the module uses the NetServerEnum Windows API as well as the Lightweight Directory Access Protocol (LDAP).
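To make the discovery step concrete, here is an added defender-side example (not TrickBot's code and not from the Flashpoint/Deloitte report) that enumerates computer objects over LDAP, the same directory the article says the SMB module queries, and then checks which of them answer on TCP/445 from the current host. The result is the set of machines a worm module running on this workstation could reach over SMB. It assumes a domain-joined Windows host whose current user can read the directory; the LDAP filter, page size and port check are this example's choices.

```powershell
# Added example: map the SMB attack surface visible from one domain-joined host.
# Assumption: domain-joined machine, current user may read Active Directory.

# LDAP query for enabled computer objects. The bitwise matching rule
# 1.2.840.113556.1.4.803 with value 2 (ACCOUNTDISABLE) excludes disabled accounts.
$searcher = [adsisearcher]'(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
$searcher.PageSize = 500                       # paged results; AD caps unpaged answers at 1000
$searcher.PropertiesToLoad.Add('dnshostname') | Out-Null

# Collect DNS host names. The NetServerEnum path mentioned in the article is what
# "net view" relies on; the browser-service list is usually a subset of what LDAP returns.
$hosts = @(foreach ($r in $searcher.FindAll()) { [string]$r.Properties['dnshostname'] } | Where-Object { $_ })

# Probe TCP/445 on each host. -InformationLevel Quiet returns a plain boolean.
$reachable = @(foreach ($h in $hosts) {
    if (Test-NetConnection -ComputerName $h -Port 445 -InformationLevel Quiet -WarningAction SilentlyContinue) { $h }
})

"{0} enabled computer objects in the directory, {1} answer on TCP/445 from this host" -f $hosts.Count, $reachable.Count
$reachable
```

Run it from an ordinary user account on a workstation: every name it prints is a host that an SMB-spreading module on that workstation could attempt to reach without any further privilege, which makes the list a direct measure of how much lateral segmentation (host firewalls, VLAN rules) is actually in place.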

According to the researchers, this functionality is not yet fully implemented, but they are convinced the malware's authors will soon bring the SMB module to a fully operational state.

This week, the well-known information security researcher who goes by the pseudonym Hasherezade reported in turn that the malware's creators have probably brought another developer onto the team, and that TrickBot continues to acquire new functions.

Hasherezade writes that the banker currently ships with five main modules: systemInfo.dll and loader.dll (injectDll32), which have been part of the Trojan from the very beginning; mailsearcher.dll, added in December 2016; and two recently added modules, module.dll and Outlook.dll.

Unlike the other components of the malware, Outlook.dll is written in Delphi rather than C++, and was created to steal credentials and other information from Microsoft Outlook.

module.dll (importDll32) was built with C++, Qt5 and OpenSSL. A timestamp in the code indicates that the module appeared in May 2017. This component is designed to steal a range of data from browsers, including cookies, browsing history, HTML5 Local Storage, Flash LSOs (Local Shared Objects), URL hints and so on. Hasherezade notes that the module is written rather carelessly and barely hides its intentions: its code contains a long hard-coded list of targets, among them websites from many countries around the world, including Japan, France, Poland, Italy, Peru, Norway and others.

Source: bleepingcomputer.com
