WebRoot: TrickBot ship a new module, “screenlocker”

According to the analysis report published by Web security company WebRoot on Wednesday, the latest version of the TrickBot Trojan now includes a “screenlocker” component, which indicates that even if the infected target is not an online banking user, TrickBot The operator will not miss any chance of making a profit, and ransom will be another profitable measure by locking down the victim’s computer screen.

The good news is that TrickBot’s lock screen function is not yet fully functional and seems to be still in development. However, this new component has indeed been found to be installed on the victim’s computer, indicating that the attacker has at least been able to implant it on the infected computer.

WebRoot said that since the beginning of 2016, the TrickBot Bank Trojan has been constantly updating and changing, trying to stay ahead of the defenders forever. TrickBot initially appeared to the public as a bank Trojan, but in recent years it has evolved into a malware downloader.

Researchers at WebRoot found on Thursday that the latest version of TrickBot downloaded a module called “tabDll32.dll (or tabDll64.dll)” and that module downloads three files that contain the lock screen. The “ScreenLocker_x86.dll” file for the component. details as follows:

• Spreader_x86.dll – Through the combined use of the “Eternal romance” vulnerability in the NSA hacker’s arsenal and other attacks that may be patched by the MS17-010 security patch, attempts to propagate to other computers via the SMB protocol in the same network;
• SsExecutor_x86.exe – traverses the configuration file in the registry and goes to each configuration file to add the copied binary file link to the boot path to establish a persistence mechanism on the infected computer;
• ScreenLocker_x86.dll – The screen used to lock the infected computer is not currently available.

It is worth noting that these three files seem to be designed to work one after the other, that is, this lock screen component of TrickBot will only spread in Spreader_x86.dll trying to spread in the same network through the SMB protocol and establish a persistence mechanism for SsExecutor_x86.exe. Will be executed afterward.

Jason Davison, a senior threat research analyst at Webroot, said that this mode of operation means that the latest version of the TrickBot Bank Trojan will be used primarily for corporate networks that have not been patched.

Davison explained: “In a corporate network, users can’t often visit a bank’s website. Compared to locking potentially hundreds of computers, it seems that stealing a bank’s login credentials may not be a successful profit model.”