Whitepapers

A Fresh Look at Trickbot’s Ever-Improving VNC Module

July 15, 2021

The journey of Trickbot starts almost half a decade ago, when it appeared in the form of a banker and credential-stealing application. Drawing inspiration from Dyre (or Dyreza), Trickbot consists of an ecosystem of plugin modulesand helper components. As of late, the Trickbot group, which has managed to infect millions of computers worldwide, has played an active role in disseminating ransomware.

While most of the Dyre creators have gone dark, one person was recently charged for her role in this transnational cybercrime ring operating out of Russia, Belarus, Ukraine and Suriname. However, despite the indictment and the law enforcement takedown attempts, Trickbot shows no sign of slowing down.

Bitdefender researchers have been reporting on notable developments in Trickbot’s lifecycle, with highlights including the analysis of one of its modules in late 2020 used to bruteforce RDP connections and the analysis of its new C2 infrastructure in the wake of the crackdown of its infrastructure.

This new research focuses on an updated VNC module, which includes new functionalities for monitoring and intelligence gathering.

Key findings

  • Bitdefender researchers have discovered an updated VNC module that seems to be in active development, as its maintainers are updating it at a very fast pace;
  • This module is now delivered under a new name; our observations also helped us map the attackers’ network architecture
  • Bitdefender researchers have identified he software application that the attackers use to connect to victims’ computers. This tool, called VNCView, is described in a dedicated chapter.

A new update on the horizon

As of May 12, 2021, our monitoring systems started to pick up an updated version of the vncDll module used by Trickbot against select high-profile targets. This module is known as tvncDll and is used for monitoring and intelligence gathering. It seems to be still under development, since the group has a frequent update schedule, regularly adding new functionalities and bug fixes.

Our analysis focuses on identifying the communication protocol and the infrastructure behind it in correlation with the module’s new functionalities.

During our investigation we also stumbled on an additional tool used by the Trickbot group to facilitate the access of other threat actors to the victims’ computers.

Download whitepaper

Publisher's website.

SHARE:
Price: FREE

About the Provider

Bitdefender
Bitdefender is a Romanian cybersecurity and anti-virus software company. Bitdefender develops and sells anti-virus software, internet security software, endpoint security software, and other cybersecurity products and services.

TOPICS

Cybercrime, ransomware, TrickBot

PLEASE COMPLETE