Medium
TrickBot, a modular malware that uses separate binaries to perform different functions, has been updated. One module, “mworm,” has been replaced by “nworm” in an effort to leave no artifacts on infected DCs: whatever traces it does leave disappear after a reboot or shutdown. Another difference is that the retrieved binary, which represents a TrickBot executable file, is now encrypted and encoded; previously, “mworm” was retrieved unencrypted and unencoded. Additionally, “nworm” runs from system RAM and has no persistence mechanism. This evolutionary change allows TrickBot to remain hidden and, thus, difficult to analyze, since no remnants remain on the infected machine. As with previous iterations of TrickBot, the initial payload is a malicious Windows executable saved to disk. This EXE is often called the TrickBot loader because it is used to load TrickBot modules, such as “nworm.” The URLs used by TrickBot for this retrieval were presented as IP addresses rather than the domain-based URLs typically seen. “mworm” stopped appearing in April 2020 and was replaced by “nworm.” Two other modules remain the same and perform as previously seen: “mshare” and “tab” remain persistent on the DC.