Trickbot malware now maps victims’ networks using Masscan

Trickbot malware now maps victims’ networks using Masscan

Image: Karlis Reimanis

The Trickbot malware has been upgraded with a network reconnaissance module designed to survey local networks after infecting a victim’s computer.

This new module, dubbed masrv, uses the open-source masscan tool, a mass port scanner with its own TCP/IP stack and capable of scanning large swaths of the Internet in a matter of minutes.

Trickbot uses the network scanner module to map the victims’ networks and send home information on any devices with open ports.

Still testing the waters

The module is deployed as a Windows DLL file, with a 32-bit or 64-bit architecture depending on the system the malware has infected.

“Both DLLs we observed are debug builds and log their execution into standard output,” as Kryptos Logic Vantage Team said in a report published on Monday.

This hints at the module being in a test phase, with Trickbot gang still testing waters to see if using a network mapping could help them boost the number of infected devices and their malware’s efficiency.

All the info on network devices with open ports is exfiltrated to the malware’s command-and-control server for the malware operators to decide if the discovered machines are worth adding to the botnet.

Module C2 requests
Module C2 requests (Kryptos Logic Vantage Team)

The TrickBot gang has previously released a standalone reconnaissance tool known as LightBot in the form of a PowerShell script used for scoping out an infected victim’s network for high-value targets.

“This new module is an indication of the actor’s continued investment in improving their network reconnaissance toolkit, even after recent disruption efforts,” the Kryptos Logic researchers added.

Microsoft and other security firms disrupted the Trickbot botnet following a coordinated operation that led to the takedown of Trickbot C2 servers in October 2020.

Even though this operation managed to disable roughly 94% of Trickbot’s critical infrastructure, the tough to kill botnet bounced back in January 2021 with a new series of phishing emails and lures.

Frequently updated malware

Trickbot is a malware strain that surfaced in October 2016 as modular banking malware. Since then, it was continuously upgraded with new modules and…