Banking is one of the most sensitive areas of security. It is directly tied to money transfers and requires the best protection available. TrickBot is an infamous banking Trojan. Recently, security researchers found that the latest version contains a screen locker component. Although the finding suggests that the component is still under development, it poses an immense threat to the world of security.
TrickBot itself is an old banking Trojan that infected several banks in the UK, US, and Australia. Recently, the malware has been revitalized with improved capabilities. That's what researchers found – a screen locker. It strongly suggests that the malware will now start locking devices for ransom if the device user doesn't appear to be an e-banking user.
The new component
The screen locker module is part of the set of programs that TrickBot sets up on the infected system. At first, TrickBot was just a banking Trojan. In recent days, it has improved a lot and transformed into a tool for dropping malware onto systems.
The latest version was first sighted on March 15 this year. TrickBot authors infect a victim by launching a malware strain that specializes in downloading other modules, which perform all the different actions. Before that date, TrickBot consisted of a few modules – a banking Trojan, a spam email sending module and an SMB self-replicating worm to spread throughout a network.
On that date, TrickBot started downloading a new file – tabDll32.dll (tabDll64.dll in some cases). This new file loaded 3 additional files.
- Spreader_x86.dll – Module that helps the Trojan spread throughout the connected network. It works over SMB, using EternalRomance and other exploits for vulnerabilities that were fixed by the MS17-010 security patch.
- SsExecutor_x86.exe – Runs alongside the first module. It also establishes boot persistence on the infected system.
- ScreenLocker_x86.dll – A module that locks the screen. However, it doesn't encrypt files on the system (as ransomware does). Currently inactive.
The new TrickBot modules were reported in a tweet from MalwareTechLab.
The new module is for enterprise networks
All 3 new files work together on the system, independently of the original worm component. After the malware has spread throughout the entire network, the screen locker module is triggered to lock all the computers' screens.
This workflow leads researchers to think that the new system is being developed for enterprise networks where hundreds of machines are connected with each other. Although there’s no file encryption module/action observed, there’s a strong chance that this Trojan will become the next ransomware of the century.
How to stay protected
Judging by its workflow, the improved Trojan relies on several system exploits that are already fixed by the latest system patches. Moreover, since it has been discovered by security researchers, you can expect that security vendors are already at work to defend against it.
So, the first thing to do is to update your system with the latest available patches. The module files are Windows files. If you don't want to waste your time waiting for the lengthy update process, you can update your Windows offline. You also need a good antivirus program to defend against the malware. You can check out the best antivirus software of 2018.
Above all, be cautious in your usage habits so that no other malware gets into your system along with TrickBot.
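As a complement to patching and antivirus, the module file names listed earlier can be used for a quick triage sweep of a disk or user profile. The script below is an added example, not part of the original article or any vendor tool; the role labels and the record layout are assumptions made for illustration. A file name is a weak indicator because it is trivial to change, so the script records a SHA-256 for each hit to hand to an antivirus or incident response team rather than treating a match as proof.

```python
import hashlib
import os
import sys

# Module file names reported in the article (compared case-insensitively,
# because Windows file systems are case-insensitive). Role labels are ours.
MODULE_NAMES = {
    "tabdll32.dll": "loader for the new modules",
    "tabdll64.dll": "loader for the new modules (64-bit)",
    "spreader_x86.dll": "SMB spreader",
    "ssexecutor_x86.exe": "boot persistence",
    "screenlocker_x86.dll": "screen locker",
}

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def sweep(root):
    """Return one record per file under root whose name matches a module name."""
    hits = []
    # onerror: skip unreadable directories instead of aborting the sweep
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            role = MODULE_NAMES.get(name.lower())
            if role is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                record = {"path": path, "role": role,
                          "size": os.path.getsize(path), "sha256": sha256_of(path)}
            except OSError as err:  # locked or vanished file: still report the name
                record = {"path": path, "role": role, "size": None,
                          "sha256": None, "error": str(err)}
            hits.append(record)
    return sorted(hits, key=lambda r: r["path"])

if __name__ == "__main__":
    # Usage: python sweep.py <directory>; defaults to the current directory.
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```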