TrickBot comes together with modules. Each of them is responsible for the conduct of specific malicious activities. For example, some modules are responsible for propagation, others for encryption of stolen information or for stealing credentials.  In this article, we will describe the operation of one particular module, Nworm. We also provide recommendations on how to prevent an infection with a Nworm-loaded TrickBot. 

The operation of Nworm

Nworm evolved from and replaced Mworm, a module transferring an unencrypted version of the TrickBot executable to a vulnerable domain name controller. Since the executable was not encrypted, anti-malware software applications were able to easily detect and remove Mworm once it is copied to the targeted computer. The creators of TrickBot decided to “improve” Mworm in such a way as to make it harder to be detected. The new version of Mworm became known as Nworm. Nworm transfers an encrypted version of the TrickBot executable. Furthermore, the malware is executed and operated from the memory; thus, Nworm does not leave traces that can be used for its detection. However, TrickBot cannot survive a restart of the infected system, as such a restart usually deletes most of the information stored in the computer memory. The HTTP traffic for follow-up TrickBot EXEs is different from the traffic caused by Mworm. More specifically, the Mworm-related URL for TrickBot EXE ends with /images/redcar.png, while the Nworm-related URL for TrickBot EXE ends with /ico/VidT6cErs. In regards to Mworm, the follow-up TrickBot EXE is sent back unencrypted in the HTTP traffic. This is not the case with Nworm, where the followup TrickBot EXE returns as an encrypted or otherwise encoded binary in the HTTP traffic. The “symptoms” of an infection with a Nworm-loaded TrickBot may include slowing down the operation of the web browser, the appearance of certain unknown tasks in the computer task manager and connecting to remote hosts without the content of the relevant device.

Prevention of the infection with a Nworm-loaded TrickBot

The prevention of a Nworm-loaded TrickBot needs to include at least three components: namely, updating the Microsoft Windows operating system, installing up-to-date anti-malware and using threat prevention platforms. These three components will be examined in more detail below.

Updating Microsoft Windows

The Microsoft developers constantly identify security issues related to Microsoft Windows and develop fixes for such security issues. The fixes are available to Windows users through the “Windows update” functionality.  Microsoft quickly identified TrickBot and related modules and included it in the malware list of the Microsoft Defender Antivirus (MDA). To ensure that MDA will detect a Nworm-loaded TrickBot, it is better to open “Virus & threat protection settings” and start the following functionalities: cloud-delivered protection and automatic sample submission.

Installing up-to-date anti-malware

Although the MDA provides good protection against malicious software, the installation of additional anti-malware programs may increase the chance of detecting a Nworm-loaded TrickBot. For example, the Palo Alto Threat Prevention platform has the capacity to scan “all traffic – applications, users, and content – across all ports and protocols” and detect the presence of Nworm. It conducts the automatic anti-malware checks and automatically blocks known malware.

Using threat prevention platforms

Threat prevention platforms collect information security-related intelligence from all over the world and provide their users with the opportunity to take measures against new threats before being impacted by those threats.  Taking into account the transformation of Mworm in Nworm, we can expect a new module called “Oworm.” Users of threat prevention platforms will be able to learn about the existence of Oworm before being affected by it, thus increasing their chance to take preventive information security measures. In the field of cybersecurity, prevention is usually better than remediation. The threat prevention platform AutoFocus developed by information security researchers at Palo Alto Networks allows its users to track TrickBot activities by using a “TrickBot tag.” Thus, it is a powerful tool for prevention of TrickBot infections.

Conclusion

The modular nature of TrickBot allows it to rapidly evolve towards a stealthier version. While Mworm was spreading its malicious payload in an unencrypted form on the hard drive of the infected computer, Nworm delivers an encrypted version of TrickBot executable in the memory of the infected computer. Therefore, taking into account the “invisibility” of this type of malware, special preventive measures need to be taken with regard to it. In this article, we proposed three such measures which, if applied correctly, will greatly reduce the likelihood of infection. If no measures are taken and an infection with TrickBot occurs, this may have a tremendous impact on the affected bank. In an article entitled “Smart Wallets on Blockchain – Attacks and Their Costs,” three information security researchers estimated that the damage can range from $100 million to $10 billion.  

Sources

Nworm: TrickBot gang’s new stealthy malware spreading module, BleepingComputer Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module, Unit 42 Trojan.TrickBot, Malwarebytes Labs Win32/Trickbot, Microsoft Tomorrow’s operations depend on unrivaled threat intelligence, today, PaloAlto Networks Pillai, A., Saraswat, V., Arunkumar, V.R., “Smart Wallets on Blockchain – Attacks and Their Costs,” Smart City and Informatization: 7th International Conference, November 2019