TrickBot group exploiting PowerShell-based backdoor to target high-value organisations

New TrickBot backdoor is designed for persistence, stealth, and reconnaissance on compromised machines

Cyber criminals behind the banking Trojan TrickBot have expanded the capabilities of their offensive tools with a new PowerShell-based backdoor enabling them to target high-value businesses.

TrickBot is a descendant of the Dyre malware and was primarily used by Russian hackers to carry out banking fraud. Over the past few years, the TrickBot group has shifted its focus to enterprise environments in an effort to generate maximum revenue from its activities.

According to cyber security experts at SentinelLabs, the TrickBot group is currently using PowerTrick - a custom, fileless backdoor that is designed for persistence, stealth, and reconnaissance inside compromised networks.

PowerTrick offers capabilities similar to those of PowerShell Empire, but it is more difficult to detect because its code is custom-made rather than taken from a known framework. It is most likely launched through PowerShell, the Windows management framework.

Researchers say they have noticed TrickBot operators using PowerTrick to quietly download additional malware on machines belonging to high-value organisations.

The attackers' new offensive tools enable them to remain hidden within a compromised network for the duration of their operation, because those tools are employed only for short periods to carry out targeted "post-exploitation" activities such as lateral movement.

Successful exploitation allows attackers to steal user credentials, deploy additional malware and carry out a variety of other activities within the compromised network.

"The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks," lead researcher Vitali Kremez said in a blog post.

Over the past few months, researchers have seen a decline in overall malware volumes, although targeting of higher-value entities is on the rise. The recent Travelex ransomware crisis is an example of such a targeted attack.

SentinelLabs says it has created some mock command-and-control (C2) panels to help organisations test for PowerTrick-related infections. The mock C2 panels are available to download on GitHub.