New Trickbot campaign using brute force attacks to target telecoms firms uncovered by researchers

Operators are using a new module to target Remote Desktop Protocols

Hackers have updated the Trickbot malware with a new module in an effort to specifically target telecoms, education and financial services sectors in the US and Hong Kong.

That's according to the researchers from cyber security firm Bitdefender, who warn that this new Trickbot campaign has been active for at least two months and appears to be going after financial data and intellectual property.

The new module (rdpScanDll) included in the Trickbot malware is specifically built to carry out brute-forcing operations against Remote Desktop Protocols (RDPs). Bitdefender researchers discovered the module on 30^th January. Based on the IP addresses targeted by the module, Bitdefender specialists concluded that the malware is targeting telecoms firms, universities and financial companies in the US and Hong Kong.

The researchers believe that hackers behind the campaign are targeting telecoms companies for the purposes of conducting espionage.

The new module relies on command-and-control (C2) servers, which are mostly based in Russia and northern Europe. The module initially downloads a list of targets, usernames, and passwords from the C2 servers. Then, it checks if the targeted domains are running the RDP service, and finally carries out a manually ordered attack on the list of domains.

Trickbot malware activities were first recorded by the researchers in 2016. At that time, it was observed to be functioning as a banking Trojan that stole sensitive information from target organisations.

The modular nature of Trickbot means it can be easily modified to perform various types of malicious activities. This is also the main reason behind TrickBot becoming one of the most sophisticated and capable form of delivering malware attacks in the world.

Trickbot is also known as being just one part of the Emotet-Trickbot-Ryuk malware chain, which has thoroughly targeted companies worldwide.

Trickbot currently has more than a dozen different modules. They include reconnaissance software that enable attackers to steal information on systems, software packages that allow worm-like spread, and remote admin programmes to access compromised systems.

In January, the cyber security experts at SentinelLabs warned that cyber criminals behind the Trickbot have expanded the capabilities of their offensive tools with a new PowerShell-based backdoor enabling them to target high-value businesses.

The researchers said that the new Trickbot backdoor is designed for persistence, stealth, and reconnaissance on compromised machines.