Nworm – TrickBot Updates Propogation Module


Monday, June 8th, 2020 |

First discovered in 2016, TrickBot is mainly used as an information stealer and a backdoor for other malware that attackers may wish to deploy on an infected system. The malware is designed in a modular fashion, allowing for a variety of uses depending on the goals of the attacker utilizing the software. Over the previous few days, one of TrickBot’s modules, named ‘mworm,’ was recently modified, updated, and renamed as ‘nworm.’

Some key differences of the new nworm module include:

  • Nworm retrieves an encrypted, or encoded, binary over network traffic, which is the TrickBot executable file; the nworm module sent the TrickBot executable file in the clear, without any sort of encryption or encoding.
  • When infected with TrickBot through the new nworm module, it is run from system RAM and does not appear to persist on an infected client.
  • When used in conjunction with one another, this new module allows for the TrickBot infection to significantly increase its chances of evading detection on an infected domain controller.

Nworm is one the three propagation modules of the malware, used for spreading inside a network, and is different from the other modules in that it only targets the Domain Controller, and only works in Active Directory environments; in any other environment it will lay dormant. The infected domain controller then receives the TrickBot executable file as an encrypted binary and runs the binary in system RAM. Upon system reboot or shutdown, no artifacts remain of the malware, thus providing a powerful method of evading detection.

TrickBot contains two other modules that allow for propagation, named ‘mshare’ and ‘tab.’ With these, the infected Windows client retrieves a new TrickBot EXE using an HTTP URL, the infected client will then send this new TrickBot EXE over SMB traffic to the vulnerable domain controller.

It’s important to note that if the infected client does not exist in an Active Directory environment, only the modules mshare and tab will be utilized, as the nworm client is dormant; if the client does exist within an Active Directory environment, then the nworm module will carry out the previously described functions of mshare and tab.

When a TrickBot infection is caused by either mshare or tab, then these infections remain persistent on the domain controller, but TrickBot launched by nworm is not persistent. This lack of persistence caused by nworm is typically not an issue for the malware as a domain controller is rarely shut down or rebooted like a typical Windows client.


In order to hinder or prevent TrickBot infections, it is important to follow best security practices like running fully patched and up-to-date version of Microsoft Windows. Despite being patched over three years ago, EternalBlue, the main component of the WannaCry ransomware, is an integral part of how TrickBot spreads itself and thankfully there exists a way to patch that vulnerability. Maintaining and complying with a robust patch policy can help organizations from falling victim to TrickBot and other malicious hacking campaigns that exploit known vulnerabilities that are sometimes years old.

For a more detailed analysis of the TrickBot malware and its newly updated nworm module, as well as a comprehensive list of IOCs, please reference the PDF below: TrickBot – Nworm.


Sources:

Attachments

Share this: