
What is Trickbot?

2025-01-16 Update. From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)05/31 Report--

This article explains what TrickBot is. The content is easy to follow and clearly laid out; we hope it answers your questions. Let the editor take you through "What is Trickbot?".

Preface

TrickBot is a banking Trojan used in a variety of network attacks, but it is mainly aimed at the network systems of banking institutions. An updated version of TrickBot can now also target ATMs (self-service withdrawal machines) and POS devices, stealing savings and credit card payment data from its victims.

Overview

Recently, TrickBot activity has become more and more frequent. It can also target applications such as Microsoft Outlook and browsers such as Chrome, Firefox, IE and Edge, stealing users' passwords and other sensitive data.

In addition, the malware's developers keep adding new features to TrickBot, such as more powerful code injection techniques to bypass security checks, anti-analysis techniques, and the ability to prevent security tools from running on the infected computer.

The TrickBot samples identified so far already support attacks on POS services. This newly added POS infection module is called psfin32, and its function is very similar to the network domain harvesting module used in previous attacks.

During analysis, the researchers found that the module's code contains POS-related terms, and that it uses LDAP queries against Active Directory Services (ADS) to identify POS services in the target network.

LDAP query & TrickBot infection process

TrickBot mainly uses LDAP queries to search the Global Catalog for objects whose names contain the following substrings (all related to POS services):

* \*POS\*
* \*LANE\*
* \*BOH\*
* \*TERM\*
* \*REG\*
* \*STORE\*
* \*ALOHA\*
* \*CASH\*
* \*RETAIL\*
* \*MICROS\*

It issues a separate LDAP query for each of these substrings; if a query does not return the expected result, the module moves on to query other accounts or objects.

Once TrickBot has obtained the required information from the target device, it stores the data in a preconfigured file and sends the collected data back to the remote C2 server in an HTTP POST request.

If the C2 server cannot be reached, the module reports "Dpost servers unavailable"; otherwise it reports "Report successfully sent".
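The wildcard searches described above leave a trace that a defender can look for: a single client issuing many Global Catalog queries whose filters contain `*POS*`-style substrings. The following is an added detection example written for this article; it is not the researchers' code and not part of the psfin32 module. The log line format (`timestamp client base=... filter=...`) is an assumption made for illustration, and the sample records are constructed. It parses the LDAP filter from each record, extracts wildcard values, and flags any client whose queries match two or more of the POS-related keywords listed in the article.

```python
import re

# Substrings the article reports psfin32 searching for in the Global Catalog.
POS_KEYWORDS = {"POS", "LANE", "BOH", "TERM", "REG", "STORE",
                "ALOHA", "CASH", "RETAIL", "MICROS"}

# Constructed sample LDAP search records. The format "<ts> <client> base=<x> filter=<f>"
# is an assumption for this example, not a real product's log format.
SAMPLE_LOGS = [
    "2025-01-16T10:00:01 10.0.5.23 base=DC=corp,DC=example filter=(sAMAccountName=jdoe)",
    "2025-01-16T10:00:02 10.0.5.23 base=GC filter=(|(name=*POS*)(name=*LANE*)(name=*BOH*))",
    "2025-01-16T10:00:03 10.0.5.23 base=GC filter=(name=*REG*)",
    "2025-01-16T10:00:04 10.0.7.9 base=DC=corp,DC=example filter=(objectClass=computer)",
    "2025-01-16T10:00:05 10.0.5.23 base=GC filter=(&(objectCategory=computer)(name=*STORE*))",
    "2025-01-16T10:00:06 10.0.9.4 base=GC filter=(name=*TERM*)",
]

# Matches one "(attribute=value)" leaf of an LDAP filter; nested (&...) / (|...) wrappers
# contain no '=' at their own level, so only the leaves are captured.
ATTR_VALUE = re.compile(r"\(([A-Za-z0-9\-]+)=([^()]*)\)")


def wildcard_keywords(ldap_filter):
    """Return the POS-related keywords that appear as *X* wildcard values in the filter."""
    found = set()
    for _attr, value in ATTR_VALUE.findall(ldap_filter):
        # Only full substring wildcards (*X*) count; exact matches and prefix searches do not.
        if len(value) > 2 and value.startswith("*") and value.endswith("*"):
            token = value.strip("*").upper()
            if token in POS_KEYWORDS:
                found.add(token)
    return found


def parse_line(line):
    """Split a record into (client, filter); returns None if the line has no filter."""
    parts = line.split(" filter=", 1)
    if len(parts) != 2:
        return None
    fields = parts[0].split()
    if len(fields) < 2:
        return None
    return fields[1], parts[1].strip()


def flag_pos_recon(lines, threshold=2):
    """Map each client to the sorted list of POS keywords it searched for, keeping only
    clients that hit at least `threshold` distinct keywords (a single *REG* lookup alone
    is not reported, which keeps ordinary admin searches out of the alert)."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, ldap_filter = parsed
        found = wildcard_keywords(ldap_filter)
        if found:
            hits.setdefault(client, set()).update(found)
    return {c: sorted(k) for c, k in hits.items() if len(k) >= threshold}


if __name__ == "__main__":
    for client, keywords in flag_pos_recon(SAMPLE_LOGS).items():
        print(f"possible POS reconnaissance from {client}: {', '.join(keywords)}")
```

Run against the constructed records, only 10.0.5.23 is reported (five distinct keywords); 10.0.9.4 searched for a single keyword and stays below the threshold. In a real deployment the records would come from domain controller LDAP auditing, and the threshold and time window should be tuned to the environment.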

Therefore, the researchers remind enterprises and users not to open suspicious emails or their attachments, which is how infections of this kind typically begin.

That is the full content of "What is Trickbot?". Thank you for reading! We hope it has given you a basic understanding of the topic; if you want to learn more, please follow the industry information channel.
