Written by Shannon Vavra

The criminals behind the TrickBot banking trojan have retooled it for targeting telecommunications organizations in the U.S. and Hong Kong, according to new research from BitDefender.

The new module, a malicious .dll file “rdpScanDll” allow attackers to run brute-forcing operations against Remote Desktop Protocols (RDPs).

It’s just the latest update to TrickBot, which by design is built to be enhanced over time. The developers behind the banking trojan have not rested since it first sprouted up in 2016, and just earlier this year started using a new backdoor, according to SentinelOne research. BitDefender first saw a version of the module being developed in August of last year, Liviu Arsene, a global cybersecurity researcher at BitDefender, told CyberScoop.

The multiple configurations TrickBot can take on will likely continue to be attractive for criminals’ and nation-states’ interests as they perpetually try to retool and maintain anonymity, according to Arsene.

“That’s the beauty of everything you do with TrickBot,” Arsene told CyberScoop. “Attackers could be using existing infrastructure for malware that has already been in the wild for years, tested and proven to be reliable. Attackers are going to be using this infrastructure to perform more targeted attacks.”

While BitDefender found IP addresses on several targeting lists that also look to be from the education and financial sectors, Arsene said the telecommunications addresses — the bulk of the targets — shows the use of the new TrickBot module is believed to be for espionage purposes.

“It targets a very specific list of IP address in a very narrow vertical, telecommunications,” Arsene, said. “It’s not random.”

Constantly improving

Since the new module popped up, developers have been updating and tweaking the scheme, sometimes as much as two or three times in one week, Arsene said.

The new plug-in’s three operations — “check,” “trybrute,” and “brute” — have varying levels of success. During “check,” TrickBot checks for RDP connections on the list of targets and checks the IP list the attackers have made. During “trybrute,” the attackers try to perform a brute-force operation on the list of targeted IPs.

But the “brute” mode is less functional and may be updated yet, BitDefender found. For now, “brute” does not consult a username list to run attacks, and instead relies on just null passwords and usernames.

While the attackers’ command and control infrastructure is primarily based in Russia, according to Arsene, it’s unclear who exactly the attackers are.

The telecommunications sector is a perennial target for hackers around the world, especially, as of late, for Chinese government-linked hackers, which have gone after call records data on multiple occasions in recent months, according to FireEye and Cybereason.

“Attribution is difficult,” Arsene said. “The module itself doesn’t leave behind forensic artifacts that can point to a specific region or someone who is talking a specific language or using Chinese or Cyrilic characters.”