Nworm: New TrickBot Module
I. Targeted Industries
- Higher Education
- Financial Services
II. Introduction
First identified in 2016 as a banking trojan, Trickbot is an information stealer that also provides backdoor access used to deliver other malware. Trickbot recently gained a new propagation module, named "Nworm", that is markedly harder to detect than its predecessor. Researchers at Palo Alto Networks Unit 42 analyzed the update: an Nworm infection leaves no artifacts on the compromised domain controller (DC), and it disappears when the DC is rebooted or shut down. The Trickbot operators also cooperate with ransomware operators, notably those behind Ryuk, who use Trickbot's foothold to gain access to compromised networks.
III. Background Information
Trickbot's Nworm module evolved from and replaced Mworm, the propagation module first seen in September 2019. Such rapid evolution is possible because Trickbot is modular: its authors can add, replace or drop capabilities without rewriting the core. Unit 42 researchers found that Nworm uses new techniques to evade detection while infecting Windows domain controllers.
Trickbot first profiles the environment it is running in. It then downloads modules, such as Mworm and Mshare, to perform specific tasks on the infected host and across the network. If Trickbot determined that the host was part of a Windows Active Directory (AD) environment, it deployed the Mworm and Mshare modules to spread the infection to a vulnerable domain controller. These modules delivered an unencrypted Trickbot executable to the domain controller by exploiting Server Message Block (SMB) vulnerabilities. Because the executable was transferred unencrypted and copied onto the domain controller, security software on the DC could detect and remove it as soon as it arrived.
Nworm was first observed by researchers in April 2020, at which point Trickbot stopped using Mworm. The new module retrieves the Trickbot executable in encrypted form and launches the infection on the domain controller in memory, so it leaves no file artifacts behind and is far harder to detect. The trade-off is that the infection does not survive a reboot of the domain controller. In practice this costs the attackers little: domain controllers are rebooted infrequently, so Nworm can persist undetected long enough for the operators to achieve their objectives.
IV. Recommendations
- Patch Updates
Keep Microsoft Windows systems, domain controllers in particular, current and apply security patches promptly; the earlier Mworm and Mshare modules relied on unpatched SMB vulnerabilities to reach the domain controller.
- Utilize Security Information and Event Management Data
Collect and review SIEM data from domain controllers and workstations to detect Nworm and other Trickbot propagation techniques; for example, alert on workstations accessing administrative SMB shares on domain controllers, which is the path the propagation modules use.
- Malware Monitoring
Continue to monitor for, and stay informed about, new information and developments concerning the malware.
- Incorporate Known IOCs into IDS
Incorporate the known Trickbot IOCs into your intrusion detection system so that network activity related to the malware is flagged.
- User Awareness Training
Train users to avoid suspicious emails, links, websites and attachments, and educate them about new attack types and schemes to reduce risk.
- Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
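The following detector is an added example, not code from the advisory or from any vendor cited in it. It ties the background section (propagation modules reaching domain controllers over SMB) to the SIEM and IOC recommendations above: it scans Windows Security events, exported in a key="value" line format that stands in for a SIEM feed, for admin-share access on a domain controller from an unexpected source, for a single source fanning out to several DCs, and for matches against an IOC list. The hostnames, the RFC 5737 addresses, the IOC values and the sample events are all constructed placeholders, not real indicators.

```python
"""
Added example (not from the advisory or any vendor): a small detector for the
SMB-to-domain-controller propagation pattern the advisory describes, run over
constructed Windows Security events in a key="value" line format that stands
in for a SIEM export. Hostnames, addresses (RFC 5737 ranges) and hashes are
constructed placeholders, not real indicators.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed environment inventory (constructed for this example).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # jump/patch hosts
ADMIN_SHARES = {r"\\*\ADMIN$", r"\\*\C$", r"\\*\IPC$"}

# Constructed IOC set standing in for the advisory's downloadable list.
IOC_IPS = {"198.51.100.23"}
IOC_SHA256 = {"deadbeef" * 8}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    src_ip: str
    detail: str


_KV = re.compile(r'(\w+)="([^"]*)"')
_SHA256 = re.compile(r"SHA256=([0-9a-fA-F]{64})")


def parse_event(line: str) -> dict:
    """Parse one key="value" event line into a dict."""
    return dict(_KV.findall(line))


def _is_admin_source(ip: str) -> bool:
    """True if the source address belongs to a host expected to reach DC admin shares."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # empty or malformed address field
        return False
    return any(addr in net for net in ADMIN_SOURCE_NETS)


def check_event(ev: dict) -> list[Alert]:
    """Per-event rules: DC admin-share access from an unexpected host, IOC hits."""
    alerts = []
    host, src, eid = ev.get("Computer", ""), ev.get("IpAddress", ""), ev.get("EventID", "")
    # Rule 1: event 5140 (network share accessed) on a DC, admin share, non-admin source.
    if eid == "5140" and host in DOMAIN_CONTROLLERS:
        share = ev.get("ShareName", "")
        if share in ADMIN_SHARES and not _is_admin_source(src):
            alerts.append(Alert("dc_admin_share_from_workstation", host, src, share))
    # Rule 2: source address on the IOC list, regardless of event type.
    if src in IOC_IPS:
        alerts.append(Alert("ioc_ip_match", host, src, f"EventID {eid}"))
    # Rule 3: process creation (4688) whose SHA256 is on the IOC list.
    if eid == "4688":
        m = _SHA256.search(ev.get("Hashes", ""))
        if m and m.group(1).lower() in IOC_SHA256:
            alerts.append(Alert("ioc_hash_match", host, src, ev.get("NewProcessName", "")))
    return alerts


def scan(lines: list[str]) -> list[Alert]:
    """Run the per-event rules, then one cross-event rule: a single source touching
    admin shares on two or more DCs, the fan-out a propagation module produces."""
    alerts = []
    dcs_by_src = defaultdict(set)
    for line in lines:
        for a in check_event(parse_event(line)):
            alerts.append(a)
            if a.rule == "dc_admin_share_from_workstation":
                dcs_by_src[a.src_ip].add(a.host)
    for src, dcs in dcs_by_src.items():
        if len(dcs) >= 2:
            alerts.append(Alert("dc_fanout", ",".join(sorted(dcs)), src, f"{len(dcs)} DCs"))
    return alerts


# Constructed sample events (not real logs): one legitimate patch host, one
# workstation hitting admin shares on both DCs, one IOC address, one IOC hash.
SAMPLE_EVENTS = [
    r'EventID="5140" Computer="DC01" IpAddress="203.0.113.5" ShareName="\\*\ADMIN$" SubjectUserName="patchsvc"',
    r'EventID="5140" Computer="DC01" IpAddress="192.0.2.77" ShareName="\\*\C$" SubjectUserName="jdoe"',
    r'EventID="5140" Computer="DC02" IpAddress="192.0.2.77" ShareName="\\*\ADMIN$" SubjectUserName="jdoe"',
    r'EventID="5140" Computer="FS01" IpAddress="192.0.2.77" ShareName="\\*\Public" SubjectUserName="jdoe"',
    r'EventID="4624" Computer="DC01" IpAddress="198.51.100.23" LogonType="3" TargetUserName="svc_backup"',
    r'EventID="4688" Computer="WS07" IpAddress="" NewProcessName="C:\Users\jdoe\AppData\Local\Temp\x.exe" '
    'Hashes="SHA256=' + "deadbeef" * 8 + '"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] host={a.host} src={a.src_ip} {a.detail}")
```

The fan-out rule is the one that catches the propagation behaviour itself rather than a known indicator: a workstation that opens ADMIN$ or C$ on more than one domain controller in a short span is behaving like a spreader whatever binary it carries, which matters for Nworm because the in-memory payload leaves nothing on the DC for a file-based IOC to match. Tune the admin source ranges to the hosts that genuinely perform remote administration, otherwise the rule will page on every patch cycle.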
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
VI. References
(1) Abrams, Lawrence. "Nworm: TrickBot Gang's New Stealthy Malware Spreading Module." BleepingComputer, May 29, 2020. https://www.bleepingcomputer.com/news/security/nworm-trickbot-gang-s-new-stealthy-malware-spreading-module/.
(2) Bisson, David. "Trickbot Replaces 'Mworm' Propagation Method With New 'Nworm' Module." Security Intelligence, June 1, 2020. https://securityintelligence.com/news/trickbot-replaces-mworm-propagation-method-with-new-nworm-module/.
(3) Duncan, Brad. "Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module." Palo Alto Networks Unit 42, June 1, 2020. https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/.
(4) Palmer, Danny. "This New Trickbot Malware Update Makes It Even Harder to Detect." ZDNet, May 29, 2020. https://www.zdnet.com/article/this-new-trickbot-malware-update-makes-it-even-harder-to-detect/.