TrickBot Now Steals Windows Active Directory Credentials

silversurfer

A new module for the TrickBot trojan has been discovered that targets the Active Directory database stored on compromised Windows domain controllers.

TrickBot is typically downloaded and installed on a computer through other malware. The most common malware that installs TrickBot is Emotet, which is distributed through spam with malicious Word document attachments.

Once TrickBot is installed, it will harvest various information from a compromised computer and will then attempt to spread laterally throughout a network to gather more data.

To perform this behavior, TrickBot will download various modules that perform specific behavior such as stealing cookies, browser information, OpenSSH keys, and spreading to other computers.

As part of the malware's continued evolution, a new TrickBot module called 'ADll' was discovered by security researcher Sandor Nemes that executes a variety of Windows commands that allow the trojan to steal a Windows Active Directory database.
 

upnorth

Finally, we execute the DSInternals command "Get-ADDBAccount -All -DBPath 'C:\Users\sanje\Desktop\NTDS\ntds.dit' -Bootkey [key]" to decrypt the database and view all of the accounts, including their NTLM password hashes.

Are you old enough to remember parachute pants, VCRs, and boom boxes? How about the Mosaic browser, Banyan VINES, and Token Ring networking? Do you still use any of these things? Probably not. But chances are your organization uses a protocol that is equally old.

You wouldn’t wear leather armor on a modern battlefield. And you shouldn’t expect 25-year-old technology to stand up to a six-month-old attack technique.
As easy as NTLM is to crack, that’s not its biggest weakness. Its biggest weakness is its vulnerability to credential theft attacks such as Pass the Hash (PtH). While there are many similar attacks, the underlying strategy is generally the same: steal a “secret” (such as an NTLM hash) from an end-point where it has been cached in memory (recall the third step of challenge-response), and use it to access resources to which one would otherwise not be granted access. (To be clear, PtH is not a Windows-specific attack.)
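A detection pass over process-creation telemetry for the chain the two quotes above describe: export ntds.dit from the domain controller, then decrypt it offline with DSInternals and the boot key. This is an added example, not code from TrickBot, BleepingComputer, DSInternals or the posters in this thread. It assumes a SIEM has normalised Security event 4688 / Sysmon event 1 into records with time, host, user and cmdline fields (the field names are assumptions), and it assumes the export is done with the built-in ntdsutil Install From Media command or a volume shadow copy; the post above only says ADll runs "a variety of Windows commands", so which of those it actually issues is not confirmed here. The sample events are constructed.

```python
"""Flag the Active Directory database theft chain (ntds.dit export followed by
offline hash extraction) in Windows process-creation telemetry.

Added illustration; not code from the TrickBot ADll module, BleepingComputer,
DSInternals or MalwareTips. Input records are a constructed normalisation of
Security event 4688 / Sysmon event 1 (time, host, user, cmdline); the field
names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (tag, severity, regex applied to the lower-cased, de-quoted command line)
RULES = [
    # ntdsutil "Install From Media" writes ntds.dit and the SYSTEM hive to disk.
    # Assumption: this is the built-in command a module like ADll would use; the
    # post only says the module runs "a variety of Windows commands".
    ("ntds_dump_ifm", "high",
     re.compile(r"\bntdsutil\b.*\bifm\b.*\bcreate\s+full\b")),
    # A volume shadow copy is the other common way to copy the locked live ntds.dit.
    ("shadow_copy_create", "medium",
     re.compile(r"\b(vssadmin\b.*\bcreate\s+shadow|wmic\b.*\bshadowcopy\b.*\bcreate|diskshadow)\b")),
    # Any command line that names ntds.dit directly (copy, esentutl, offline parser).
    ("ntds_file_access", "high", re.compile(r"ntds\.dit\b")),
    # The SYSTEM hive carries the boot key; without it ntds.dit secrets stay encrypted.
    ("system_hive_export", "medium",
     re.compile(r"\breg(\.exe)?\b.*\bsave\b.*hklm\\system\b")),
    # DSInternals offline cmdlets, i.e. the "Get-ADDBAccount ... -Bootkey" step quoted above.
    ("dsinternals_offline_parse", "high",
     re.compile(r"\b(get-addbaccount|get-bootkey|get-addbbackupkey)\b")),
]

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}
DUMP_TAGS = {"ntds_dump_ifm", "ntds_file_access"}
SECRET_TAGS = {"shadow_copy_create", "system_hive_export", "dsinternals_offline_parse"}
CHAIN_WINDOW = timedelta(hours=1)


def classify(cmdline):
    """Return {tag: severity} for every rule the command line matches."""
    text = re.sub(r"[\"']", "", cmdline).lower()
    return {tag: sev for tag, sev, rx in RULES if rx.search(text)}


def scan(events):
    """One alert per matching event. Escalate to critical when the same host shows
    an ntds.dit export and a boot-key / offline-parse step within CHAIN_WINDOW."""
    alerts = []
    history = defaultdict(list)  # host -> [(timestamp, tags)]
    for ev in sorted(events, key=lambda e: e["time"]):
        tags = classify(ev["cmdline"])
        if not tags:
            continue
        now = datetime.fromisoformat(ev["time"])
        severity = max(tags.values(), key=SEVERITY_RANK.__getitem__)
        recent = [t for ts, t in history[ev["host"]] if now - ts <= CHAIN_WINDOW]
        seen = set(tags).union(*recent)
        if seen & DUMP_TAGS and seen & SECRET_TAGS:
            severity = "critical"
        history[ev["host"]].append((now, set(tags)))
        alerts.append({"time": ev["time"], "host": ev["host"], "user": ev["user"],
                       "severity": severity, "tags": sorted(tags)})
    return alerts


# Constructed sample telemetry (not real logs): a dump-and-decrypt chain on a
# domain controller, plus two lone medium-severity events on a workstation.
SAMPLE_EVENTS = [
    {"time": "2020-01-23T09:00:00", "host": "DC01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"time": "2020-01-23T10:02:00", "host": "DC01", "user": "CORP\\jdoe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\AD" q q'},
    {"time": "2020-01-23T10:05:00", "host": "DC01", "user": "CORP\\jdoe",
     "cmdline": r"powershell.exe -ep bypass -c Get-ADDBAccount -All -DBPath 'C:\Windows\Temp\AD\Active Directory\ntds.dit' -Bootkey (Get-BootKey -SystemHivePath 'C:\Windows\Temp\AD\registry\SYSTEM')"},
    {"time": "2020-01-23T11:30:00", "host": "WS07", "user": "CORP\\backupsvc",
     "cmdline": r"vssadmin create shadow /for=C:"},
    {"time": "2020-01-23T11:31:00", "host": "WS07", "user": "CORP\\backupsvc",
     "cmdline": r"reg save HKLM\SYSTEM C:\Temp\sys.hiv"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["time"], alert["host"], alert["user"], alert["severity"], alert["tags"])
```

ntdsutil IFM and vssadmin are also used legitimately (domain controller promotion media, backup agents), so the two lone medium alerts on the workstation are the kind you tune against known backup accounts and hosts rather than page on. The critical escalation only fires when a host shows both an ntds.dit export and a boot-key or offline-parse step, in one event or within an hour of each other, which is the sequence the quoted DSInternals step completes.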
 
