TrickBot's Screenlocker Module Isn't Meant for Ransomware Ops

Faybert

Jan 8, 2017
The screen-locking feature added to a popular banking trojan was never intended to be used for ransomware-like operations, researchers from Fortinet revealed on Monday.

The banking trojan in question is TrickBot, and the screenlocker component was first seen at the end of March by multiple security firms and independent researchers.

Initially, researchers believed the TrickBot authors were in the first phases of deploying a screen-locking component that would transform the malware into a dual threat, a banking trojan and ransomware combined.

At the time, there was no support for file encryption operations, and researchers believed this was because they caught an early version of this particular module, expecting newer versions to roll out in the following weeks.
Screenlocker module used for password theft
But with no new versions of this module spotted in the wild, and after further analysis, Fortinet researchers revealed that the screen-locking component has nothing to do with ransom operations and is instead one step in TrickBot's password-stealing chain.

Recent versions of the TrickBot banking trojan leverage the Mimikatz password-dumping tool to steal WDigest credentials from the LSASS process memory of a Windows computer. When WDigest authentication is enabled, LSASS keeps those logon credentials in plaintext, which is what makes them recoverable with Mimikatz.
......
......
......
Screenlocker module active for Windows 8 or later only
"This function is only executed on Windows 8/Server 2012 or newer versions," Fortinet said about the screenlocker module's usage.
This is because Windows 8.1 and Server 2012 R2 (and later releases) ship with WDigest credential caching disabled by default: the value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is absent or set to "0" on those systems. Earlier versions (Windows 7, 8, Server 2008 R2 and 2012) cache WDigest plaintext by default and only gained the switch with update KB2871997. On a default Windows 8.1 or newer host there is therefore nothing for Mimikatz to dump unless something first flips that value to "1", and a subsequent logon then repopulates LSASS with plaintext credentials. That registry write is the check defenders should watch for on such hosts.
....
....
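The registry change described in the section above is the precondition for the LSASS theft the article describes, and it is the step that leaves a clean detection signal. The following detection logic is an added example, not code from Fortinet or from the article: it parses constructed Sysmon Event ID 13 (registry value set) records, flattened here into one "key=value; key=value" line each, and flags any process that sets UseLogonCredential to a non-zero DWORD. The helper wdigest_plaintext_cached encodes the per-version default from the text so an analyst can tell whether a given host actually exposes plaintext credentials; the OS labels it accepts are this example's own assumption.

```python
"""
Detection for the WDigest re-enablement step that the TrickBot screenlocker
chain depends on. Added example, not Fortinet's or the article's code.
Assumes Sysmon Event ID 13 records flattened to "key=value; ..." lines; the
sample records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Tail of the registry path that re-enables plaintext WDigest caching in LSASS.
# Sysmon writes the hive as "HKLM\System\..."; matching on the tail, case-
# insensitively, tolerates either spelling.
WDIGEST_TAIL = "\\securityproviders\\wdigest\\uselogoncredential"

# Sysmon renders DWORD data as "DWORD (0x00000001)".
_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-fA-F]+)\)")


@dataclass
class RegistryEvent:
    event_type: str
    image: str
    target_object: str
    details: str


def parse_event(line: str) -> Optional[RegistryEvent]:
    """Parse one flattened Sysmon record; return None unless it is Event ID 13."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("EventID") != "13":
        return None
    return RegistryEvent(
        event_type=fields.get("EventType", ""),
        image=fields.get("Image", ""),
        target_object=fields.get("TargetObject", ""),
        details=fields.get("Details", ""),
    )


def dword_value(details: str) -> Optional[int]:
    """Extract the integer from a Sysmon DWORD Details string, or None."""
    match = _DWORD_RE.search(details)
    return int(match.group(1), 16) if match else None


def enables_wdigest_caching(ev: RegistryEvent) -> bool:
    """True when the event sets UseLogonCredential to a non-zero DWORD."""
    if ev.event_type != "SetValue":
        return False
    if not ev.target_object.lower().endswith(WDIGEST_TAIL):
        return False
    value = dword_value(ev.details)
    return value is not None and value != 0


def find_wdigest_enablement(lines: List[str]) -> List[RegistryEvent]:
    """Return every Event ID 13 record that turns WDigest caching back on."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and enables_wdigest_caching(ev):
            hits.append(ev)
    return hits


def wdigest_plaintext_cached(os_name: str, value: Optional[int],
                             kb2871997: bool = True) -> bool:
    """
    Does LSASS keep WDigest plaintext on this host? `value` is the
    UseLogonCredential DWORD, or None when the value is absent.
    Windows 8.1 / Server 2012 R2 and later default to disabled; earlier
    versions default to enabled and only honour the value once KB2871997
    is installed. OS labels are this example's own convention.
    """
    modern = os_name in {"8.1", "2012R2", "10", "2016", "2019", "11", "2022"}
    if modern:
        return bool(value)          # absent or 0 -> off, non-zero -> on
    if not kb2871997:
        return True                 # legacy behaviour; the value is ignored
    return value is None or value != 0


# Constructed Sysmon records: one malicious re-enable, one GPO hardening write,
# one unrelated process-create event, and one unrelated registry write.
SAMPLE_LOG = [
    "EventID=13; EventType=SetValue; Image=C:\\Users\\alice\\AppData\\Roaming\\netcache\\svchost.exe; "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential; "
    "Details=DWORD (0x00000001)",
    "EventID=13; EventType=SetValue; Image=C:\\Windows\\System32\\gpupdate.exe; "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential; "
    "Details=DWORD (0x00000000)",
    "EventID=1; Image=C:\\Windows\\System32\\LogonUI.exe; CommandLine=LogonUI.exe /flags:0x0",
    "EventID=13; EventType=SetValue; Image=C:\\Windows\\explorer.exe; "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive; "
    "Details=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
]

if __name__ == "__main__":
    for ev in find_wdigest_enablement(SAMPLE_LOG):
        print(f"ALERT: {ev.image} set {ev.target_object} -> {ev.details}")
```

Only the first constructed record fires: a process running from a user's roaming profile flips the value to 1, while the gpupdate write to 0 is the hardening direction and is ignored. Pairing the alert with a screen lock or forced logoff shortly afterwards, as the article describes, is what turns a noisy registry rule into a high-confidence one, since the write alone does not expose anything until the user authenticates again.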