The most recent version of the TrickBot banking trojan now includes a screenlocker component, suggesting the malware's operators might soon start holding victims for ransom if infected targets don't appear to be e-banking users.
The good news is that the screenlocker mechanism is not fully functional just yet, and appears to still be under development.
Nonetheless, security researchers have spotted the new module dropped on victims' computers, suggesting development is advanced enough to have reached field trials.
The screenlocker module is part of one of the many files that TrickBot drops on victims computers. First sightings of this new TrickBot module date back to last week, March 15.
TrickBot, while known for being primarily a banking trojan, has evolved in recent years to become a "malware dropper."
TrickBot authors infect victims with an initial malware strain that is specialized in downloading various TrickBot modules —which are responsible for various operations. Previous known modules include the actual banking trojan (the browser injector), but also a module that sends email spam from infected hosts, and an SMB self-replicating worm for moving laterally inside larger networks.
On March 15, the initial TrickBot dropper started downloading a file named tabDll32.dll (or tabDll64.dll) that dropped three other files named:
Spreader_x86.dll - TrickBot module that attempts to spread to other computers on the same network via SMB by leveraging EternalRomance and possibly other exploits patched by the MS17-010 security patch.
SsExecutor_x86.exe - TrickBot module used together with the first, meant to run after the initial compromise. Module also establishes boot persistence on the compromised computer.
ScreenLocker_x86.dll - TrickBot module that locks the infected computer's screen. It does not encrypt files. Module non-functional.
Interesting PDB references in TrickBot's new module. pic.twitter.com/z5Q40ZOqlm— MalwareTech (Research) (@MalwareTechLab) March 21, 2018
The thing that stands out is the fact that TrickBot already had an SMB self-spreading worm component since the summer of 2017, dropped as a file named wormDll32.dll.
All the three files dropped via this newly discovered module appear to be designed to work together, one after the other, ignoring the original worm component, and with the screenlocker triggered after spreading laterally through a network.
This has led security researchers to believe that this module was developed as a one-click method to monetize infections in corporate networks where users are less likely to use e-banking services, independently from the original SMB worm.
"If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model," says Jason Davison, Advanced Threat Research Analyst for security firm Webroot.
"It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks," Davison adds. "On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines."
While there have been no file encryption operations observed in current versions, this doesn't mean the current module won't receive further updates to exhibit the behavior of a fully functional crypto-ransomware.
File hashes for the new TrickBot modules are available in a Webroot report, here.