TrickBot Trojan Steals Data from the Windows Active Directory
The TrickBot Trojan, a banking malware that earlier targeted the Windows Defender settings on Windows machines, has evolved into a malware that targets the Windows Active Directory. The trojan can also harvest emails and credentials using the Mimikatz tool. The creators of the threat are very active in developing it further and adding new layers to it. Officially called Trojan.TrickBot, the malware infects module by module, piggybacking on configuration files. Each module aims at a particular area of intrusion, such as gaining persistence, propagation, stealing credentials or encryption.
Now it is going after the Windows Active Directory, which makes it a very dangerous threat. First, let us understand how sensitive the matter really is.
1.1 What is the Windows Active Directory?
In professional environments, a machine is often connected to a network. Even if it is standalone, Windows machines support multi-user environments, thus creating a need for a user configuration management service. Windows achieves this through its Active Directory (AD) structure.
AD allows network administrators to create domains, user groups and inter-related objects within the network.
The AD contains highly critical data about users in the network. It holds identifier-credential pairs which, when stolen, give anyone holding them illegitimate access. To protect the AD, the Windows Operating System encrypts it with a BootKey that is stored inside the System component of the Windows Registry. Any user or machine in the network with a valid entry in the AD is deemed a ‘trusted’ user. If this is compromised, it means serious trouble.
1.2 What is the TrickBot Trojan doing?
The TrickBot trojan has evolved a new module dubbed “ADll” which can steal AD credentials. Sandor Nemes of VirusTotal discovered the carefully concealed symptoms of an ADll infection.
A machine in the network is designated as the Domain Controller (DC). On this DC, the AD database is saved in the C:\Windows\NTDS folder. All sensitive data in the AD is stored in the database file ntds.dit in this folder.
AD dumps, needed for migration, installation and re-installation of the AD, can be created through the ifm (install from media) command. New DCs can be created from such dumps.
The ADll module abuses the ifm command to duplicate the Active Directory database. The entire database is dumped into the %Temp% folder. The bot then sends the collected information to the author. Once the author gains access to the data, he/she knows about each and every machine in the network. He/she can use this knowledge to spread the infection further, or misuse the information to invite a host of other malware that scan for vulnerabilities.
1.3 How does the TrickBot Trojan spread?
It is no surprise that the Trojan enters your system through email. Spam campaigns carry an attachment or a fraudulent URL that triggers the trojan to activate in the background.
Therefore, as we have been emphasizing for quite some time, protect your mailbox. It is also advisable to have a scanner installed on your machine that scans attachments.
Logix’s pre-emptive approach
While dealing with malware infections, it is always easier to stop them at the gates than to let them in and then fight them. We understand this very well and thus we offer email security services that do just that. Our tools work on digital signatures and key encryption mechanisms that can not only expose danger, but also verify whether an email really originated from the sender’s address as the sender claims. Along with incoming email threats, we also take the required measures for outgoing email with DMARC, so that only you can send genuine emails through your email domains.
With over 20 years of experience in the security domain, we have refined and sharpened the quality of our offerings after studying several test cases and working with people across many industries.