PowerTrick backdoor used to target high-value businesses

The Russia-based threat actors behind the TrickBot malware appear to be turning to a new fileless backdoor dubbed PowerTrick as they seek out higher value organisations to target, according to research by threat intelligence experts at SentinelLabs.

In a recently published paper, researchers Vitali Kremez, Joshua Platt and Jason Reeves said that TrickBot – which is one of the more widespread strains of malware and a descendant of Dyre – was at first mostly focused on banking fraud, but has now shifted focus to enterprise environments, incorporating more techniques such as network profiling, mass data collection and incorporation of lateral traversal exploits.

“This focus shift is also prevalent in their incorporation of malware and techniques in their tertiary deliveries that are targeting enterprise environments; it is similar to a company where the focus will shift depending on what generates the best revenue,” said Kremez.

The PowerTrick tool – one such technique – is now being used for stealthiness, persistence and reconnaissance in high-value targets such as financial institutions, said SentinelLabs.

Reflecting the age-old maxim of quality over quantity, higher value targets have become a key focus of organised cyber criminal groups in recent months, while overall malware volumes have been seen declining by some sector observers. The ongoing Travelex ransomware crisis which has caused chaos in the foreign exchange sector is likely such a targeted attack.

In this case, SentinelLabs researchers revealed that at least some PowerTrick infections kicked off as a PowerShell task through a run-of-the-mill TrickBot infection, using a repurposed backconnect module called NewBCtest that can accept commands to execute.

The end goal of this is to bypass existing restrictions and cyber security controls to spread malware and harvest credentials and other data on highly-protected networks, possibly including air-gapped ones.

The actors are also using other PowerShell utilities to accomplish various tasks – SentinelLabs noted they were frequently using letmein.ps1, a Powershell stager for the Metasploit open source exploitation framework.

Kremez said that many of the group’s offensive tools were able to remain largely undetected because they are only used for a short period of time for targeted post-exploitation purposes, such as lateral movement in the target network.

PowerTrick in particular is highly flexible and effective, which lets the TrickBot group augment their attacks on the fly and stay hidden, as opposed to using more open source systems such as Powershell Empire, which can be easier to detect.

SentinelLabs has released some mock command-and-control panels to let at-risk groups test detections related to the PowerTrick backdoor, which are available to download on GitHub.