Cybersecurity researchers discovered a new module of the Trickbot malware, dubbed ‘masrv’, that is used to scan a local network and make lateral movement inside the target organization.
The masrv module leverage the Masscan open-source utility for local network scanning, it is used to search for other devices with open ports that can be compromised.
Once infected a device, the masrv is used to drop the component and send a series of Masscan commands to scan the local network and send the scan results back to the C2 server.
The bot scans the network for systems with sensitive or management ports left open inside an internal network, then botnet operators can then deploy other modules for lateral movements.
“Recently we have discovered a relatively new module that goes by the name masrv. The module is a network scanner that incorporates the Masscan open-source tool. Additionally, the module contains an unreferenced Anchor C2 communication function and a list of hardcoded IPs which have previously been associated with Anchor and Bazar.” reads the analysis published by Kryptos Logic. “We believe this module is used as one of Trickbot’s network reconnaissance tools to gather more information about the victim’s network.”
The recent module was compiled on December 4, 2020, but experts have yet to observe its use in the wild.
The researchers speculate the module is still under testing, the effort demonstrates that the authors of the malware are improving the Trickbot code after the recent takedown.
Kryptos Logic published a detailed analysis of the new masrv module that also includes indicators of compromise and Yara rules.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Trickbot)