Notorious Trickbot malware may have some new tricks up its sleeve


Cybersecurity researchers have detected a significant increase in the activity of the infamous Trickbot malware, with a large number of new command and control (C2) servers deployed around the world, as well as a new module for monitoring and intelligence gathering.

Trickbot, which has been used in a wide range of financially motivated attacks, including the delivery of ransomware, was the target of a large-scale takedown effort by security researchers and law enforcement last year.

However, researchers from Bitdefender, who have been tracking Trickbot, have recently picked up a resurgence in the activity of the malware, with new infrastructure and new capabilities.


“During our investigation we also stumbled on an additional tool used by the Trickbot group to facilitate the access of other threat actors to the victims’ computers,” note the researchers in their analysis.

Rising from the ashes

After last year’s takedown attempt, the Trickbot group appears to have been recuperating, and based on Bitdefender’s observations, looks all set to get back into action.

Bitdefender first picked up an updated version of the vncDll module, which Trickbot uses against select high-profile targets, in May 2021, a couple of months before this report. Now known as tvncDll, the module is under active development and is used by Trickbot for monitoring and intelligence gathering.

“This module, vncDll/tvncDll, uses a custom communication protocol, which only makes it harder to understand what data is being transmitted without prior knowledge,” says Bitdefender as it unravels the group’s new activity.

The new module interacts with one of the nine C2 servers defined in its configuration file. According to Bitdefender’s research, the C2 servers send additional malware payloads and also facilitate the exfiltration of sensitive data from the victim’s machine.

The malware now also has a password dumping functionality and “is in active development, with multiple weekly updates,” according to Bitdefender.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
