Trickbot makes a comeback with its VNC module for high-value targets

Despite law enforcement actions aimed at eliminating the Trickbot botnet, it continues to evolve. Its creators recently released an upgrade for the VNC module, which is used to control infected systems remotely.



Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security subsidiary Symantec joined hands in October and launched a concerted operation to shut down the famed TrickBot botnet’s command and control infrastructure.


Although Microsoft and its partners took the TrickBot infrastructure down, its operators sought to restart operations by bringing new command and control (C&C) servers online.



Following the takedown, the TrickBot malware’s creators made a number of changes to make it more resilient.



Trickbot attack chain



TrickBot is a well-known banking Trojan that has been operating since October 2016, and its creators have kept it updated by adding new functions.


The botnet is still available via a multi-purpose malware-as-a-service (MaaS) model.


Threat actors use the botnet to distribute malware like Conti and Ryuk, which steal personal information and encrypt it.


More than a million machines have been compromised by the Trickbot botnet so far.


Threat actors’ most common attack chain starts with EMOTET spam campaigns, which subsequently load TrickBot and/or additional loaders.


Trickbot activity grew to the point where, by May, it was the most common malware on Check Point’s radar.


Trickbot has been the most popular malware in the threat landscape since Emotet’s operations were disrupted.


Researchers from Bitdefender discovered a new version of Trickbot’s VNC module (vncDLL) that was used in attacks against high-profile targets.


“In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets. This module, known as tvncDll, is used for monitoring and intelligence gathering. It seems to be still under development, since the group has a frequent update schedule, regularly adding new functionalities and bug fixes.” states the report published by BitDefender.


The creators modified the Trickbot module tvncDLL, which is used by the botnet to monitor the victim’s activity and gather information. Since its discovery on May 12, the module looks to be in development and has been updated often.


Researchers also saw an increase in the number of C2 servers deployed around the world; the majority are now located in North America (54), with France trailing behind (7).


This module, vncDll/tvncDll, interacts with C2 servers, which function as mediators between victims and attackers using a custom communication protocol.


The list of C2 servers is defined in the vncconf configuration file, which holds up to nine IP addresses and makes victims behind firewalls reachable.


When an operator initiates communication, the VNC module creates a virtual desktop with a custom interface. The component can also halt the bot and unload it from memory.


Operators can use cmd.exe to perform a variety of high-impact PowerShell activities, such as:

  • Download additional payloads to distribute the malware further over the network
  • Open a variety of documents or the email inbox
  • Upload data from victims’ PCs to command-and-control servers


Experts also described a tool called Native Browser, which adds a password-stealing capability and is currently in development.


Indicators of compromise for recent infections are also included in BitDefender’s report.

