
Familiar trojan learns new trick: Stealing Active Directory data
The TrickBot trojan has been around for a while, first identified in 2016. Once it’s in a target system, it uses a variety of modules that it can download to gain specific capabilities. A security researcher recently discovered that a new TrickBot module, called “ADll”, allows the trojan to find, access and exfiltrate Active Directory databases stored on Windows domain controllers.
This adds a pernicious capability, with elevated risks, to an already highly capable cyber threat.
Multi-capable malware
TrickBot (aka TrickLoader, Trickster) is the product of a decade-plus of threat evolution. It was originally designed to steal online banking data, with an ever-changing list of online banking websites to attack. But as it has evolved, its modular nature has given it a growing list of capabilities, and it is being used to target victims in multiple industries. It is frequently used to deliver Ryuk ransomware, but that is far from all it can do.
As a comprehensive technical report from the US Cybersecurity and Infrastructure Security Agency (CISA) puts it:
“TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT&CK framework, from actively or passively gathering information that can be used to support targeting (Reconnaissance [TA0043]), to trying to manipulate, interrupt, or destroy systems and data (Impact [TA0040]).”
Just some of its many capabilities:
Email and browser data theft
Cryptocurrency theft targeting coinbase.com
EternalBlue exploit for lateral movement
Real-time config via Command and Control Server (C2)
Disabling security controls
Encrypting data (Ryuk malware)
Mitigating Active Directory data risk
The ADll module's ability to locate, copy and exfiltrate (and potentially destroy) Active Directory data creates several distinct risks.
First, the Active Directory database holds the password hashes of every account in the domain. With those in hand, attackers can expand access and discover targets far faster than by harvesting credentials one host at a time, which leaves you much less time to detect and block that activity before a payload such as ransomware is detonated.
In addition, it enables impersonation, business email compromise, conversation hijacking, and other types of attacks that can lead to costly fraud as well as data loss.
In the case of Active Directory data being destroyed (while possibly also being stolen), the disruption of your organization’s ability to operate would be severe and costly — and would likely take days or weeks to address fully.
Finally, it adds to the already burgeoning underground market in stolen network credentials and other identifying data. As I’ve said before in this space, we sometimes call this the “post-breach” era because of the incredibly vast number of stolen data records (including “fullz”) that are already out there, available to the highest bidder.
The best way to mitigate these risks is with a multilayer, comprehensive security solution that combines:
Zero-trust architecture to reduce the risk of unauthorized network access using stolen credentials. This goes further than multifactor authentication (MFA) alone, which zero trust incorporates as one of its controls, because every access request is verified rather than only the initial login.
Monitoring of internal network traffic and host activity (domain controllers in particular), using anomaly detection, including machine learning based techniques, to flag unusual access to directory data before it leaves the network.
Modern, cloud-based backup that protects Active Directory data and enables fast, reliable data recovery and restoration.
Check out Barracuda Email Protection and see how to get these and other capabilities in a single, integrated, easy-to-use platform.
