New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong (Mar 18, 2020)
Bitdefender researchers have discovered a new module in the TrickBot trojan that adds Remote Desktop Protocol (RDP) bruteforcing capabilities. At the time of discovery, this module, called rdpScanDll, was being employed in targeted campaigns against telecommunication, education and financial services based in the US and Hong Kong. TrickBot has been around since 2016, focusing on credential harvesting primarily in the financial industry, and is suspected to have originated from Russia.
Recommendation: Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. This makes it easier to spot unusual traffic and connections to and from your network and to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders, and any attachment that requests that macros be enabled, since TrickBot is commonly sent in malspam.
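The baseline comparison recommended above, applied to RDP (TCP 3389) flow records in both directions, as an added example that is not part of the original digest or of Bitdefender's research. The log format, internal address range, baseline pairs, window and threshold are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
BASELINE = {("10.0.0.21", "10.0.0.5")}  # assumed normal RDP (src, dst) pairs

def external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL

def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    rows = (line.split() for line in text.strip().splitlines())
    return [(datetime.fromisoformat(ts), s, d, int(p)) for ts, s, d, p in rows]

def peak_in_window(times, window):
    """Largest number of events that fall inside any single sliding window."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_rdp_anomalies(flows, baseline=BASELINE, window=timedelta(minutes=5), threshold=5):
    """Flag sources making >= threshold RDP attempts outside the baseline in one window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 3389 and (src, dst) not in baseline:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        peak = peak_in_window([ts for ts, _ in events], window)
        dsts = {dst for _, dst in events}
        if peak >= threshold:
            direction = "inbound" if external(src) else "outbound" if any(map(external, dsts)) else "lateral"
            alerts[src] = (direction, peak, len(dsts))  # (direction, peak attempts, distinct targets)
    return alerts

# Constructed flow records using documentation address ranges, not real traffic.
SAMPLE = "\n".join(
    [f"2020-03-18T09:00:{i:02d} 10.0.0.21 10.0.0.5 3389" for i in range(6)]  # baseline admin use
    + [f"2020-03-18T09:10:{i*5:02d} 203.0.113.7 10.0.0.5 3389" for i in range(6)]  # unknown outside source
    + [f"2020-03-18T09:20:{i*5:02d} 10.0.0.44 198.51.100.{i+1} 3389" for i in range(6)]  # internal host fanning out
    + [f"2020-03-18T09:30:{i:02d} 192.0.2.9 10.0.0.5 3389" for i in range(2)]  # below threshold
)

if __name__ == "__main__":
    print(find_rdp_anomalies(parse_flows(SAMPLE)))
```

An "outbound" alert with many distinct targets is the pattern to prioritise for host triage, since it points at an internal machine initiating RDP connections rather than receiving them.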
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.