
Trickbot Now Capable of Stealing Windows Active Directory Data

By Novak Bozovic, January 24, 2020

Trickbot now has a Windows Active Directory module that steals sensitive information and credentials. Given that Trickbot is built to spread aggressively, this can have very serious long-term consequences.

It is not uncommon for breeds of malware to develop at a fast pace. We wrote about the sLoad 2.0 (Starslord) malware a couple of days ago, which made a big evolutionary jump in under a month. Cybersecurity experts therefore see events like this quite often. One such type of malware is called Trickbot, and over the last few months we have been tracking its rapid evolution. Back in December 2019, we recorded scammers using Trickbot to pass through email spam filters in combination with a legitimate cloud service. Trickbot's new advanced function targets the Active Directory database stored on a compromised Windows domain controller, a file called 'ntds.dll'.

The file is created automatically once a server is promoted to a domain controller, which also means that the Active Directory database is generated during this process. By default, 'ntds.dll' is saved in C:\Windows\Ntds. The file in question is in reality a database containing lots of sensitive information related to Active Directory services, including usernames, computer and group passwords, and more. Given what it contains, this file is encrypted by default with a BootKey and can only be opened by the domain controller.

Figure 1: The 'ntdsutil' command (photo courtesy of BleepingComputer).

The domain controller uses a tool called 'ntdsutil' to open and edit the ntds.dll database. One of the commands admins can execute is 'ifm', which creates an Active Directory dump that can later be used to automate the installation media creation process. And this is precisely where Trickbot's new module comes into play.
Based on the information provided by Sandor Nemes, who first discovered this function, the ADll module of Trickbot creates a temporary copy of the Active Directory database, compresses it, and then exfiltrates the files to the attacker's servers. With these files in hand, the intruder can decrypt the Active Directory database and steal any kind of sensitive information stored there. It is clear that this manipulation of Active Directory can have serious consequences, as a lot of sensitive information can be exfiltrated. This is still a new technique that could take some time to be thoroughly investigated and defended against. One suggested resource is Huy Kha's 'Attacking Active Directory for Fun and Profit', which gives a glimpse into the different methods of exfiltrating data from Active Directory.
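Because the module's copy of the database goes through the same 'ntdsutil' / 'ifm' path an administrator would use, the practical detection angle for defenders is process-creation telemetry on domain controllers. The following is an added example, not code from the article or from any vendor: it parses a few constructed Sysmon-style process-creation records and flags ntdsutil runs that request an IFM dump or that are launched from a parent process outside an assumed allow-list of interactive admin shells (the allow-list and the sample records are assumptions).

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (Sysmon Event ID 1 style), flattened
# to one "key=value|key=value" line each. Hypothetical data, not real telemetry.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\ntdsutil.exe|CommandLine="ntdsutil.exe" "activate instance ntds" "ifm" "create full C:\\Windows\\Temp\\adcopy" quit quit|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\rundll32.exe|Computer=DC01',
    'Image=C:\\Windows\\System32\\ntdsutil.exe|CommandLine="ntdsutil.exe"|User=CORP\\backup-admin|ParentImage=C:\\Windows\\System32\\cmd.exe|Computer=DC01',
    'Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\services.exe|Computer=DC01',
]

# Parents from which an interactive administrator would plausibly start ntdsutil
# (assumed allow-list; tune it to your own environment).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mmc.exe", "explorer.exe"}

# "ifm" sub-menu or a "create [sysvol] full <path>" dump request on the command line.
IFM_PATTERN = re.compile(r"\bifm\b|\bcreate\s+(sysvol\s+)?full\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened record into a dict; values may contain '=', so split once."""
    return dict(field.split("=", 1) for field in line.split("|"))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_ad_dump(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that looks like an AD database dump via ntdsutil."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if basename(ev.get("Image", "")) != "ntdsutil.exe":
            continue
        cmd = ev.get("CommandLine", "")
        parent = basename(ev.get("ParentImage", ""))
        reasons = []
        if IFM_PATTERN.search(cmd):
            reasons.append("ntdsutil IFM dump of the ntds database requested")
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"ntdsutil started by unexpected parent {parent}")
        if reasons:
            findings.append({"host": ev.get("Computer", "?"), "user": ev.get("User", "?"),
                             "parent": parent, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in detect_ad_dump(SAMPLE_EVENTS):
        print(finding)
```

Only the first record is flagged: a plain interactive ntdsutil launch from cmd.exe stays quiet, so the rule keys on the dump request and the launching parent rather than on ntdsutil alone.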