Nworm malware: What it is, how it works and how to prevent it | Malware spotlight
Introduction
In April 2020, the creators of the TrickBot malware released a module for TrickBot called Nworm. TrickBot is a banking Trojan that targets Windows machines. It was developed in 2016 and its creation was inspired by another banking Trojan named Dyreza. TrickBot has the capacity to target a wide array of international banks via webinjects. It can also steal bitcoin from bitcoin wallets.
TrickBot comes together with modules. Each of them is responsible for the conduct of specific malicious activities. For example, some modules are responsible for propagation, others for encryption of stolen information or for stealing credentials.
In this article, we will describe the operation of one particular module, Nworm. We also provide recommendations on how to prevent an infection with a Nworm-loaded TrickBot.
Become a certified reverse engineer!
The operation of Nworm
Nworm evolved from and replaced Mworm, a module transferring an unencrypted version of the TrickBot executable to a vulnerable domain name controller. Since the executable was not encrypted, anti-malware software applications were able to easily detect and remove Mworm once it is copied to the targeted computer. The creators of TrickBot decided to “improve” Mworm in such a way as to make it harder to be detected. The new version of Mworm became known as Nworm.
Nworm transfers an encrypted version of the TrickBot executable. Furthermore, the malware is executed and operated from the memory; thus, Nworm does not leave traces that can be used for its detection. However, TrickBot cannot survive a restart of the infected system, as such a restart usually deletes most of the information stored in the computer memory.
The HTTP traffic for follow-up TrickBot EXEs is different from the traffic caused by Mworm. More specifically, the Mworm-related URL for TrickBot EXE ends with /images/redcar.png, while the Nworm-related URL for TrickBot EXE ends with /ico/VidT6cErs. In regards to Mworm, the follow-up TrickBot EXE is sent back unencrypted in the HTTP traffic. This is not the case with Nworm, where the followup TrickBot EXE returns as an encrypted or otherwise encoded binary in the HTTP traffic.
The “symptoms” of an infection with a Nworm-loaded TrickBot may include slowing down the operation of the web browser, the appearance of certain unknown tasks in the computer task manager and connecting to remote hosts without the content of the relevant device.
Prevention of the infection with a Nworm-loaded TrickBot
The prevention of a Nworm-loaded TrickBot needs to include at least three components: namely, updating the Microsoft Windows operating system, installing up-to-date anti-malware and using threat prevention platforms. These three components will be examined in more detail below.
Updating Microsoft Windows
The Microsoft developers constantly identify security issues related to Microsoft Windows and develop fixes for such security issues. The fixes are available to Windows users through the “Windows update” functionality.
Microsoft quickly identified TrickBot and related modules and included it in the malware list of the Microsoft Defender Antivirus (MDA). To ensure that MDA will detect a Nworm-loaded TrickBot, it is better to open “Virus & threat protection settings” and start the following functionalities: cloud-delivered protection and automatic sample submission.
Installing up-to-date anti-malware
Although the MDA provides good protection against malicious software, the installation of additional anti-malware programs may increase the chance of detecting a Nworm-loaded TrickBot. For example, the Palo Alto Threat Prevention platform has the capacity to scan “all traffic – applications, users, and content – across all ports and protocols” and detect the presence of Nworm. It conducts the automatic anti-malware checks and automatically blocks known malware.
Using threat prevention platforms
Threat prevention platforms collect information security-related intelligence from all over the world and provide their users with the opportunity to take measures against new threats before being impacted by those threats.
Taking into account the transformation of Mworm in Nworm, we can expect a new module called “Oworm.” Users of threat prevention platforms will be able to learn about the existence of Oworm before being affected by it, thus increasing their chance to take preventive information security measures. In the field of cybersecurity, prevention is usually better than remediation.
The threat prevention platform AutoFocus developed by information security researchers at Palo Alto Networks allows its users to track TrickBot activities by using a “TrickBot tag.” Thus, it is a powerful tool for prevention of TrickBot infections.
Become a certified reverse engineer!
Conclusion
The modular nature of TrickBot allows it to rapidly evolve towards a stealthier version. While Mworm was spreading its malicious payload in an unencrypted form on the hard drive of the infected computer, Nworm delivers an encrypted version of TrickBot executable in the memory of the infected computer. Therefore, taking into account the “invisibility” of this type of malware, special preventive measures need to be taken with regard to it. In this article, we proposed three such measures which, if applied correctly, will greatly reduce the likelihood of infection.
If no measures are taken and an infection with TrickBot occurs, this may have a tremendous impact on the affected bank. In an article entitled “Smart Wallets on Blockchain – Attacks and Their Costs,” three information security researchers estimated that the damage can range from $100 million to $10 billion.
Sources
Nworm: TrickBot gang’s new stealthy malware spreading module, BleepingComputer
Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module, Unit 42
Trojan.TrickBot, Malwarebytes Labs
Win32/Trickbot, Microsoft
Tomorrow's operations depend on unrivaled threat intelligence, today, PaloAlto Networks
Pillai, A., Saraswat, V., Arunkumar, V.R., “Smart Wallets on Blockchain – Attacks and Their Costs,” Smart City and Informatization: 7th International Conference, November 2019
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Nworm malware: What it is, how it works and how to prevent it | Malware spotlight
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis