Active Directory Being Targeted By Malware Called TrickBot

The malware named TrickBot has some new tricks up its sleeves.

Recently, a new strain of the malware was spotted in the wild with new capabilities that allow it to target the Active Directory database stored on compromised Windows domain controllers.


While TrickBot has never been seen as one of the most dire threats in the malware universe, this new functionality does make it dangerous.

Domain administrators need to be aware of the dangers associated with hackers gaining access to and exploiting Active Directory. The directory stores user names, the password hashes of every domain account (including the krbtgt account, whose hash is enough to forge Kerberos tickets for any user), computer names, groups, and a variety of other sensitive data.

To understand how TrickBot manages this feat, it’s important to dig into a few technical details. When a server is promoted to a domain controller, the Active Directory database is created and saved on that machine in the C:\Windows\NTDS folder. One of the files in this folder is ntds.dit, the Extensible Storage Engine (ESE) database that holds the directory’s contents, password hashes included.

Given the sensitivity of this information, the password hashes inside ntds.dit are encrypted with a key that is itself protected by the BootKey (also known as the SYSKEY), which is stored in the SYSTEM hive of the Registry; an attacker therefore needs both ntds.dit and the SYSTEM hive to read the hashes. While the directory service is running, ntds.dit is held open with an exclusive lock, so it cannot simply be copied like an ordinary file. Domain controllers do, however, ship with a command-line tool called ntdsutil that lets administrators perform maintenance on the database, including making consistent copies of it.

TrickBot gets around the lock by abusing ntdsutil’s “Install from Media” (IFM) function, which is meant to produce a consistent snapshot of the database for promoting new domain controllers. The malware directs ntdsutil to write that snapshot into the %Temp% folder; the output contains both ntds.dit and the SYSTEM registry hive, which is exactly what is needed to decrypt the hashes. TrickBot then compresses the folder and sends it to a command and control server run by the attackers. Once they have the files, offline tools extract every account’s NTLM password hash, which can be cracked or used directly in pass-the-hash attacks. That, of course, spells trouble for the organization that owns the server.
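As an added example (not from the original article or from any TrickBot sample), here is a Python detector for the technique described above, run over constructed Windows Security event 4688 process-creation records. It assumes command-line auditing is enabled on the domain controller so that the ntdsutil arguments are recorded; the field names follow the 4688 event schema and the sample events are made up. It flags any ntdsutil invocation that creates an IFM set and raises the severity when the target is a Temp folder, since a genuine IFM copy for a new domain controller is staged somewhere deliberate.

```python
import os
import re

# Constructed sample Windows Security 4688 (process creation) events, not real
# telemetry. CommandLine is only populated when the audit policy setting
# "Include command line in process creation events" is enabled.
SAMPLE_EVENTS = [
    {   # IFM copy written under a user's Temp folder: the pattern described above
        "EventID": 4688,
        "SubjectUserName": "svc_backup",
        "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
        "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Users\svc_backup\AppData\Local\Temp\ad" q q',
    },
    {   # IFM copy to a dedicated folder, as an admin preparing a new DC might do
        "EventID": 4688,
        "SubjectUserName": "dcadmin",
        "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
        "CommandLine": r'ntdsutil "activate instance ntds" "ifm" "create sysvol full D:\IFM\DC03" quit quit',
    },
    {   # ntdsutil used for a routine integrity check: no IFM, should not alert
        "EventID": 4688,
        "SubjectUserName": "dcadmin",
        "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
        "CommandLine": r'ntdsutil "activate instance ntds" files integrity q q',
    },
    {   # unrelated process on the same host
        "EventID": 4688,
        "SubjectUserName": "dcadmin",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Windows\NTDS",
    },
]

# Each quoted string on the ntdsutil command line is one sub-command
# ("create full C:\path"); bare words (q, quit) are sub-commands too.
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
# ntdsutil accepts unambiguous abbreviations ("ac i ntds" == "activate instance
# ntds"), so match the create verb and its target rather than full words.
CREATE_RE = re.compile(r"^create\s+(?:sysvol\s+)?full\s+(.+)$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\|%temp%", re.IGNORECASE)


def split_args(cmdline):
    """Split a Windows command line into ntdsutil arguments, removing the quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def detect_ifm_dump(event):
    """Return a finding if this 4688 event shows ntdsutil creating an IFM copy, else None."""
    if event.get("EventID") != 4688:
        return None
    image = os.path.basename(event.get("NewProcessName", "").replace("\\", "/")).lower()
    args = split_args(event.get("CommandLine", ""))
    if image != "ntdsutil.exe" and not any(a.lower() in ("ntdsutil", "ntdsutil.exe") for a in args):
        return None
    if not any(a.lower() == "ifm" for a in args):
        return None
    target = next((m.group(1).strip() for m in map(CREATE_RE.match, args) if m), None)
    if target is None:
        return None
    # A legitimate IFM set is staged for a DC promotion, not dropped into %Temp%.
    in_temp = bool(TEMP_RE.search(target))
    return {
        "user": event.get("SubjectUserName"),
        "target": target,
        "severity": "high" if in_temp else "medium",
        "reason": "ntdsutil IFM create" + (" into a Temp folder" if in_temp else ""),
    }


def scan(events):
    """Run the detector over a list of events and return the findings."""
    return [f for f in map(detect_ifm_dump, events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['user']}: {finding['reason']} -> {finding['target']}")
```

The medium-severity case is deliberate: an IFM set created by a known administrator into a staging folder shortly before a new domain controller is promoted is normal, so that alert is for review rather than immediate response, while any IFM output landing in a Temp folder should be treated as a likely credential dump.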

All that to say, if TrickBot isn’t currently on your radar, it deserves a spot there. Its new capabilities make the malware significantly more dangerous.

Used with permission from Article Aggregator


Philipp Baumann

Philipp founded BoomTech after moving to the United States from Switzerland at the age of 24. His clients say he operates his business like a “Swiss Clock!” because he has a very detail-oriented process that allows him to come up with a technology solution to his client’s problems no matter what it takes.
