Malware analysis

Nworm malware: What it is, how it works and how to prevent it | Malware spotlight

Chris Sienko
November 11, 2020 by
Chris Sienko

Introduction

In April 2020, the creators of the TrickBot malware released a module for TrickBot called Nworm. TrickBot is a banking Trojan that targets Windows machines. It was developed in 2016 and its creation was inspired by another banking Trojan named Dyreza. TrickBot has the capacity to target a wide array of international banks via webinjects. It can also steal bitcoin from bitcoin wallets.

TrickBot comes together with modules. Each of them is responsible for the conduct of specific malicious activities. For example, some modules are responsible for propagation, others for encryption of stolen information or for stealing credentials. 

In this article, we will describe the operation of one particular module, Nworm. We also provide recommendations on how to prevent an infection with a Nworm-loaded TrickBot. 

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

The operation of Nworm

Nworm evolved from and replaced Mworm, a module transferring an unencrypted version of the TrickBot executable to a vulnerable domain name controller. Since the executable was not encrypted, anti-malware software applications were able to easily detect and remove Mworm once it is copied to the targeted computer. The creators of TrickBot decided to “improve” Mworm in such a way as to make it harder to be detected. The new version of Mworm became known as Nworm.

Nworm transfers an encrypted version of the TrickBot executable. Furthermore, the malware is executed and operated from the memory; thus, Nworm does not leave traces that can be used for its detection. However, TrickBot cannot survive a restart of the infected system, as such a restart usually deletes most of the information stored in the computer memory.

The HTTP traffic for follow-up TrickBot EXEs is different from the traffic caused by Mworm. More specifically, the Mworm-related URL for TrickBot EXE ends with /images/redcar.png, while the Nworm-related URL for TrickBot EXE ends with /ico/VidT6cErs. In regards to Mworm, the follow-up TrickBot EXE is sent back unencrypted in the HTTP traffic. This is not the case with Nworm, where the followup TrickBot EXE returns as an encrypted or otherwise encoded binary in the HTTP traffic.

The “symptoms” of an infection with a Nworm-loaded TrickBot may include slowing down the operation of the web browser, the appearance of certain unknown tasks in the computer task manager and connecting to remote hosts without the content of the relevant device.

Prevention of the infection with a Nworm-loaded TrickBot

The prevention of a Nworm-loaded TrickBot needs to include at least three components: namely, updating the Microsoft Windows operating system, installing up-to-date anti-malware and using threat prevention platforms. These three components will be examined in more detail below.

Updating Microsoft Windows

The Microsoft developers constantly identify security issues related to Microsoft Windows and develop fixes for such security issues. The fixes are available to Windows users through the “Windows update” functionality. 

Microsoft quickly identified TrickBot and related modules and included it in the malware list of the Microsoft Defender Antivirus (MDA). To ensure that MDA will detect a Nworm-loaded TrickBot, it is better to open “Virus & threat protection settings” and start the following functionalities: cloud-delivered protection and automatic sample submission.

Installing up-to-date anti-malware

Although the MDA provides good protection against malicious software, the installation of additional anti-malware programs may increase the chance of detecting a Nworm-loaded TrickBot. For example, the Palo Alto Threat Prevention platform has the capacity to scan “all traffic – applications, users, and content – across all ports and protocols” and detect the presence of Nworm. It conducts the automatic anti-malware checks and automatically blocks known malware.

Using threat prevention platforms

Threat prevention platforms collect information security-related intelligence from all over the world and provide their users with the opportunity to take measures against new threats before being impacted by those threats. 

Taking into account the transformation of Mworm in Nworm, we can expect a new module called “Oworm.” Users of threat prevention platforms will be able to learn about the existence of Oworm before being affected by it, thus increasing their chance to take preventive information security measures. In the field of cybersecurity, prevention is usually better than remediation.

The threat prevention platform AutoFocus developed by information security researchers at Palo Alto Networks allows its users to track TrickBot activities by using a “TrickBot tag.” Thus, it is a powerful tool for prevention of TrickBot infections.

Conclusion

The modular nature of TrickBot allows it to rapidly evolve towards a stealthier version. While Mworm was spreading its malicious payload in an unencrypted form on the hard drive of the infected computer, Nworm delivers an encrypted version of TrickBot executable in the memory of the infected computer. Therefore, taking into account the “invisibility” of this type of malware, special preventive measures need to be taken with regard to it. In this article, we proposed three such measures which, if applied correctly, will greatly reduce the likelihood of infection.

If no measures are taken and an infection with TrickBot occurs, this may have a tremendous impact on the affected bank. In an article entitled “Smart Wallets on Blockchain – Attacks and Their Costs,” three information security researchers estimated that the damage can range from $100 million to $10 billion.

 

Sources

Nworm: TrickBot gang’s new stealthy malware spreading module, BleepingComputer

Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module, Unit 42

Trojan.TrickBot, Malwarebytes Labs

Win32/Trickbot, Microsoft

Tomorrow's operations depend on unrivaled threat intelligence, today, PaloAlto Networks

Pillai, A., Saraswat, V., Arunkumar, V.R., “Smart Wallets on Blockchain – Attacks and Their Costs,” Smart City and Informatization: 7th International Conference, November 2019

Chris Sienko
Chris Sienko