The malware named TrickBot has some new tricks up its sleeves. Recently, a new strain of the malware was spotted in the wild with new capabilities that allow it to target the Active Directory database stored on compromised Windows domain controllers.
While TrickBot has never been seen as one of the most dire threats in the malware universe, this new functionality does make it dangerous.
Domain administrators need to be aware of the dangers associated with hackers gaining access to and exploiting Active Directory. The directory stores user names, password hashes, computer names, groups, and a variety of other sensitive data.
To understand how TrickBot manages this feat, it’s important to dig into a few technical details. For example, when a server is promoted as a domain controller, the Active Directory database is created and saved on that machine in the c:WindowsNTDS folder. One of the files contained in this folder is ntds.dit, which is the specific file that contains all of the Active Directory services information.
Given the sensitivity of this information, Windows encrypts the data using a BootKey, which is stored in the System hive of the Registry. Since ntds.dit is opened by the domain controller, it’s not possible for any external process to access the data it contains. Although Windows Domain Controllers have a tool called ntdsutil that allows administrators to perform maintenance on the database.
TrickBot gets around this by taking advantage of the “Install from Media” command into the %Temp% folder, where it can be compressed and sent to a command and control server controlled by the hackers. Once they’ve got their hands on the file itself, it’s easy enough to crack it open to get what’s inside. That of course, spells trouble for the organization that owns the server.
All that to say, if TrickBot isn’t currently on your radar, it deserves a spot there. Its new capabilities make the malware significantly more dangerous.