Recently, the Trickbot Trojan has added a new network scanning module to scan local network systems with open ports for quick lateral movement. The module uses the Masscan open-source tool to look for open ports with lightning-fast results.
Masscan is a mass TCP/IP port scanning product, which can scan the entire internet in very short time transmitting 10 million packets per second of data from a single machine. Use of this product might indicate an attempt to collect data regarding the target network, and use it for future attacks. According to researchers at Kryptos Logic, the TrickBot module uses the tool for network reconnaissance. The Trickbot operators can use these open ports to deploy other modules and move laterally to infect new systems.
The module arrives as either a 32-bit or 64-bit DLL library, depending on the Windows OS version of the victim machine the bot is running on. Once installed, it makes requests to the command-and-control server (C2) for a list of IP address ranges to scan, followed by port range, so that it can pass as parameters to Masscan. The additional module for the local network reconnaissance indicates that the Trickbot malware operators are eager to infect more systems with sophisticated tricks in recent future.