The malware known as TrickBot has some new tricks up its sleeve. Recently, a new strain of TrickBot targeting Active Directory was spotted in the wild. This variant comes with capabilities that allow it to specifically target the Active Directory database stored on compromised Windows domain controllers.
While TrickBot has never been considered one of the most dangerous malware threats, this new functionality significantly increases its risk level.
Domain administrators need to be aware of the dangers associated with hackers gaining access to and exploiting Active Directory. The directory stores critical information such as user names, password hashes, computer names, groups, and various other sensitive data.
To understand how TrickBot manages this feat, it’s important to dig into a few technical details. When a server is promoted to a domain controller, the Active Directory database is created and saved on that machine in the C:\Windows\NTDS folder. One of the files in this folder is ntds.dit, the file that holds all of the Active Directory service information.
Given the sensitivity of this information, Windows encrypts the data using a BootKey, which is stored in the System hive of the Registry. Because ntds.dit is held open by the domain controller while it runs, other processes cannot read its data directly. However, domain controllers ship with a tool called ntdsutil that lets administrators perform maintenance on the database.
TrickBot malware targeting Active Directory bypasses this protection. It abuses the ntdsutil “Install from Media” command to export the database into the %Temp% folder. From there, it can be compressed and sent to a hacker-controlled command and control server. Once the hackers have the file, they can crack it open to access the data it contains. This creates serious risks for the organization that owns the server.
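As an added defensive example (not code from the original article), the following Python flags the behaviour described above in process-creation telemetry: ntdsutil invoked with the Install from Media command, especially when its output lands in a Temp directory, and any other process that touches ntds.dit. The sample records, field names, paths and severity thresholds are constructed assumptions, not real telemetry.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation records (not real telemetry);
# only the fields the checks need are kept.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Users\svc\AppData\Local\Temp\x" q q',
     "ParentImage": r"C:\Windows\System32\wbem\wmiprvse.exe"},
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full D:\IFM\dc02" q q',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" files info q q',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'7z.exe a C:\Users\svc\AppData\Local\Temp\x.7z C:\Users\svc\AppData\Local\Temp\x\Active Directory\ntds.dit',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\svc\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

TEMP_PATH = re.compile(r"(\\temp\\|%temp%)", re.IGNORECASE)  # the %Temp% staging the article describes
IFM_TOKEN = re.compile(r"\bifm\b", re.IGNORECASE)            # ntdsutil "Install from Media"
NTDS_DIT = re.compile(r"ntds\.dit", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one process-creation event, or None if nothing matched."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if image == "ntdsutil.exe" and IFM_TOKEN.search(cmd):
        # IFM writes a consistent copy of ntds.dit together with the SYSTEM hive
        # that holds the BootKey, so an unplanned IFM is a credential-theft signal.
        if TEMP_PATH.search(cmd):
            return {"severity": "high", "reason": "ntdsutil IFM output written to a Temp directory"}
        return {"severity": "medium", "reason": "ntdsutil IFM invoked; confirm a DC promotion was planned"}
    if image != "ntdsutil.exe" and NTDS_DIT.search(cmd):
        # Any other process naming ntds.dit (copy, archive) looks like staging for exfiltration.
        return {"severity": "high", "reason": f"{image} referenced ntds.dit on the command line"}
    return None

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a batch and attach process/parent names for triage."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding:
            findings.append({**finding, "image": basename(event["Image"]),
                             "parent": basename(event.get("ParentImage", ""))})
    return findings
```

Recording the parent process matters for triage: a planned IFM export is typed by an administrator in a console, while an export spawned from an unexpected parent deserves immediate attention.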
If TrickBot malware targeting Active Directory isn’t on your radar, it should be. Its new capabilities make it a significantly more dangerous threat.
Used with permission from Article Aggregator