Quote:The TrickBot trojan is continuing its bounce-back from an autumn takedown, recently adding a network-scanning module that uses the Masscan open-source tool to look for open ports.
Masscan is a mass TCP/IP port scanner, which can scan the entire internet in under five minutes according to its authors, transmitting 10 million packets per second of data from a single machine. The TrickBot module that uses it, dubbed “masrv,” is likely used for network reconnaissance, according to researchers at Kryptos Logic.
The module arrives as either a 32-bit or 64-bit DLL library, depending on the Windows OS version of the victim machine the bot is running on. Once installed, it makes requests to the command-and-control server (C2) for a list of IP address ranges to scan, followed by port range, that it can pass as parameters to Masscan. The C2 also communicates the frequency for sending results and the transmission rate.
“At first, the module makes GET requests for information from the commands ‘freq,’ ‘domains’ and ‘rate,'” Kryptos Logic researchers explained in a Monday blog posting. “If successful, the module executes Masscan’s main function routine, which is compiled within the DLL.”
Read more: https://threatpost.com/trickbot-port-sca...le/163615/
![[-]](https://www.geeks.fyi/images/collapse.png)
