
Nworm

Posted: May 29, 2020

Nworm is an aggressive program that is part of the infamous TrickBot infostealer. The Nworm component, in particular, has been used by cybercriminals since April 2020. The changes this module introduces are rather peculiar, because they limit TrickBot's ability to gain persistence on the compromised system: the module makes the infection more silent while sacrificing persistence entirely. Another enhancement introduced by the Nworm component is a complicated encryption and decryption routine that it uses when it fetches the TrickBot payload. The previous version of the component downloaded the payload in a plain format, which made the attack much easier to identify and mitigate.

Usually, infostealers try to grant themselves persistence so that they can extract more data and gain access to potentially sensitive files. The Nworm component eliminates this opportunity and instead runs the payload from the system's memory. While this prevents the threat from gaining persistence, it minimizes the footprint left on the infected system. This makes the unsafe activity more difficult to detect, and makes it harder to find evidence later that the machine was previously compromised.

Usually, the lack of persistence is considered a major flaw, but this might not be a huge issue for the TrickBot Trojan if it focuses on infecting servers. Unlike regular PCs, servers are rarely shut down or restarted, which allows the Trojan to run for longer.

The recent updates to TrickBot and its modules show that the authors of the project are emphasizing security and detection avoidance to make their payload as stealthy as possible.
