{
	"id": "074ace1b-caed-41ba-8f8f-8d3799cfc1ea",
	"created_at": "2026-04-06T00:08:49.445761Z",
	"updated_at": "2026-04-10T03:21:18.970069Z",
	"deleted_at": null,
	"sha1_hash": "5934af99e66c4dc4eacee303b0d3569e1430e8d3",
	"title": "Trickbot’s New Reconnaissance Plugin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 937358,
	"plain_text": "Trickbot’s New Reconnaissance Plugin\r\nPublished: 2018-04-09 · Archived: 2026-04-05 14:22:17 UTC\r\nFortiGuard Labs has found a new plugin named networkDLL that is being distributed to the victims of the\r\nTrickbot Trojan. This new plugin is similar to the old DomainGrabber plugin discovered late last year in that they\r\nboth try to collect information about the victim’s network. In fact, we have observed the same functions being\r\nused by both plugins.\r\nThe key difference between these two plugins lies in the type of information they gather. In the past,\r\nDomainGrabber focused on obtaining domain credentials and configurations from domain controllers by\r\naccessing shared SYSVOL files. networkDLL, on the other hand, focuses on mapping out the victim’s network\r\nand getting to know more about the victim’s local system, which makes it essentially a reconnaissance-stage\r\nplugin, a stage that is very common in multi-staged APT (Advanced Persistent Threat) attacks. In this stage, threat\r\nactors gather as much information as they can to determine what type of follow-on attacks are appropriate for the\r\ntargeted system.\r\nAs is common with Trickbot plugins, networkDLL does not have any obfuscation, as can be seen in the following\r\nimage of the library’s main routine:\r\nFigure 1. The plugin’s main routine\r\nIt starts out by listing all the processes currently running on the machine. 
After that, the following basic\r\ninformation about the system’s operating system is gathered (the names match the properties of the WMI Win32_OperatingSystem class):\r\n·       CSName (Computer Name)\r\n·       Caption (Description)\r\n·       CSDVersion (Service Pack)\r\n·       OSArchitecture\r\n·       ProductType (Workstation, Domain Controller, Server)\r\nhttps://www.fortinet.com/blog/threat-research/trickbot-s-new-reconnaissance-plugin.html\r\nPage 1 of 7\n\n·       BuildType\r\n·       WindowsDirectory\r\n·       SystemDirectory\r\n·       BootDevice\r\n·       SerialNumber\r\n·       InstallDate\r\n·       LastBootUpTime\r\n·       RegisteredUser\r\n·       Organization\r\n·       TotalVisibleMemorySize\r\n·       FreePhysicalMemory\r\nTo acquire basic information about the victim’s network, the following native Windows\r\nshell commands are executed on the system:\r\n·       “ipconfig /all” – shows all adapter TCP/IP configurations\r\n·       “net config workstation” – shows what domain/workgroup the machine belongs to\r\n·       “net view all” – displays all available network shares\r\n·       “nltest /domain_trusts /all_trusts” – lists all trusted domains in the network\r\nFurthermore, by using the IADsADSystemInfo interface the malware attempts to retrieve the following\r\ninformation:\r\n·       User Name\r\n·       Computer Name\r\n·       Site Name\r\n·       Domain Short Name\r\n·       Domain DNS Name\r\n·       Forest DNS Name\r\n·       Domain Controller DNS Name\r\n·       Forest Trees\r\nFigure 2. Retrieving the AD system info\r\nFinally, it further expands its view of the victim’s network by enumerating all visible domain controllers. By using\r\nGlobal Catalogue and LDAP queries it is able to list all computers and user accounts at both the Forest and\r\nDomain levels. 
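As an added detection example (this is not code from the Fortinet post and not part of the plugin), the following Python script covers the two recon behaviours described above: it flags a parent process that spawns three or more of the four shell commands listed above within a short window, and it flags broad Global Catalog/LDAP searches that select the computer and user attributes networkDLL reads. Both detectors run over constructed sample records embedded in the script; the log formats, host names, client IPs, PIDs, thresholds and the allowlist are assumptions for illustration, and the directory search records are only modelled loosely on the fields of Directory Service event 1644.

```python
# Added example (not from the Fortinet post): two detections for
# networkDLL-style reconnaissance, run over constructed telemetry.
# Log formats, hosts, IPs, PIDs, thresholds and allowlist are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Recon command cluster in process-creation telemetry -----------------
# Token patterns for the four shell commands the post lists.
RECON_MARKERS = {
    'ipconfig /all': ('ipconfig', '/all'),
    'net config workstation': ('net', 'config', 'workstation'),
    'net view': ('net', 'view'),
    'nltest /domain_trusts': ('nltest', '/domain_trusts'),
}

# Constructed records (not real logs): ts|host|pid|ppid|image|cmdline
SAMPLE_PROCS = '''
2018-04-09T10:00:11Z|WS01|2210|1180|cmd.exe|cmd.exe /c ipconfig /all
2018-04-09T10:31:02Z|WS01|4120|3344|cmd.exe|cmd.exe /c ipconfig /all
2018-04-09T10:31:03Z|WS01|4121|3344|cmd.exe|cmd.exe /c net config workstation
2018-04-09T10:31:04Z|WS01|4122|3344|cmd.exe|cmd.exe /c net view all
2018-04-09T10:31:05Z|WS01|4123|3344|cmd.exe|cmd.exe /c nltest /domain_trusts /all_trusts
2018-04-09T11:15:40Z|WS02|5010|900|cmd.exe|cmd.exe /c net1 view /all
2018-04-09T11:15:41Z|WS02|5011|900|cmd.exe|cmd.exe /c NLTEST /domain_trusts /all_trusts
'''

def parse_proc(line):
    ts, host, pid, ppid, image, cmdline = line.split('|', 5)
    return {'ts': datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), 'host': host,
            'pid': int(pid), 'ppid': int(ppid), 'image': image, 'cmdline': cmdline}

def classify_cmd(cmdline):
    # Normalise: lowercase, drop .exe, fold the net1 alias (a common evasion) back to net.
    tokens = []
    for t in cmdline.lower().split():
        t = t[:-4] if t.endswith('.exe') else t
        tokens.append('net' if t == 'net1' else t)
    hits = set()
    for name, pat in RECON_MARKERS.items():
        if any(tuple(tokens[i:i + len(pat)]) == pat for i in range(len(tokens))):
            hits.add(name)
    return hits

def detect_recon_clusters(log, window=timedelta(minutes=5), min_distinct=3):
    # Group recon children by (host, parent pid); alert when one parent spawns
    # min_distinct different recon commands inside the window.
    by_parent = defaultdict(list)
    for line in log.strip().splitlines():
        e = parse_proc(line)
        hits = classify_cmd(e['cmdline'])
        if hits:
            by_parent[(e['host'], e['ppid'])].append((e['ts'], hits, e['pid']))
    alerts = []
    for (host, ppid), seq in by_parent.items():
        seq.sort(key=lambda x: x[0])
        for s in range(len(seq)):
            group = [x for x in seq if timedelta(0) <= x[0] - seq[s][0] <= window]
            distinct = set().union(*(h for _, h, _ in group))
            if len(distinct) >= min_distinct:
                alerts.append({'host': host, 'ppid': ppid, 'commands': sorted(distinct),
                               'children': [p for _, _, p in group]})
                break  # one alert per parent
    return alerts

# --- 2. Broad GC/LDAP enumeration in directory search logs ------------------
# Attributes the post says networkDLL reads per object type.
TARGET_ATTRS = {
    'computer': {'cn', 'dnshostname', 'distinguishedname', 'description', 'operatingsystem'},
    'user': {'samaccountname', 'mail', 'comment', 'description'},
}
TERM_RE = re.compile('[(]([A-Za-z0-9-]+)=([^()]*)[)]')

# Constructed search records (fields modelled loosely on DS event 1644).
SAMPLE_SEARCHES = '''
client=10.0.5.23:49812 scope=subtree filter=(&(objectCategory=computer)(cn=ws01)) attrs=dNSHostName returned=1
client=10.0.5.23:49820 scope=subtree filter=(objectCategory=computer) attrs=cn,dNSHostName,distinguishedName,description,operatingSystem returned=1834
client=10.0.5.23:49821 scope=subtree filter=(&(objectCategory=person)(objectClass=user)) attrs=sAMAccountName,mail,comment,description returned=5120
client=10.0.0.10:50001 scope=subtree filter=(objectCategory=computer) attrs=cn,operatingSystem returned=1834
'''

def classify_search(rec):
    # A filter is broad when every term is only objectCategory/objectClass,
    # i.e. nothing narrows the search to a specific object.
    terms = [(a.lower(), v.lower()) for a, v in TERM_RE.findall(rec['filter'])]
    structural = {'objectcategory', 'objectclass'}
    broad = bool(terms) and all(a in structural for a, _ in terms)
    kind = None
    for a, v in terms:
        if a in structural and v == 'computer':
            kind = 'computer'
        elif a in structural and v in ('person', 'user'):
            kind = 'user'
    overlap = {a.lower() for a in rec['attrs'].split(',')} & TARGET_ATTRS.get(kind, set())
    return broad, kind, overlap

def detect_ad_enumeration(log, allowlist=('10.0.0.10',), min_returned=500):
    # Alert on broad searches from non-allowlisted clients that select the
    # attribute set the plugin reads and return many objects.
    alerts = []
    for line in log.strip().splitlines():
        rec = dict(kv.split('=', 1) for kv in line.split())
        client = rec['client'].rsplit(':', 1)[0]
        broad, kind, overlap = classify_search(rec)
        if broad and kind and overlap and client not in allowlist and int(rec['returned']) >= min_returned:
            alerts.append({'client': client, 'object': kind,
                           'returned': int(rec['returned']), 'attrs': sorted(overlap)})
    return alerts
```

With the default thresholds the first detector fires once (the four commands under parent 3344 on WS01) and ignores the lone ipconfig on the same host; lowering min_distinct to 2 also catches the net1/nltest pair on WS02, which is the trade-off an analyst tunes per environment. The second detector reports the two broad computer and user searches from 10.0.5.23 and skips the allowlisted inventory host. Real directory search logging needs the Field Engineering diagnostic level and the search threshold registry values on the domain controllers before event 1644 is emitted.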
\r\nFigure 3. Gathering AD computer and user accounts\r\nThe following are the attributes that are gathered from the computer and user objects:\r\nComputer:\r\n·       cn (Common Name)\r\n·       dNSHostName\r\n·       distinguishedName\r\n·       description\r\n·       operatingSystem\r\nUser:\r\n·       sAMAccountName\r\n·       mail\r\n·       comment\r\n·       description\r\nTo retrieve the above information, this plugin uses the Active Directory Service Interfaces (ADSI) APIs to query\r\nthe attributes of both computer and user accounts.\r\nFigure 4. Retrieving computer account attributes\r\nFigure 5. Retrieving user account attributes\r\nConclusion\r\nAlthough this plugin does not currently have the capability to perform an actual attack, the sensitive information\r\nthat it gathers provides a wide surface that threat actors can utilize for future operations. For instance, they can use\r\nthe network information to initiate lateral movement techniques beyond the EternalRomance exploit\r\nthat was previously used in Trickbot’s tabDll plugin, as discussed in BleepingComputer’s article. 
Combined with the malware’s imminent move to implementing a screen locker module, this reconnaissance makes considerable damage to a target\r\na real possibility.\r\nSolution\r\nThe Trickbot loader and this new plugin are already detected as W32/Trickbot.KAD!tr.pws by the FortiGuard Antivirus\r\nservice.\r\nAll the C2 servers found are already blocked and categorized as malicious by our Web Filtering service.\r\nIOC\r\nFiles\r\n6a6e190459768d3eb0c0a40c3883fba0fc3de5d8c1f19410eb9233c482139e46 (Trickbot Main) –\r\nW32/Trickbot.KAD!tr.pws\r\na9608bb65b33abaaa3b9f94981cff7b1b76dfb6be5a30b84c2dec46e90521e13 (networkDll) –\r\nW32/Trickbot.KAD!tr.pws\r\nC2\r\n109.95.113.130:449\r\n87.101.70.109:449\r\n31.134.60.181:449\r\n85.28.129.209:449\r\n82.214.141.134:449\r\n81.227.0.215:449\r\n31.172.177.90:449\r\n185.55.64.47:449\r\n78.155.199.225:443\r\n185.159.129.31:443\r\n194.87.237.178:443\r\n82.146.60.85:443\r\n185.228.232.139:443\r\n195.54.163.29:443\r\n94.250.248.130:443\r\n94.103.82.217:443\r\n91.235.128.14:443\r\n-= FortiGuard Lion Team =-\r\nSource: https://www.fortinet.com/blog/threat-research/trickbot-s-new-reconnaissance-plugin.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/trickbot-s-new-reconnaissance-plugin.html"
	],
	"report_names": [
		"trickbot-s-new-reconnaissance-plugin.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434129,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5934af99e66c4dc4eacee303b0d3569e1430e8d3.pdf",
		"text": "https://archive.orkl.eu/5934af99e66c4dc4eacee303b0d3569e1430e8d3.txt",
		"img": "https://archive.orkl.eu/5934af99e66c4dc4eacee303b0d3569e1430e8d3.jpg"
	}
}