{
	"id": "31ec09c3-ad6e-4ca1-9595-ca030d5ef88b",
	"created_at": "2026-04-06T00:19:32.392671Z",
	"updated_at": "2026-04-10T03:21:43.879274Z",
	"deleted_at": null,
	"sha1_hash": "d19f7c753f2e29c36fc6c9364dfb8d75fcc9c165",
	"title": "Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7447222,
	"plain_text": "Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation\r\nModule\r\nBy Brad Duncan\r\nPublished: 2020-05-28 · Archived: 2026-04-05 13:46:40 UTC\r\nExecutive Summary\r\nFirst discovered in 2016, TrickBot is an information stealer that provides backdoor access sometimes used by\r\ncriminal groups to distribute other malware. TrickBot uses modules to perform different functions, and one key\r\nfunction is propagating from an infected Windows client to a vulnerable Domain Controller (DC). TrickBot\r\ncurrently uses three modules for propagation. As early as April 2020, TrickBot updated one of its propagation\r\nmodules known as \"mworm\" to a new module called \"nworm.\" Infections caused through nworm leave no\r\nartifacts on an infected DC, and they disappear after a reboot or shutdown.\r\nOther key differences of the new nworm module include:\r\nIt retrieves an encrypted or otherwise encoded binary over network traffic that represents a\r\nTrickBot executable file (the old mworm module sent it as an executable file without any sort of\r\nencryption/encoding).\r\nA TrickBot infection caused by the new nworm module is run from system RAM and does not\r\nappear to remain persistent on an infected host.\r\nThis is a much better method of evading detection on an infected DC.\r\nTrickBot is a significant threat that has received high-profile coverage in recent years, and this is a notable\r\nevolution. This blog reviews TrickBot modules, and it covers characteristics of the new nworm module in greater\r\ndetail.\r\nTrickBot Modules\r\nTrickBot is modular, meaning it uses various binaries to perform different functions during an infection. In most\r\ncases, the basis of a TrickBot infection is a malicious Windows executable (EXE) file saved to disk. This EXE is\r\noften called a \"TrickBot loader\" because it loads the TrickBot modules. TrickBot modules are dynamic link\r\nlibraries (DLLs) or EXEs run from system memory. 
See Figure 1 for a visualization of TrickBot modules.\r\nhttps://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/\r\nPage 1 of 9\n\nFigure 1. A visual representation of TrickBot and its modules.\r\nOn an infected Windows 10 host, TrickBot modules are only found in system memory. But on an infected\r\nWindows 7 host, we also see artifacts related to the modules stored on the disk. These artifacts are encrypted\r\nbinaries. During a TrickBot infection, these encrypted binaries are decrypted and run from system memory as\r\nTrickBot modules. Figure 2 shows an example of artifacts for TrickBot modules from an infection on a Windows\r\n7 client in January 2020.\r\nFigure 2. Example of artifacts for TrickBot modules on an infected Windows 7 client.\r\nAs seen in Figure 2, the artifact names end with 64, meaning this host is running a 64-bit version of Windows 7. 
If\r\nthe infection happens on a 32-bit Windows 7 host, these artifact names would end in 32 instead of 64.\r\nFigure 2 also reveals three modules TrickBot uses to spread to a DC in an Active Directory (AD) environment.\r\nThey are:\r\nmwormDll64 (the \"mworm\" module)\r\nmshareDll64 (the \"mshare\" module)\r\ntabDll64 (the \"tab\" module)\r\nNote: The tab module has a propagation function, but it also includes different capabilities not applicable to this\r\nblog.\r\nModules for Propagation\r\nStarting in September 2019, TrickBot modules with propagation capabilities have been mworm, mshare, and tab.\r\nThey generate distinct activity when propagating to a vulnerable DC.\r\nFor the mshare and tab modules:\r\nAn infected Windows client retrieves a new TrickBot EXE using an HTTP URL.\r\nThe infected Windows client sends this new TrickBot EXE over SMB traffic to the vulnerable DC.\r\nFor the mworm module:\r\nThe infected Windows client uses an SMB exploit targeting the vulnerable DC.\r\nThe vulnerable DC retrieves a new TrickBot EXE using an HTTP URL and infects itself with it.\r\nOf note, the mworm module did not usually appear unless the TrickBot infection happened in an AD environment\r\nwith a DC.\r\nFigure 3 shows a flow chart of propagation traffic caused by these three TrickBot modules.\r\nFigure 3. TrickBot propagation flow chart from September 2019 through March 2020.\r\nSince February 2020, URLs generated by these modules to retrieve follow-up TrickBot EXE files used the\r\nfollowing patterns:\r\nURL generated by mshare module ends with /images/cursor.png\r\nURL generated by mworm module ends with /images/redcar.png\r\nURL generated by tab module ends with /images/imgpaper.png\r\nThese URLs use IP addresses instead of domains. 
Figure 4 shows an example of the traffic filtered in Wireshark\r\nfrom a pcap of a TrickBot infection in March 2020.\r\nFigure 4. HTTP GET requests caused by TrickBot’s mshare, mworm and tab modules.\r\nGoodbye Mworm: Hello Nworm\r\nIn April 2020, while generating a TrickBot infection in a lab environment, we observed that TrickBot stopped using the mworm\r\nmodule. In its place, a new artifact named \"nworm\" appeared on an infected Windows 7 client. Figure 5 shows an\r\nexample of this new nworm artifact.\r\nFigure 5. New nworm module found from an infection on April 24, 2020.\r\nHTTP traffic for follow-up TrickBot EXEs caused by nworm is noticeably different from traffic caused by mworm.\r\nThe differences are:\r\nmworm: URL for TrickBot EXE ends with /images/redcar.png\r\nnworm: URL for TrickBot EXE ends with /ico/VidT6cErs\r\nmworm: Follow-up TrickBot EXE is returned unencrypted in the HTTP traffic\r\nnworm: Follow-up TrickBot EXE is returned as an encrypted or otherwise encoded binary in the\r\nHTTP traffic\r\nBy using Wireshark and examining TCP streams, we can easily spot the differences in HTTP traffic caused by the\r\nold mworm module and the new nworm module. Figure 6 shows traffic from the mworm module in March 2020,\r\nand Figure 7 shows traffic from the nworm module in April 2020.\r\nFigure 6. TCP stream showing HTTP traffic caused by the mworm module in March 2020.\r\nFigure 7. TCP stream showing HTTP traffic caused by the nworm module in April 2020.\r\nFigure 8 shows the current propagation flowchart, highlighting changes seen with the nworm module since April\r\n2020.\r\nFigure 8. 
TrickBot propagation flow chart since April 2020.\r\nLike mworm, the new nworm module does not appear unless the TrickBot infection happens in an AD\r\nenvironment with a DC.\r\nTrickBot Caused By Nworm: Not Persistent\r\nWhen nworm infects a vulnerable DC, the malware is run from memory. No artifacts are found on the infected DC\r\nand TrickBot on the DC doesn’t survive a reboot.\r\nIn cases where mshare and tab infect a vulnerable DC with TrickBot, these infections remain persistent on the DC,\r\nbut TrickBot caused by nworm is not persistent. This shouldn’t be an issue for the malware, because the DC is a\r\nserver and servers rarely shut down or reboot like a Windows client.\r\nPost-Infection Gtag from TrickBot Caused By Nworm\r\nEvery TrickBot binary has an identifier called a gtag. This is found in configuration data extracted from a\r\nTrickBot binary. Gtags can also be found in HTTP traffic during a TrickBot infection. They indicate the specific\r\ncampaign or source of infection used for a TrickBot binary.\r\nThe gtag is a short alphabetic string followed by a number representing a one-up serialization. Examples follow:\r\nmor-series gtag: TrickBot caused by an Emotet infection, for example: TrickBot gtag mor84 caused\r\nby Emotet on January 27th, 2020.\r\nono-series gtag: various TrickBot infections initiated through malicious Microsoft Office documents\r\nlike Word documents or Excel spreadsheets, distributed through English-language emails.\r\nred-series gtag: TrickBot distributed as a DLL file instead of an EXE, for example: TrickBot gtag\r\nred5 documented on March 17th, 2020.\r\nGtags for TrickBot binaries used by TrickBot modules are unique. 
They break out as:\r\ntot-series gtag: TrickBot binaries used by mshare module\r\njim-series gtag: TrickBot binaries used by nworm (and the old mworm) module\r\nlib-series gtag: TrickBot binaries used by tab module\r\nFigure 9 and Figure 10 show gtags from traffic filtered in Wireshark from an infection on April 20th, 2020. In\r\nthese images, the Windows client is at 10.4.20.101, and the DC is at 10.4.20.4.\r\nFigure 9. The initial TrickBot infection, where HTTP traffic from an infected client at 10.4.20.101\r\nshows gtag ono38.\r\nFigure 10. TrickBot spreads to the DC where we see gtag jim716 from an infection caused by the\r\nnworm module.\r\nConclusion\r\nAn infection caused by nworm is run from system memory, leaves no artifacts on an infected DC and disappears\r\nafter a reboot or shutdown. Furthermore, the TrickBot binary used by nworm is encrypted or otherwise encoded\r\nwhen it is retrieved over the Internet. These characteristics are likely an attempt by TrickBot developers to avoid\r\ndetection.\r\nThis is the latest in a series of changes in TrickBot as it evolves within our current threat landscape.\r\nHowever, best security practices like running fully-patched and up-to-date versions of Microsoft Windows will\r\nhinder or prevent TrickBot infections. Palo Alto Networks customers are further protected from TrickBot by our\r\nthreat prevention platform. 
AutoFocus users can track TrickBot activity by using the TrickBot tag.\r\nIndicators of Compromise\r\nRecent HTTP URLs for TrickBot binaries for propagation to vulnerable DC\r\n(Read: First seen YYYY-MM-DD - module name - URL)\r\n2020-04-20 - nworm - hxxp://107.172.221[.]106/ico/VidT6cErs\r\n2020-04-20 - mshare - hxxp://107.172.221[.]106/images/cursor.png\r\n2020-04-20 - tab - hxxp://107.172.221[.]106/images/imgpaper.png\r\n2020-05-08 - nworm - hxxp://23.95.227[.]159/ico/VidT6cErs\r\n2020-05-08 - mshare - hxxp://23.95.227[.]159/images/cursor.png\r\n2020-05-08 - tab - hxxp://23.95.227[.]159/images/imgpaper.png\r\nSHA256 hash for nwormDll64 artifact (encrypted binary) from an infected Windows 7 client on April 24th 2020:\r\n900aa025bf770102428350e584e8110342a70159ef2f92a9bfd651c5d8e5f76b\r\nSHA256 hash for nwormDll64 artifact (encrypted binary) from an infected Windows 7 client on May 8th 2020:\r\n85d88129eab948d44bb9999774869449ab671b4d1df3c593731102592ce93a70\r\nSource: https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/"
	],
	"report_names": [
		"goodbye-mworm-hello-nworm-trickbot-updates-propagation-module"
	],
	"threat_actors": [],
	"ts_created_at": 1775434772,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d19f7c753f2e29c36fc6c9364dfb8d75fcc9c165.pdf",
		"text": "https://archive.orkl.eu/d19f7c753f2e29c36fc6c9364dfb8d75fcc9c165.txt",
		"img": "https://archive.orkl.eu/d19f7c753f2e29c36fc6c9364dfb8d75fcc9c165.jpg"
	}
}