TrickBot

Description

(Trend Micro) Developed in 2016, TrickBot is one of the more recent banking Trojans, with many of its original features inspired by Dyreza (another banking Trojan). Besides targeting a wide array of international banks via its webinjects, Trickbot can also steal from Bitcoin wallets.

Some of its other capabilities include harvesting emails and credentials using the Mimikatz tool. Its authors also show an ability for constant new features and developments.

Trojan.TrickBot comes in modules accompanied by a configuration file. Each module has a specific task like gaining persistence, propagation, stealing credentials, encryption, and so on. The C&Cs are set up on hacked wireless routers.

Names

Name
TrickBot
Trickster
The Trick
TheTrick
Totbrick
TrickLoader
TSPY_TRICKLOAD

Category

Malware

Type

• Banking trojan
• Backdoor
• Info stealer
• Credential stealer
• Worm

Information

• https://blog.malwarebytes.com/detections/trojan-trickbot/
• https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
• https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/
• http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html
• https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/
• http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
• https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module
• https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre
• https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/
• http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html
• https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
• https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
• https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/
• https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/
• https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/
• http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html
• https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/
• https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader
• https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
• https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/
• https://blog.fraudwatchinternational.com/malware/trickbot-malware-works
• https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/
• https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms
• https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412
• https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot
• https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html
• https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/
• https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html
• https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf
• https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets
• http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot
• https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/
• http://www.malware-traffic-analysis.net/2018/02/01/
• https://www.cert.pl/en/news/single/detricking-trickbot-loader/
• https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features
• https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/
• http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html
• https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core
• https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html
• https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html
• https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
• https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html
• https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer
• https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf
• https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/
• https://blog.talosintelligence.com/2020/03/trickbot-primer.html
• https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth#When:12:00:00Z
• https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/
• https://www.bleepingcomputer.com/news/security/fake-black-lives-matter-voting-campaign-spreads-trickbot-malware/
• https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/
• https://www.bleepingcomputer.com/news/security/trickbot-malware-now-checks-screen-resolution-to-evade-analysis/
• https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/
• https://www.cybereason.com/blog/vb2020-anchor-bazar-and-the-trickbot-connection
• https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/
• https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html
• https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/
• https://www.zdnet.com/article/trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent/
• https://www.darkreading.com/vulnerabilities---threats/trickbot-phishing-ransomware-and-elections/a/d-id/1339190
• https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/
• https://www.netscout.com/blog/asert/dropping-anchor
• https://www.intezer.com/blog/threat-hunting/trickbot-or-treat-2-0/
• https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware-2/
• https://www.darkreading.com/threat-intelligence/like-the-energizer-bunny-trickbot-goes-on-and-on-/d/d-id/1339432
• https://www.bleepingcomputer.com/news/security/trickbot-turns-100-latest-malware-released-with-new-features/
• https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/
• https://www.bleepingcomputer.com/news/security/trickbot-malware-uses-obfuscated-windows-batch-script-to-evade-detection/
• https://www.cyberscoop.com/trickbot-status-microsoft-cyber-command-takedown/
• https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/
• https://www.advanced-intel.com/post/persist-brick-profit-trickbot-offers-new-trickboot-uefi-focused-functionality
• https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/
• https://www.menlosecurity.com/blog/trickbot-new-year-old-lure
• https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/
• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
• https://www.bleepingcomputer.com/news/security/supermicro-pulse-secure-release-fixes-for-trickboot-attacks/
• https://us-cert.gov/ncas/alerts/aa21-076a
• https://us-cert.gov/sites/default/files/publications/TrickBot_Fact_Sheet_508.pdf
• https://blog.sonicwall.com/en-us/2021/04/emotet-and-trickbot-the-battle-of-the-botnets/
• https://www.riskiq.com/blog/external-threat-management/trickbot/
• http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor
• https://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-module-on-the-radar
• https://cofense.com/blog/trickbot-june-debut/
• https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
• https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/
• https://securelist.com/trickbot-module-descriptions/104603/
• https://www.bleepingcomputer.com/news/security/trickbot-phishing-checks-screen-resolution-to-evade-researchers/
• https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/
• https://cofense.com/blog/trickbot-malware-delivered-as-invoices
• https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/
• https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/
• https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/
• https://thehackernews.com/2022/05/malware-analysis-trickbot.html
• https://www.cyjax.com/2022/07/15/who-is-trickbot/
• https://www.malwarebytes.com/blog/threat-intelligence/2022/08/exploits-and-trickbot-disrupt-manufacturing-operations

Mitre Attack

• https://attack.mitre.org/software/S0266/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot

Alienvault Otx

• https://otx.alienvault.com/browse/pulses?q=tag:TrickBot

Playbook

• https://pan-unit42.github.io/playbook_viewer/?pb=trickbot
• https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/

Other Information

Uuid

1ee83664-1baa-49f4-8056-c9a2d73a9a80

Last Card Change

2022-12-28