The TrickBot malware

TrickBot (or “TrickLoader”) is a banking Trojan that targets both businesses and consumers for their data, such as banking information, account credentials, personally identifiable information (PII), and even bitcoins.

As a highly modular malware, it can adapt to any environment or network it finds itself in.

What is TrickBot malware?

The many tricks this Trojan has done since its discovery in 2016 are attributed to the creativity and agility of its developers.

On top of stealing, TrickBot has been given capabilities to move laterally and gain a foothold within an affected network using exploits, propagate copies of itself via Server Message Block (SMB) shares, drop other malware like Ryuk ransomware, and scout for documents and media files on infected host machines.

The history of TrickBot

TrickBot started off as a banking information stealer, but nothing about it is simple—even right from the beginning.

TrickBot has the reputation of being the successor of Dyreza, another credential stealer that first appeared in the wild in 2014.

It shared similarities with Dyreza, such as certain variables with similar values and the way its creators set up the command-and-control (C&C) servers TrickBot communicates with.

This has led many researchers to believe that the person or group who created Dyreza also created TrickBot.

In 2017, developers included a worm module in TrickBot, which could mean it was inspired by successful ransomware campaigns with worm-like capabilities, such as WannaCry and EternalPetya.

The developers also added a module to harvest Outlook credentials, because hundreds of organizations and millions of individuals worldwide use this email service.

The range of data TrickBot steals also widened: cookies, browsing history, URLs visited, Flash LSO (Local Shared Objects), and many more.

In 2018, it continued to exploit the SMB vulnerability. It was also equipped with a module that disables Windows Defender’s real-time monitoring using a PowerShell command.

While it had also updated its encryption algorithm, the rest of its module functionality stayed the same.
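The Defender-tampering behaviour described above leaves two traces a defender can look for: Windows Defender records in its own operational log when real-time protection is turned off, and, where PowerShell script block logging is enabled, the command that did it is written to the PowerShell operational log. The script below is an added example for hunting those traces on a single host; it is not code from the original article. It assumes an elevated session, that script block logging (Event ID 4104) is enabled, and that the Defender operational log exists on the machine; the regular expression is an assumption about what the disabling command looks like, not a signature taken from the malware.

```powershell
# Added example (not from the original article): look for evidence that
# Windows Defender real-time monitoring was switched off via PowerShell.
# Assumes an elevated session, script block logging enabled (Event ID 4104),
# and the Defender operational log present on this host.

# 1. Current state: is real-time monitoring off right now?
$prefs  = Get-MpPreference
$status = Get-MpComputerStatus
if ($prefs.DisableRealtimeMonitoring -or -not $status.RealTimeProtectionEnabled) {
    Write-Output '[!] Real-time monitoring is currently disabled on this host'
}

# 2. Defender's own record of real-time protection being disabled (Event ID 5001)
$defenderOff = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5001
} -ErrorAction SilentlyContinue

foreach ($evt in $defenderOff) {
    Write-Output "[!] $($evt.TimeCreated) Defender reported real-time protection disabled"
}

# 3. Script blocks containing the cmdlet/parameter used to disable monitoring.
#    The pattern is an assumption about the command's shape, not a malware signature.
$pattern = 'Set-MpPreference.*DisableRealtimeMonitoring\s*(\$true|1)'
$scriptBlocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern }

foreach ($evt in $scriptBlocks) {
    # First line of the message is Defender-independent context; the matched
    # command itself follows. Print a short excerpt rather than the whole block.
    $excerpt = ($evt.Message -split "`n" | Where-Object { $_ -match $pattern } | Select-Object -First 1).Trim()
    Write-Output "[!] $($evt.TimeCreated) script block matched: $excerpt"
}

if (-not $defenderOff -and -not $scriptBlocks) {
    Write-Output '[ok] No Defender-disable events found in the logs checked'
}
```

Run it as part of the IoC sweep on hosts suspected of infection; a 5001 event without a matching 4104 entry usually means script block logging was not enabled at the time, which is itself worth fixing.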

TrickBot developers also started securing their code from being taken apart by security researchers by incorporating obfuscation elements.

At the end of the year, TrickBot was ranked as the top threat against businesses, overtaking Emotet.

TrickBot developers made some changes to the Trojan in 2019 yet again. Specifically, they made changes to the way the webinject feature works against the US-based mobile carriers, Sprint, Verizon Wireless, and T-Mobile.

Recently, researchers have noted an improvement in this Trojan’s evasion method. Mworm, the module responsible for spreading a copy of itself, was replaced by a new module called Nworm.

This new module alters TrickBot’s HTTP traffic, allowing it to run from memory after infecting a domain controller. This ensures that it doesn’t leave any traces of infection on affected machines.

How does it spread?

Like Emotet, TrickBot arrives on affected systems in the form of either embedded URLs or infected attachments in malicious spam (malspam) campaigns.

Once executed, it then spreads laterally within the network by exploiting the SMB vulnerability using any of the three widely known NSA exploits: EternalBlue, EternalRomance, or EternalChampion.

Emotet can also drop TrickBot as part of a secondary infection.

Who does Trickbot target?

At first, anyone seemed to be a potential target. But in recent years, its targets appear to have become more specific—like Outlook or T-Mobile users. At times, TrickBot is found masquerading as tax-themed spam.

In 2019, researchers found a repository of harvested email addresses and/or messenger credentials from millions of users. These belong to users of Gmail, Hotmail, Yahoo, AOL, and MSN.

How can I protect myself?

Learning how TrickBot works is the first step to knowing how organizations and consumers can protect themselves from it. Here are some other things to pay attention to:

  • Look for possible indicators of compromise (IoCs) by running tools designed for this purpose; doing so identifies infected machines within the network. Once identified, isolate those machines from the network.
  • Download and apply patches that address the vulnerabilities that TrickBot exploits.
  • Disable administrative shares.
  • Change all local and domain administrator passwords.
  • Protect yourself from an infection using a cybersecurity program that has multi-layered protection.
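The checklist above can be turned into a repeatable posture check. The following script is an added example, not code from the original article or from any product: it reads a Windows host's state against three of the items (SMB patch and SMBv1 exposure, administrative shares, Defender real-time monitoring) and, with the -Fix switch, applies the changes that are safe to reverse. It assumes Windows 8 / Server 2012 or later (for the SmbShare and Defender cmdlets) and an elevated session; the KB number for the SMB patch differs by OS build, so it is left as a labelled placeholder to fill in.

```powershell
# Added example (not from the original article): check a host against the
# protection checklist and optionally apply the reversible fixes.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
param([switch]$Fix)

$findings = @()

# SMBv1 is the protocol the EternalBlue/EternalRomance/EternalChampion exploits
# abuse. With the patch applied and SMBv1 off, that lateral-movement path is closed.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# Patch check. KB_PLACEHOLDER is deliberately not a real KB number: substitute the
# MS17-010 update that applies to this OS build.
$smbPatchKb = 'KB_PLACEHOLDER'
if (-not (Get-HotFix -Id $smbPatchKb -ErrorAction SilentlyContinue)) {
    $findings += "SMB patch $smbPatchKb not found (verify the KB for this OS build)"
}

# Administrative shares (C$, ADMIN$) are what SMB-based copying rides on.
# IPC$ is excluded: it cannot be removed and is needed for normal operation.
$adminShares = Get-SmbShare -Special $true | Where-Object { $_.Name -ne 'IPC$' }
if ($adminShares) {
    $findings += "Administrative shares present: $($adminShares.Name -join ', ')"
    if ($Fix) {
        # Stop the Server service from recreating them at the next start,
        # then remove the ones that exist now.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name AutoShareWks    -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name AutoShareServer -Value 0 -Type DWord
        $adminShares | Remove-SmbShare -Force
    }
}

# Real-time monitoring is the Defender setting the 2018 module switched off.
$mp = Get-MpPreference
if ($mp.DisableRealtimeMonitoring) {
    $findings += 'Windows Defender real-time monitoring is disabled'
    if ($Fix) { Set-MpPreference -DisableRealtimeMonitoring $false }
}

# Report. Each finding maps to one item of the checklist above.
if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output '[ok] No findings for the checks above'
}
```

Run it without -Fix first to see what would change; disabling administrative shares can break remote administration tools that depend on them, so apply that step per host rather than fleet-wide. Changing local and domain administrator passwords is not scripted here because it belongs in the directory and password-management process, not in a host check.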