TrickBot (TrickLoader, Trickster, TheTrick, TrickLoader, Totbrick, TSPY_TRICKLOAD, TrickBot) is a semi-modular, pervasive, banking trojan which has been observed since mid-2016. The malware appears to owe its heritage to the Dyre (aka Dyreza) malware. The malware’s primary function is the capturing of victims’ consumer financial credentials; however, it has also expanded its capabilities to include capturing of credentials for wealth management firms, and even data that allows it to carry out so-called ‘SIM-swapping’ attacks.
It is also of note that TrickBot has been observed dropping additional payloads, especially ransomware, including Ryuk and GlobeImposter.
On 04 June 2021 a Latvian national was charged by the US Department of Justice for his role in the TrickBot malware operation.
TrickBot targeting it often done very broadly, aligning to potential victims in regions with financial institutions which TrickBot supports.
The malware is almost exclusively delivered through various phishing campaigns. The typical delivery mechanism is using malicious documents (‘maldocs’) which either download the malware directly, or download another malware family which serves as a downloader (historically this malware has utilized the RIG Exploit Kit (RIGEK), and the Necurs botnet, but more recently it has relied heavily on Emotet for delivery). Note however that TrickBot has also been seen being delivered through malicious scripts which are zipped and attached to the email.
Upon initial execution, TrickBot determines if it is running in the %APPDATA% (Windows Vista and above) or %Application Data% (Windows XP) folders. If it determines it is beging run from another folder, it copies itself into one of those folders based on the operationg system.
The malware then performs several checks to validate if it is located in an analysis environment, including registry checks to determine if the version of windows is an evaluation version; the malware also checks against the username and hostname; and also checks to determine if it has been executed in a virtual environment.
TrickBot has been observed using scheduled jobs as a means of persistence.
Modules for the malware has been observed being stored in subdirectories directly within %APPDATA% or under the same subdirectory that TrickBot installs itself into.
TrickBot analysis has revealed several modules which are available:
- System Information Collection (aka ‘Systeminfo’)
- Network Information Collection (aka ‘NetworkDll’)
- Credential Harvesting – Leverages MimiKats to dump LSASS.exe. Credentials gathered from this module are then passed to the Lateral Movement modules.
- Remote Administration through VNC
- Lateral Movement (aka ‘WormDll’ and ‘ShareDll’) – Leverages EternalBlue for lateral movement.
- Lateral Movement (aka ‘TabDll’) – Leverages EternalRomance for lateral movement.
- Email Address Collection (aka ‘Mailsearcher’) – this module searches through specific file types in order to gather email addresses which can be used for further exploitation.
- Browser Data Collection (aka ‘Pwgrab’) – Gathers credentials, autofill data, browser history, as well as additional data from various browsers.
- Browser Data Collection (aka ‘ModuleDll’ and ‘ShareDll’) – Collect cookies and browser configuration.
- LoaderDll/InjectDll – Web Injections (e.g. extra fields or pop over windows)
- Server-side Web Injections (aka Dinj)
- Redirection Module (aka Sinj)
- CyrptoMiner – TrickBot has been observed deploying XMRIG in order to mine the Monero cryptocurrency.
- Exfiltration (aka Dpost) – module which collects consumer financial information and POSTs it to a hard coded IP address.