TrickBot

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]

ID: S0266
Associated Software: Totbrick, TSPY_TRICKLOAD
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security; Cybereason Nocturnus, @nocturnus; Omkar Gudhate; FS-ISAC
Version: 2.2
Created: 17 October 2018
Last Modified: 10 April 2024

Associated Software Descriptions

Name            Description
Totbrick        [5][6]
TSPY_TRICKLOAD  [5]

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

TrickBot collects the users of the system.[1][7]

.003 Account Discovery: Email Account

TrickBot collects email addresses from Outlook.[7]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.[1][8]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TrickBot establishes persistence in the Startup folder.[9]

Enterprise T1185 Browser Session Hijacking

TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[2][3][6][7]

Enterprise T1110 .004 Brute Force: Credential Stuffing

TrickBot uses a brute-force attack against RDP with its rdpscanDll module.[9][10]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TrickBot has used PowerShell to download new payloads, open documents, and upload data to command and control servers.[11]

.003 Command and Scripting Interpreter: Windows Command Shell

TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[12]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.[7]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.[7][8][11]

.005 Credentials from Password Stores: Password Managers

TrickBot can steal passwords from the KeePass open source password manager.[8]

Enterprise T1132 .001 Data Encoding: Standard Encoding

TrickBot can Base64-encode C2 commands.[8]

Enterprise T1005 Data from Local System

TrickBot collects local files and information from the victim’s local machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

TrickBot decodes the configuration data and modules.[2][8][13]

Enterprise T1482 Domain Trust Discovery

TrickBot can gather information about domain trusts by running Nltest.[14][8]
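
The Nltest-based trust enumeration above, and the esentutl-assisted copying of browser credential stores described under Credentials from Web Browsers, both surface in process-creation telemetry. The following is an added detection example written for this page, not code from TrickBot or from any cited report. It assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the events and file paths in it are constructed, and the parent-process rating uses the injection hosts this page names (svchost.exe, wermgr.exe).

```python
"""Process-creation triage for the discovery and credential-collection
commands this page attributes to TrickBot (nltest for domain trusts,
esentutl for copying browser credential stores).

Added example: detection logic written for this page, not code from
TrickBot or from the cited reports. Field names follow Sysmon Event ID 1;
the events below are constructed and their paths are made up."""

NLTEST_TRUST_FLAGS = ("/domain_trusts", "/all_trusts", "/dclist")
# Chromium credential/cookie store file names (real names; sample paths are constructed).
CHROMIUM_CRED_STORES = ("login data", "web data", "cookies")
# Processes this page names as TrickBot injection hosts; a discovery tool
# spawned from one of them is a stronger signal than one run from an admin shell.
INJECTION_HOSTS = {"svchost.exe", "wermgr.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /dclist:corp"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl /y "C:\Users\alice\AppData\Local\Google\Chrome'
                    r'\User Data\Default\Login Data" /d C:\Users\alice\ld.tmp /vss'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /server:dc01 /sc_query:corp"},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one process-creation event to an ATT&CK technique, or None."""
    image = image_name(event["Image"])
    cmd = event["CommandLine"].lower()
    if image == "nltest.exe" and any(flag in cmd for flag in NLTEST_TRUST_FLAGS):
        return "T1482 Domain Trust Discovery"
    # esentutl /y <src> /d <dst> [/vss] copies a file, even one locked by the browser.
    if (image == "esentutl.exe" and "/y" in cmd.split()
            and any(store in cmd for store in CHROMIUM_CRED_STORES)):
        return "T1555.003 Credentials from Web Browsers"
    return None


def triage(events):
    """Return one alert per matching event, rated by its parent process."""
    alerts = []
    for event in events:
        technique = classify(event)
        if technique is None:
            continue
        parent = image_name(event["ParentImage"])
        alerts.append({
            "technique": technique,
            "severity": "high" if parent in INJECTION_HOSTS else "medium",
            "parent": parent,
            "command": event["CommandLine"],
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["technique"], "<-", alert["parent"], ":", alert["command"])
```

A plain `nltest /sc_query` from an interactive shell is left alone on purpose; the trust-enumeration switches and the injection-host parent are what separate TrickBot's reconnaissance from routine administration.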

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[2] Newer versions of TrickBot have been known to use bcrypt (the Windows CNG cryptography library) to encrypt and digitally sign responses to their C2 server.[15]

Enterprise T1041 Exfiltration Over C2 Channel

TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.[8][11]

Enterprise T1210 Exploitation of Remote Services

TrickBot utilizes EternalBlue and EternalRomance exploits for lateral movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, tabDll.[9]

Enterprise T1008 Fallback Channels

TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.[8]

Enterprise T1083 File and Directory Discovery

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[1][7]

Enterprise T1495 Firmware Corruption

TrickBot module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device.[16]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

TrickBot has used a hidden VNC (hVNC) window to monitor the victim and collect information stealthily.[17]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TrickBot can disable Windows Defender.[7]

Enterprise T1105 Ingress Tool Transfer

TrickBot downloads several additional files and saves them to the victim's machine.[5][11]

Enterprise T1056 .004 Input Capture: Credential API Hooking

TrickBot has the ability to capture RDP credentials by hooking the CredEnumerateA API.[12]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

TrickBot has used COM to set up a scheduled task for persistence.[9]

Enterprise T1036 Masquerading

The TrickBot downloader has used an icon to appear as a Microsoft Word document.[8]

Enterprise T1112 Modify Registry

TrickBot can modify registry entries.[7]

Enterprise T1106 Native API

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[1] TrickBot has also used Nt* API functions to perform Process Injection.[13]

Enterprise T1135 Network Share Discovery

TrickBot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API.[9][10]

Enterprise T1571 Non-Standard Port

Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[1][2][5] Newer versions of TrickBot have been known to use a custom communication protocol that sends data unencrypted over port 443, so the port alone does not indicate TLS.[11]
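
The C2 list that drives the port behaviour above lives in the configuration that TrickBot decodes at runtime (Deobfuscate/Decode Files or Information). The following is an added example written for this page, not TrickBot code or code from the cited reports. It starts from an already-decrypted configuration and assumes the XML layout publicly reported for TrickBot (an `<mcconf>` root with `<ver>`, `<gtag>`, a `<servs>` list of `<srv>` ip:port entries and an `<autorun>` list of `<module>` elements); decrypting the AES-CBC blob this page describes is out of scope. The sample configuration is constructed, with RFC 5737 documentation addresses, a made-up gtag and module names taken from this page.

```python
"""Parse a decrypted TrickBot-style configuration and triage its C2 list.

Added example, not TrickBot code or code from the cited reports. Assumes
the publicly reported <mcconf> XML layout; the sample below is a constructed
plaintext (documentation IPs, made-up gtag, module names from this page)."""
import xml.etree.ElementTree as ET

# Ports this page associates with TrickBot C2 alongside 443.
TRICKBOT_ALT_PORTS = {447, 8082}

# Constructed sample configuration (not a real TrickBot config).
SAMPLE_CONFIG = """<mcconf>
  <ver>1000000</ver>
  <gtag>tst1</gtag>
  <servs>
    <srv>192.0.2.10:443</srv>
    <srv>198.51.100.7:447</srv>
    <srv>203.0.113.25:8082</srv>
    <srv>192.0.2.11:80</srv>
  </servs>
  <autorun>
    <module name="networkDll"/>
    <module name="shareDll"/>
    <module name="vncDll"/>
  </autorun>
</mcconf>"""


def parse_mcconf(xml_text):
    """Return version, campaign tag, (host, port) servers and autorun modules."""
    root = ET.fromstring(xml_text)
    if root.tag != "mcconf":
        raise ValueError(f"unexpected root element {root.tag!r}")
    servers = []
    for srv in root.iterfind("servs/srv"):
        host, sep, port = (srv.text or "").strip().rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed <srv> entry {srv.text!r}")
        servers.append((host, int(port)))
    return {
        "version": (root.findtext("ver") or "").strip(),
        "gtag": (root.findtext("gtag") or "").strip(),
        "servers": servers,
        "modules": [m.get("name") for m in root.iterfind("autorun/module")],
    }


def c2_indicators(conf):
    """Label each server by how its port should be hunted on the wire.

    443 is not assumed to carry TLS: newer TrickBot sends an unencrypted
    custom protocol over 443, so a TLS handshake must be verified rather
    than inferred from the port number."""
    out = []
    for host, port in conf["servers"]:
        if port in TRICKBOT_ALT_PORTS:
            note = "non-standard port reported for TrickBot C2 (T1571)"
        elif port == 443:
            note = "standard TLS port; confirm a real TLS handshake, not a custom protocol"
        else:
            note = "port not documented for TrickBot; review before blocking"
        out.append({"indicator": f"{host}:{port}", "port": port, "note": note})
    return out


if __name__ == "__main__":
    conf = parse_mcconf(SAMPLE_CONFIG)
    print("ver", conf["version"], "gtag", conf["gtag"], "modules", conf["modules"])
    for ind in c2_indicators(conf):
        print(ind["indicator"], "-", ind["note"])
```

The parser rejects entries without a numeric port rather than guessing one, since a config extracted from memory is often truncated or partially overwritten; a bad `<srv>` should fail loudly instead of producing a half-correct blocklist.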

Enterprise T1027 Obfuscated Files or Information

TrickBot uses non-descriptive names to hide functionality.[1]

.002 Software Packing

TrickBot leverages a custom packer to obfuscate its functionality.[1]

.013 Encrypted/Encoded File

TrickBot uses AES-256 in CBC mode to encrypt its loader and configuration files.[1]

Enterprise T1069 Permission Groups Discovery

TrickBot can identify the groups the user on a compromised host belongs to.[8]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.[12]

.002 Phishing: Spearphishing Link

TrickBot has been delivered via malicious links in phishing e-mails.[8]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

TrickBot can implant malicious code into a compromised device's firmware.[16]

Enterprise T1057 Process Discovery

TrickBot uses module networkDll for process list discovery.[9][10]

Enterprise T1055 Process Injection

TrickBot has used Nt* Native API functions to inject code into legitimate processes such as wermgr.exe.[13]

.012 Process Hollowing

TrickBot injects into the svchost.exe process.[1][5][6][8]
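
The two injection behaviours above (Nt* API injection into wermgr.exe, and hollowing of svchost.exe) can be hunted in Sysmon remote-thread and process-access telemetry. The following is an added example written for this page, not code from TrickBot or the cited reports. It assumes Sysmon Event ID 8 (CreateRemoteThread: SourceImage, TargetImage, StartModule) and Event ID 10 (ProcessAccess: SourceImage, TargetImage, GrantedAccess) field names; the events, the `payload.exe` path and the source allowlist are constructed placeholders to be tuned per environment.

```python
"""Hunt for code injection into the processes this page names as TrickBot
hosts (wermgr.exe, svchost.exe) using Sysmon Event ID 8 and 10 records.

Added example, not code from TrickBot or the cited reports. Events, paths
and the allowlist below are constructed; tune them to your environment."""

INJECTION_TARGETS = {"wermgr.exe", "svchost.exe"}
# Illustrative allowlist (assumption) of processes that legitimately open or
# create threads in other processes; replace with what your EDR/AV really does.
ALLOWED_SOURCES = {"csrss.exe", "msmpeng.exe"}
# Access masks Sysmon commonly shows for full process access requests, the
# rights needed to write code into a process and start it there.
FULL_ACCESS_MASKS = {0x1FFFFF, 0x1F0FFF}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "TargetImage": r"C:\Windows\System32\wermgr.exe", "StartModule": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartModule": ""},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one event, or None if it is not of interest."""
    source = image_name(event["SourceImage"])
    target = image_name(event["TargetImage"])
    if target not in INJECTION_TARGETS or source in ALLOWED_SOURCES:
        return None
    score, reasons = 0, []
    if event["EventID"] == 8:
        score += 60
        reasons.append(f"remote thread created in {target} by {source}")
        if not event.get("StartModule"):
            # An empty StartModule means the thread starts in memory that no
            # loaded module backs: typical of injected or hollowed code.
            score += 30
            reasons.append("thread start address is not backed by a loaded module")
    elif event["EventID"] == 10:
        access = int(event["GrantedAccess"], 16)
        if access not in FULL_ACCESS_MASKS:
            return None
        score += 40
        reasons.append(f"{source} opened {target} with full access 0x{access:X}")
    else:
        return None
    src_lower = event["SourceImage"].lower()
    if "\\temp\\" in src_lower or "\\appdata\\" in src_lower:
        score += 10
        reasons.append("source image runs from a user-writable location")
    return score, reasons


def hunt(events, threshold=50):
    """Return alerts for events whose score reaches the threshold."""
    alerts = []
    for event in events:
        result = score_event(event)
        if result and result[0] >= threshold:
            alerts.append({"event_id": event["EventID"], "score": result[0],
                           "reasons": result[1],
                           "source": image_name(event["SourceImage"]),
                           "target": image_name(event["TargetImage"])})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["score"], alert["source"], "->", alert["target"], alert["reasons"])
```

Scoring rather than hard matching keeps a lone full-access open of svchost.exe at the threshold, where an analyst can raise or lower it, while a remote thread into wermgr.exe from an unbacked start address clears it comfortably; the target set is deliberately limited to the two hosts this page documents and should be widened with whatever your own telemetry shows.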

Enterprise T1090 .002 Proxy: External Proxy

TrickBot has been known to reach a command and control server via one of nine proxy IP addresses.[15][11]

Enterprise T1219 Remote Access Software

TrickBot uses vncDll module to remote control the victim machine.[9][10]

Enterprise T1021 .005 Remote Services: VNC

TrickBot has used a VNC module to monitor the victim and collect information in order to pivot to valuable systems on the network.[18][11]

Enterprise T1018 Remote System Discovery

TrickBot can enumerate computers and network devices.[8]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TrickBot creates a scheduled task on the system that provides persistence.[1][5][6]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TrickBot has come with a signed downloader component.[8]

Enterprise T1082 System Information Discovery

TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.[1][2][8][16]

Enterprise T1016 System Network Configuration Discovery

TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.[1][7][8]

Enterprise T1033 System Owner/User Discovery

TrickBot can identify the user and groups the user belongs to on a compromised host.[8]

Enterprise T1007 System Service Discovery

TrickBot collects a list of installed programs and services on the victim’s machine.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TrickBot can obtain passwords stored in files from several applications such as Outlook, FileZilla, OpenSSH, OpenVPN and WinSCP.[7][8] Additionally, it searches for files ending in ".vnc.lnk" to steal VNC credentials.[12]

.002 Unsecured Credentials: Credentials in Registry

TrickBot has retrieved PuTTY credentials by querying the HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions registry key.[12]

Enterprise T1204 .002 User Execution: Malicious File

TrickBot has attempted to get users to launch malicious documents to deliver its payload.[12][8]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

TrickBot has used printf and file I/O loops to delay process execution as part of API hammering.[13]

Groups That Use This Software

References

  1. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  2. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  3. Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018.
  4. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  5. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  6. Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
  7. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  8. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  9. Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.
  10. Tudorica, R., Maximciuc, A., Vatamanu, C. (2020, March 18). New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong. Retrieved March 15, 2021.
  11. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  12. Llimos, N., Pascual, C. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
  13. Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.
  14. Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.
  15. Liviu Arsene, Radu Tudorica. (2020, November 23). TrickBot is Dead. Long Live TrickBot!. Retrieved September 28, 2021.
  16. Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021.
  17. Cybereason Nocturnus. (n.d.). Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk. Retrieved November 28, 2023.
  18. Ionut Illascu. (2021, July 14). Trickbot updates its VNC module for high-value targets. Retrieved September 10, 2021.
  19. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  20. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  21. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  22. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  23. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  24. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  25. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.