TrickBot is a Trojan spyware program that has mainly been used for targeting banking sites in United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is developed in the C++ programming language. [1] [2] [3]

ID: S0266
Associated Software: Totbrick, TSPY_TRICKLOAD

Contributors: Omkar Gudhate; FS-ISAC

Platforms: Windows

Version: 1.1

Associated Software Descriptions

Totbrick[5] [8]

Techniques Used

EnterpriseT1087Account DiscoveryTrickBot collects the users of the system.[1][4]
EnterpriseT1043Commonly Used PortTrickBot uses port 443 for C2 communications.[1][5]
EnterpriseT1081Credentials in FilesTrickBot can obtain passwords stored in files from several applications and browsers, such as Outlook, Filezilla, WinSCP, Chrome, Firefox, Internet Explorer, and Microsoft Edge. Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.[4][6]
EnterpriseT1214Credentials in RegistryTrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key[6]
EnterpriseT1024Custom Cryptographic ProtocolTrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[2]
EnterpriseT1005Data from Local SystemTrickBot collects local files and information from the victim’s local machine.[1]
EnterpriseT1140Deobfuscate/Decode Files or InformationTrickBot decodes the configuration data and modules.[2]
EnterpriseT1089Disabling Security ToolsTrickBot can disable Windows Defender.[4]
EnterpriseT1482Domain Trust DiscoveryTrickBot can gather information about domain trusts by utilizing Nltest.[7]
EnterpriseT1114Email CollectionTrickBot collects email addresses from Outlook.[4]
EnterpriseT1106Execution through APITrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[1]
EnterpriseT1083File and Directory DiscoveryTrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[1][4]
EnterpriseT1179HookingTrickBot has the ability to capture RDP credentials by capturing the CredEnumerateA API [6]
EnterpriseT1185Man in the BrowserTrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[2][3][8][4]
EnterpriseT1112Modify RegistryTrickBot can modify registry entries.[4]
EnterpriseT1027Obfuscated Files or InformationTrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[1]
EnterpriseT1055Process InjectionTrickBot injects into the svchost.exe process.[1][5][8]
EnterpriseT1060Registry Run Keys / Startup FolderTrickBot establishes persistence in the Startup folder.[4]
EnterpriseT1105Remote File CopyTrickBot downloads several additional files and saves them to the victim's machine.[5]
EnterpriseT1053Scheduled TaskTrickBot creates a scheduled task on the system that provides persistence.[1][5][8]
EnterpriseT1064ScriptingTrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[6]
EnterpriseT1045Software PackingTrickBot leverages a custom packer to obfuscate its functionality.[1]
EnterpriseT1193Spearphishing AttachmentTrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware[6]
EnterpriseT1071Standard Application Layer ProtocolTrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.[1]
EnterpriseT1082System Information DiscoveryTrickBot gathers the OS version, CPU type, amount of RAM available from the victim’s machine.[1][2]
EnterpriseT1016System Network Configuration DiscoveryTrickBot obtains the IP address and other relevant network information from the victim’s machine.[1][4]
EnterpriseT1007System Service DiscoveryTrickBot collects a list of install programs and services on the system’s machine.[1]
EnterpriseT1065Uncommonly Used PortTrickBot uses ports 447 and 8082 for C2 communications.[1][2][5]
EnterpriseT1204User ExecutionTrickBot has attempted to get users to launch a malicious Excel attachmentto deliver its payload.[6]