TrickBot is a Trojan spyware program that has mainly been used to target banking sites in the United States, Canada, the UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is written in C++.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | TrickBot collects the users of the system. |
| Enterprise | T1043 | Commonly Used Port | TrickBot uses port 443 for C2 communications. |
| Enterprise | T1081 | Credentials in Files | TrickBot can obtain passwords stored in files by several applications, such as Outlook, FileZilla and WinSCP. It also searches for files with the ".vnc.lnk" suffix to steal VNC credentials. |
| Enterprise | T1214 | Credentials in Registry | TrickBot has retrieved PuTTY credentials by querying the |
| Enterprise | T1024 | Custom Cryptographic Protocol | TrickBot uses a custom crypter built on Microsoft's CryptoAPI to encrypt C2 traffic. |
| Enterprise | T1005 | Data from Local System | TrickBot collects local files and information from the victim's machine. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | TrickBot decodes its configuration data and modules. |
| Enterprise | T1089 | Disabling Security Tools | TrickBot can disable Windows Defender. |
| Enterprise | T1482 | Domain Trust Discovery | TrickBot can gather information about domain trusts using the nltest utility. |
| Enterprise | T1114 | Email Collection | TrickBot collects email addresses from Outlook. |
| Enterprise | T1106 | Execution through API | TrickBot uses the Windows API call CreateProcessW() to manage execution flow. |
| Enterprise | T1083 | File and Directory Discovery | TrickBot searches the system for files with the following extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information. |
| Enterprise | | | TrickBot has the ability to capture RDP credentials by capturing the |
| Enterprise | T1185 | Man in the Browser | TrickBot uses web injects and browser redirection to trick the user into entering their login credentials on a fake or modified web page. |
| Enterprise | T1112 | Modify Registry | TrickBot can modify registry entries. |
| Enterprise | T1027 | Obfuscated Files or Information | TrickBot uses non-descriptive names to hide functionality and encrypts its loader and configuration files with AES-256 in CBC mode. |
| Enterprise | T1055 | Process Injection | TrickBot injects into the svchost.exe process. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | TrickBot establishes persistence in the Startup folder. |
| Enterprise | T1105 | Remote File Copy | TrickBot downloads several additional files and saves them to the victim's machine. |
| Enterprise | T1053 | Scheduled Task | TrickBot creates a scheduled task on the system for persistence. |
| Enterprise | T1064 | Scripting | TrickBot has used macros in Excel documents to download and deploy the malware on the user's machine. |
| Enterprise | T1045 | Software Packing | TrickBot uses a custom packer to obfuscate its functionality. |
| Enterprise | T1193 | Spearphishing Attachment | TrickBot has been delivered by email with an attached Excel sheet containing a malicious macro. |
| Enterprise | T1071 | Standard Application Layer Protocol | TrickBot uses HTTPS to communicate with its C2 servers and to retrieve malware updates, the modules that implement most of the malware's logic, and various configuration files. |
| Enterprise | T1082 | System Information Discovery | TrickBot gathers the OS version, CPU type, and amount of available RAM from the victim's machine. |
| Enterprise | T1016 | System Network Configuration Discovery | TrickBot obtains the IP address and other relevant network information from the victim's machine. |
| Enterprise | T1007 | System Service Discovery | TrickBot collects a list of installed programs and services on the victim's machine. |
| Enterprise | T1065 | Uncommonly Used Port | TrickBot uses ports 447 and 8082 for C2 communications. |
| Enterprise | T1204 | User Execution | TrickBot has attempted to get users to open a malicious Excel attachment to deliver its payload. |
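Several rows in the table (nltest trust enumeration, scheduled-task creation, svchost.exe injection, C2 on ports 447 and 8082) translate directly into host and network detections. The script below is an added example, not code from MITRE ATT&CK, Sysmon or any TrickBot sample: it runs a few such rules over constructed Sysmon-style event lines (the loader path, task name and IP addresses are hypothetical) and tags each hit with the technique ID from the table. Port 443 is deliberately not alerted on, since on its own it is far too common to be an indicator.

```python
"""Toy detections for several TrickBot behaviours listed in the table above.

Example code added to this page; it is not MITRE ATT&CK, Sysmon, or TrickBot
code. The events below are constructed, not captured telemetry, in a
simplified key=value form modelled on Sysmon EventID 1 (process create),
3 (network connect) and 8 (CreateRemoteThread). The loader path, task name
and IP addresses are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Iterable

SAMPLE_EVENTS = [
    r'id=1 image=C:\Windows\System32\nltest.exe cmdline="nltest /domain_trusts /all_trusts" parent=C:\Users\alice\AppData\Roaming\loader.exe',
    r'id=1 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /tn svc_update /tr C:\Users\alice\AppData\Roaming\loader.exe /sc minute" parent=C:\Users\alice\AppData\Roaming\loader.exe',
    r'id=3 image=C:\Windows\System32\svchost.exe dst=203.0.113.10 dport=447',
    r'id=3 image=C:\Windows\System32\svchost.exe dst=203.0.113.10 dport=8082',
    r'id=3 image="C:\Program Files\Mozilla Firefox\firefox.exe" dst=203.0.113.20 dport=443',
    r'id=8 source=C:\Users\alice\AppData\Roaming\loader.exe target=C:\Windows\System32\svchost.exe',
    r'id=8 source=C:\Windows\System32\csrss.exe target=C:\Windows\System32\svchost.exe',
    r'id=1 image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs" parent=C:\Windows\System32\services.exe',
]

# Ports from the T1065 row. Port 443 (T1043) is deliberately excluded: on its
# own it is far too common to alert on.
UNCOMMON_C2_PORTS = {"447", "8082"}

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


@dataclass(frozen=True)
class Finding:
    technique: str    # ATT&CK technique ID from the table above
    event_index: int  # position of the triggering line in the input
    reason: str


def detect(lines: Iterable[str]) -> list[Finding]:
    """Run the rules over event lines and return one Finding per hit."""
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        kind = ev.get("id")
        if kind == "1":  # process creation
            image = _basename(ev.get("image", ""))
            cmdline = ev.get("cmdline", "").lower()
            parent = ev.get("parent", "")
            if image == "nltest.exe" and "/domain_trusts" in cmdline:
                findings.append(Finding("T1482", i, "nltest domain trust enumeration"))
            # Heuristic: scheduled-task creation by a parent outside C:\Windows.
            if image == "schtasks.exe" and "/create" in cmdline and not _in_windows_dir(parent):
                findings.append(Finding("T1053", i, "schtasks /create from non-system parent"))
        elif kind == "3":  # outbound connection
            if ev.get("dport") in UNCOMMON_C2_PORTS:
                findings.append(Finding("T1065", i, f"outbound connection to port {ev['dport']}"))
        elif kind == "8":  # CreateRemoteThread
            if _basename(ev.get("target", "")) == "svchost.exe" and not _in_windows_dir(ev.get("source", "")):
                findings.append(Finding("T1055", i, "remote thread into svchost.exe from non-system source"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique} event#{f.event_index}: {f.reason}")
```

On the constructed input the script flags events 0, 1, 2, 3 and 5 and stays quiet on the Firefox connection to 443, the csrss.exe thread into svchost.exe and the ordinary svchost.exe launch. The "parent outside C:\Windows" condition is a heuristic that assumes the loader runs from a user-writable directory; a real rule set would add the Startup-folder and Run-key persistence from the table and carry the parent and source paths into the alert.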
Groups that use this software: TA505
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
- Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018.
- Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
- Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
- Llimos, N., Pascual, C. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
- Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.
- Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.