TrickBot is a Trojan spyware program that has mainly been used to target banking sites in the United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is developed in the C++ programming language. [1] [2] [3]

ID: S0266
Associated Software: Totbrick, TSPY_TRICKLOAD
Platforms: Windows
Contributors: Omkar Gudhate, FS-ISAC
Version: 1.1

Associated Software Descriptions

Name | Description
Totbrick | [5] [6]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | TrickBot collects the users of the system. [1] [4]
Enterprise | T1043 | Commonly Used Port | TrickBot uses port 443 for C2 communications. [1] [5]
Enterprise | T1503 | Credentials from Web Browsers | TrickBot can obtain passwords stored in files by web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge. [4]
Enterprise | T1081 | Credentials in Files | TrickBot can obtain passwords stored in files by several applications such as Outlook, FileZilla, and WinSCP. Additionally, it searches for files with the ".vnc.lnk" suffix to steal VNC credentials. [4] [7]
Enterprise | T1214 | Credentials in Registry | TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key. [7]
Enterprise | T1024 | Custom Cryptographic Protocol | TrickBot uses a custom crypter leveraging Microsoft's CryptoAPI to encrypt C2 traffic. [2]
Enterprise | T1005 | Data from Local System | TrickBot collects local files and information from the victim's local machine. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | TrickBot decodes its configuration data and modules. [2]
Enterprise | T1089 | Disabling Security Tools | TrickBot can disable Windows Defender. [4]
Enterprise | T1482 | Domain Trust Discovery | TrickBot can gather information about domain trusts by utilizing Nltest. [8]
Enterprise | T1114 | Email Collection | TrickBot collects email addresses from Outlook. [4]
Enterprise | T1106 | Execution through API | TrickBot uses the Windows API call CreateProcessW() to manage execution flow. [1]
Enterprise | T1083 | File and Directory Discovery | TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information. [1] [4]
Enterprise | T1179 | Hooking | TrickBot has the ability to capture RDP credentials by hooking the CredEnumerateA API. [7]
Enterprise | T1185 | Man in the Browser | TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page. [2] [3] [6] [4]
Enterprise | T1112 | Modify Registry | TrickBot can modify registry entries. [4]
Enterprise | T1027 | Obfuscated Files or Information | TrickBot uses non-descriptive names to hide functionality and uses AES-256 in CBC mode to encrypt its loader and configuration files. [1]
Enterprise | T1055 | Process Injection | TrickBot injects into the svchost.exe process. [1] [5] [6]
Enterprise | T1060 | Registry Run Keys / Startup Folder | TrickBot establishes persistence in the Startup folder. [4]
Enterprise | T1105 | Remote File Copy | TrickBot downloads several additional files and saves them to the victim's machine. [5]
Enterprise | T1053 | Scheduled Task | TrickBot creates a scheduled task on the system that provides persistence. [1] [5] [6]
Enterprise | T1064 | Scripting | TrickBot has used macros in Excel documents to download and deploy the malware on the user's machine. [7]
Enterprise | T1045 | Software Packing | TrickBot leverages a custom packer to obfuscate its functionality. [1]
Enterprise | T1193 | Spearphishing Attachment | TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware. [7]
Enterprise | T1071 | Standard Application Layer Protocol | TrickBot uses HTTPS to communicate with its C2 servers to fetch malware updates, the modules that perform most of the malware logic, and various configuration files. [1]
Enterprise | T1082 | System Information Discovery | TrickBot gathers the OS version, CPU type, and amount of available RAM from the victim's machine. [1] [2]
Enterprise | T1016 | System Network Configuration Discovery | TrickBot obtains the IP address and other relevant network information from the victim's machine. [1] [4]
Enterprise | T1007 | System Service Discovery | TrickBot collects a list of installed programs and services on the victim's machine. [1]
Enterprise | T1065 | Uncommonly Used Port | TrickBot uses ports 447 and 8082 for C2 communications. [1] [2] [5]
Enterprise | T1204 | User Execution | TrickBot has attempted to get users to launch a malicious Excel attachment to deliver its payload. [7]
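As an added defensive illustration (not part of the ATT&CK entry or any of the cited reports), the script below turns several behaviours from the table above (T1482 Nltest trust enumeration, T1214 PuTTY session key queries, T1065 C2 on ports 447/8082 from an injected svchost.exe, and T1053 scheduled-task persistence) into simple detection rules and runs them over constructed endpoint telemetry lines. The telemetry format, file paths, and addresses are assumptions made for the example.

```python
import re

# Constructed, simplified telemetry in a hypothetical "<type> key=value ..." format.
# Paths and addresses are invented; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    'process image=C:\\Windows\\System32\\nltest.exe cmdline="nltest /domain_trusts /all_trusts"',
    'registry process=C:\\Users\\u\\AppData\\Roaming\\winapp\\x.exe key=HKCU\\Software\\SimonTatham\\Putty\\Sessions op=query',
    'network process=C:\\Windows\\System32\\svchost.exe dst=203.0.113.10 dport=447 proto=tcp',
    'network process=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=203.0.113.20 dport=443 proto=tcp',
    'process image=C:\\Windows\\System32\\schtasks.exe cmdline="schtasks /create /tn Update /tr C:\\Users\\u\\AppData\\Roaming\\winapp\\x.exe /sc minute"',
    'file process=C:\\Windows\\explorer.exe path=C:\\Users\\u\\Documents\\notes.txt op=read',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare
C2_PORTS = {"447", "8082"}                            # from the T1065 row
PUTTY_KEY = "software\\simontatham\\putty\\sessions"  # from the T1214 row

def parse_event(line):
    """Split one telemetry line into a dict; the leading word is the event type."""
    event_type, _, rest = line.partition(" ")
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(rest)}
    fields["type"] = event_type
    return fields

def match_rules(ev):
    """Return (technique_id, reason) pairs for behaviours listed on this page."""
    hits = []
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "").lower()
        if "nltest" in cmd and "domain_trusts" in cmd:
            hits.append(("T1482", "domain trust enumeration via nltest"))
        # A scheduled task launching a binary from a user-writable profile directory
        if "schtasks" in cmd and "/create" in cmd and "\\appdata\\" in cmd:
            hits.append(("T1053", "scheduled task running from AppData"))
    elif ev["type"] == "registry":
        if PUTTY_KEY in ev.get("key", "").lower():
            hits.append(("T1214", "PuTTY saved-session key queried"))
    elif ev["type"] == "network":
        if ev.get("dport") in C2_PORTS:
            hits.append(("T1065", "outbound connection to port " + ev["dport"]))
            # svchost.exe talking to an uncommon port fits the injection behaviour (T1055)
            if ev.get("process", "").lower().endswith("\\svchost.exe"):
                hits.append(("T1055", "svchost.exe originating the connection"))
    return hits

def scan(lines):
    """Run every rule over every line; each finding carries the originating process."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        origin = ev.get("process") or ev.get("image")
        findings.extend((tid, reason, origin) for tid, reason in match_rules(ev))
    return findings

if __name__ == "__main__":
    for tid, reason, origin in scan(SAMPLE_EVENTS):
        print(f"{tid}: {reason} ({origin})")
```

The benign Firefox connection on 443 and the ordinary file read produce no findings, which is the point of keying on the uncommon ports and specific artefacts rather than on HTTPS traffic alone.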

Groups That Use This Software

ID | Name | References
G0092 | TA505 | [9]