TrickBot is a Trojan spyware program that has mainly been used for targeting banking sites in the United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is developed in the C++ programming language. [1] [2] [3]

ID: S0266
Associated Software: Totbrick, TSPY_TRICKLOAD
Platforms: Windows
Contributors: Omkar Gudhate; FS-ISAC
Version: 1.2
Created: 17 October 2018
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description
Totbrick [6] [5]

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

TrickBot collects email addresses from Outlook.[4]

.001 Account Discovery: Local Account

TrickBot collects the users of the system.[1][4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TrickBot establishes persistence in the Startup folder.[4]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[7]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge.[4]

Enterprise T1005 Data from Local System

TrickBot collects local files and information from the victim’s local machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

TrickBot decodes the configuration data and modules.[2]

Enterprise T1482 Domain Trust Discovery

TrickBot can gather information about domain trusts by utilizing Nltest.[8]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[2]

Enterprise T1083 File and Directory Discovery

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[1][4]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TrickBot can disable Windows Defender.[4]

Enterprise T1105 Ingress Tool Transfer

TrickBot downloads several additional files and saves them to the victim's machine.[6]

Enterprise T1056 .004 Input Capture: Credential API Hooking

TrickBot has the ability to capture RDP credentials by capturing the CredEnumerateA API.[7]

Enterprise T1185 Man in the Browser

TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[2][3][5][4]

Enterprise T1112 Modify Registry

TrickBot can modify registry entries.[4]

Enterprise T1106 Native API

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[1]

Enterprise T1571 Non-Standard Port

Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[1][2][6]

Enterprise T1027 Obfuscated Files or Information

TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[1]

.002 Obfuscated Files or Information: Software Packing

TrickBot leverages a custom packer to obfuscate its functionality.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.[7]

Enterprise T1055 .012 Process Injection: Process Hollowing

TrickBot injects into the svchost.exe process.[1][6][5]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TrickBot creates a scheduled task on the system that provides persistence.[1][6][5]

Enterprise T1082 System Information Discovery

TrickBot gathers the OS version, CPU type, and amount of RAM available from the victim’s machine.[1][2]

Enterprise T1016 System Network Configuration Discovery

TrickBot obtains the IP address and other relevant network information from the victim’s machine.[1][4]

Enterprise T1007 System Service Discovery

TrickBot collects a list of installed programs and services on the system.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, and WinSCP.[4] Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.[7]

.002 Unsecured Credentials: Credentials in Registry

TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key.[7]

Enterprise T1204 .002 User Execution: Malicious File

TrickBot has attempted to get users to launch a malicious Excel attachment to deliver its payload.[7]

Groups That Use This Software

ID Name References
G0092 TA505


G0102 Wizard Spider