TrickBot

TrickBot is a Trojan spyware program that has mainly been used to target banking sites in the United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is developed in the C++ programming language. [1] [2] [3]

ID: S0266
Associated Software: Totbrick, TSPY_TRICKLOAD
Type: MALWARE
Platforms: Windows
Contributors: Cybereason Nocturnus, @nocturnus; Omkar Gudhate; FS-ISAC
Version: 1.3
Created: 17 October 2018
Last Modified: 17 October 2020

Associated Software Descriptions

Name Description
Totbrick [4] [5]
TSPY_TRICKLOAD [4]

Techniques Used

Domain ID Name Use

Enterprise T1087.003 Account Discovery: Email Account
TrickBot collects email addresses from Outlook.[6]

Enterprise T1087.001 Account Discovery: Local Account
TrickBot enumerates the local user accounts on the system.[1][6]

Enterprise T1071.001 Application Layer Protocol: Web Protocols
TrickBot uses HTTPS to communicate with its C2 servers to retrieve malware updates, the modules that perform most of the malware logic, and various configuration files.[1][7]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell
TrickBot has used macros in Excel documents to download and deploy the malware on the user's machine.[8]

Enterprise T1543.003 Create or Modify System Process: Windows Service
TrickBot establishes persistence by creating an autostart service so that it runs whenever the machine boots.[6]

Enterprise T1555 Credentials from Password Stores
TrickBot can steal passwords from the KeePass open-source password manager.[7]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers
TrickBot can obtain passwords stored in files by web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.[6][7]

Enterprise T1132.001 Data Encoding: Standard Encoding
TrickBot can Base64-encode C2 commands.[7]

Enterprise T1005 Data from Local System
TrickBot collects local files and information from the victim's machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information
TrickBot decodes its configuration data and modules.[2][7]

Enterprise T1482 Domain Trust Discovery
TrickBot can gather information about domain trusts by using Nltest.[9][7]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography
TrickBot uses a custom crypter that leverages Microsoft's CryptoAPI to encrypt C2 traffic.[2]

Enterprise T1041 Exfiltration Over C2 Channel
TrickBot can send information about the compromised host to a hardcoded C2 server.[7]

Enterprise T1008 Fallback Channels
TrickBot can use secondary C2 servers for communication after establishing connectivity with, and relaying victim information to, its primary C2 servers.[7]

Enterprise T1083 File and Directory Discovery
TrickBot searches the system for files with the following extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[1][6]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools
TrickBot can disable Windows Defender.[6]

Enterprise T1105 Ingress Tool Transfer
TrickBot downloads several additional files and saves them to the victim's machine.[4]

Enterprise T1056.004 Input Capture: Credential API Hooking
TrickBot has the ability to capture RDP credentials by hooking the CredEnumerateA API.[8]

Enterprise T1185 Man in the Browser
TrickBot uses web injects and browser redirection to trick the user into entering their login credentials on a fake or modified web page.[2][3][5][6]

Enterprise T1036 Masquerading
The TrickBot downloader has used an icon to appear as a Microsoft Word document.[7]

Enterprise T1112 Modify Registry
TrickBot can modify registry entries.[6]

Enterprise T1106 Native API
TrickBot uses the Windows API call CreateProcessW() to manage execution flow.[1]

Enterprise T1571 Non-Standard Port
Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[1][2][4]

Enterprise T1027 Obfuscated Files or Information
TrickBot uses non-descriptive names to hide functionality and encrypts its loader and configuration files with AES-256 in CBC mode.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing
TrickBot uses a custom packer to obfuscate its functionality.[1]

Enterprise T1069 Permission Groups Discovery
TrickBot can identify the groups to which the user on a compromised host belongs.[7]

Enterprise T1566.001 Phishing: Spearphishing Attachment
TrickBot has been deployed via an email carrying an Excel sheet that contains a malicious macro.[8]

Enterprise T1566.002 Phishing: Spearphishing Link
TrickBot has been delivered via malicious links in phishing e-mails.[7]

Enterprise T1055.012 Process Injection: Process Hollowing
TrickBot injects into the svchost.exe process.[1][4][5][7]

Enterprise T1018 Remote System Discovery
TrickBot can enumerate computers and network devices.[7]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task
TrickBot creates a scheduled task on the system to provide persistence.[1][4][5]

Enterprise T1553.002 Subvert Trust Controls: Code Signing
TrickBot has come with a signed downloader component.[7]

Enterprise T1082 System Information Discovery
TrickBot gathers the OS version, machine name, CPU type, and amount of available RAM from the victim's machine.[1][2][7]

Enterprise T1016 System Network Configuration Discovery
TrickBot obtains the IP address, location, and other relevant network information from the victim's machine.[1][6][7]

Enterprise T1033 System Owner/User Discovery
TrickBot can identify the user, and the groups the user belongs to, on a compromised host.[7]

Enterprise T1007 System Service Discovery
TrickBot collects a list of installed programs and services on the victim's machine.[1]

Enterprise T1552.001 Unsecured Credentials: Credentials In Files
TrickBot can obtain passwords stored in files by several applications such as Outlook, FileZilla, OpenSSH, OpenVPN, and WinSCP.[6][7] Additionally, it searches for files with the ".vnc.lnk" suffix to steal VNC credentials.[8]

Enterprise T1552.002 Unsecured Credentials: Credentials in Registry
TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key.[8]

Enterprise T1204.002 User Execution: Malicious File
TrickBot has attempted to get users to launch malicious documents to deliver its payload.[8][7]

Groups That Use This Software

ID Name References
G0092 TA505 [10][11]
G0102 Wizard Spider [12]

References