TrickBot

TrickBot is a Trojan spyware program that has mainly been used for targeting banking sites in Australia. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is developed in the C++ programming language. [1] [2] [3]

ID: S0266
Aliases: TrickBot, Totbrick, TSPY_TRICKLOAD
Type: MALWARE
Contributors: FS-ISAC

Platforms: Windows

Version: 1.0

Alias Descriptions

Name | Description
TrickBot | [1] [4]
Totbrick | [4] [5]
TSPY_TRICKLOAD | [4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | TrickBot collects the users of the system. [1]
Enterprise | T1043 | Commonly Used Port | TrickBot uses port 443 for C2 communications. [1] [4]
Enterprise | T1024 | Custom Cryptographic Protocol | TrickBot uses a custom crypter leveraging Microsoft's CryptoAPI to encrypt C2 traffic. [2]
Enterprise | T1005 | Data from Local System | TrickBot collects local files and information from the victim's local machine. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | TrickBot decodes its configuration data and modules. [2]
Enterprise | T1106 | Execution through API | TrickBot uses the Windows API call CreateProcessW() to manage execution flow. [1]
Enterprise | T1083 | File and Directory Discovery | TrickBot searches the system for files with the following extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. [1]
Enterprise | T1185 | Man in the Browser | TrickBot uses web injects and browser redirection to trick the user into entering login credentials on a fake or modified web page. [2] [3] [5]
Enterprise | T1027 | Obfuscated Files or Information | TrickBot uses non-descriptive names to hide functionality and encrypts its loader and configuration files with AES-256 in CBC mode. [1]
Enterprise | T1055 | Process Injection | TrickBot injects into the svchost.exe process. [1] [4] [5]
Enterprise | T1105 | Remote File Copy | TrickBot downloads several additional files and saves them to the victim's machine. [4]
Enterprise | T1053 | Scheduled Task | TrickBot creates a scheduled task on the system for persistence. [1] [4] [5]
Enterprise | T1045 | Software Packing | TrickBot uses a custom packer to obfuscate its functionality. [1]
Enterprise | T1071 | Standard Application Layer Protocol | TrickBot uses HTTPS to communicate with its C2 servers, to fetch malware updates, the modules that perform most of the malware logic, and various configuration files. [1]
Enterprise | T1082 | System Information Discovery | TrickBot gathers the OS version, CPU type, and amount of available RAM from the victim's machine. [1] [2]
Enterprise | T1016 | System Network Configuration Discovery | TrickBot obtains the IP address of the victim's machine. [1]
Enterprise | T1007 | System Service Discovery | TrickBot collects a list of installed programs and services on the victim's machine. [1]
Enterprise | T1065 | Uncommonly Used Port | TrickBot uses ports 447 and 8082 for C2 communications. [1] [2] [4]
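The port rows above (T1043 and T1065) are the most directly huntable entries in the table. The following is an added detection example written for this page, not ATT&CK or TrickBot code: it runs over a handful of constructed conn.log-style records (Zeek field order is assumed, adjust it to your sensor), flags outbound TCP connections to the uncommon ports 447 and 8082, and then checks whether the same external host was also contacted on 443, since a destination seen on the full port set described above is a stronger candidate than either signal alone.

```python
"""Flag outbound connections to the C2 ports attributed to TrickBot.

Added example for this page, not ATT&CK or TrickBot code. The sample rows
are constructed to look like Zeek conn.log records (tab separated); the
field order below is an assumption, adjust it to the sensor you run.
"""
import ipaddress

# Ports from the technique table: 447 and 8082 are the uncommon ones (T1065),
# 443 is the commonly used one (T1043) and is noise on its own.
UNCOMMON_C2_PORTS = {447, 8082}
COMMON_C2_PORTS = {443}

# Only RFC 1918 space counts as "inside". ipaddress.is_private would also
# treat the TEST-NET documentation ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, not real telemetry:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
SAMPLE_CONN_LOG = """\
1538000000.1\tCa1\t10.0.0.12\t50112\t203.0.113.8\t443\ttcp\tssl
1538000001.2\tCa2\t10.0.0.12\t50113\t203.0.113.8\t447\ttcp\t-
1538000002.3\tCa3\t10.0.0.25\t50987\t198.51.100.4\t8082\ttcp\t-
1538000003.4\tCa4\t10.0.0.12\t50114\t192.0.2.10\t80\ttcp\thttp
1538000004.5\tCa5\t10.0.0.25\t50988\t198.51.100.4\t443\ttcp\tssl
1538000005.6\tCa6\t10.0.0.30\t50990\t10.0.0.5\t8082\ttcp\t-
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn(line: str):
    """Return a dict for one conn.log row, or None for malformed rows."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 8:
        return None
    try:
        return {"uid": f[1], "src": f[2], "dst": f[4],
                "dport": int(f[5]), "proto": f[6], "service": f[7]}
    except ValueError:
        return None


def outbound_tcp(log_text: str):
    """Yield parsed rows for internal -> external TCP connections only."""
    for line in log_text.splitlines():
        rec = parse_conn(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            yield rec


def detect_uncommon_c2_ports(log_text: str):
    """T1065: outbound connections to 447 or 8082, as (uid, src, dst, dport)."""
    return [(r["uid"], r["src"], r["dst"], r["dport"])
            for r in outbound_tcp(log_text)
            if r["dport"] in UNCOMMON_C2_PORTS]


def suspected_c2_servers(log_text: str):
    """Map each external host hit on an uncommon port to every TrickBot C2
    port it was contacted on. A host seen on 447/8082 and on 443 matches the
    full port set from the table and deserves a closer look."""
    ports = {}
    for r in outbound_tcp(log_text):
        if r["dport"] in UNCOMMON_C2_PORTS | COMMON_C2_PORTS:
            ports.setdefault(r["dst"], set()).add(r["dport"])
    return {dst: sorted(p) for dst, p in ports.items()
            if p & UNCOMMON_C2_PORTS}


if __name__ == "__main__":
    for hit in detect_uncommon_c2_ports(SAMPLE_CONN_LOG):
        print("uncommon C2 port:", hit)
    print("suspected C2 servers:", suspected_c2_servers(SAMPLE_CONN_LOG))
```

The internal-to-internal row on port 8082 is deliberately dropped: the page describes these ports for C2, which is outbound traffic, and internal services on 8082 are a common source of false positives. Port 443 traffic is only reported when the same destination was also reached on 447 or 8082.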

References