BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
21
Global rank
74 infographic chevron month
Month rank
63 infographic chevron week
Week rank
2932
IOCs

TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Trojan
Type
Unknown
Origin
1 September, 2016
First seen
12 July, 2024
Last seen
Also known as
TrickLoader

How to analyze Trickbot with ANY.RUN

Type
Unknown
Origin
1 September, 2016
First seen
12 July, 2024
Last seen

IOCs

IP addresses
62.108.35.215
62.108.35.204
116.206.62.138
80.210.26.17
45.115.174.60
45.115.174.234
96.9.69.207
196.44.109.73
103.111.83.86
45.116.68.109
114.7.243.26
175.184.232.234
96.9.74.169
27.109.116.144
103.11.218.199
190.183.60.164
186.96.153.223
64.64.150.203
110.38.58.198
36.95.73.109
Hashes
294279f9b222dfb98f10d814717ac2f3bf9f683290723f272c4cff984e79a7a3
dd56b482a9ece74d8e4ccf435497bce4d7c2fdb603c3da400e543f32c20ef419
4ab95ccd1d19845b168ea3d27fe77ac0c8043494fa8669b1b76d8cea06092aac
7e29d464e336d904d8aee54edf8b499c4095c3659a8b202218903f071239d983
7985c469c8c0d0db2d09e1a378e3c9c85e19f12bb7a3daf194602fbde9fc6ec0
571e071e1cf7151cabda294c7a41c72b541b7e17231a18ce815eed8e1b4dbaab
6c80adee2b1721ee34149059bc3e400aa5d38ed2938b4658b9e8d15295c009b9
cbf1bb0acfa0adf0cc63952e220e52c5215c74f84ec49c3fa00b476ba04dc59e
8555403fc0f8d6ea93f0b37ff99064d93bbda9de0aacca24ca55afb4b3e71d75
8b3b12ca85270a8b6efdc300956053bb6c6628edeb9d244407ecebb86d43d7dc
882bf775f6b0c10041f33d7c6b899e115b53c3ee36abc28771bb99563281b7ad
d189aa2cdf77880855c9bd8886864d5a39992480005683272f5cd1329322adce
8082d688be1c9916b895ed641892d68403f0dbda86fd92d7ca4db0200a129677
4ccb38086e6649dfccd49d8b82a5ef9cd42137d7e009112642397d111ecf7710
8f129e5bc46ab520bc4e9eff2b79c9948a4c2dc48a84eacbb9d506c939eebce5
668e396d806dbe9d83a1a664ac45d97c15ff994ee116691db9167de4b54e3d1a
5e02a568288390032621c6157be372199749fe33e65a0a77c4b45b2a1dbceb08
20b8d590665e6aa2905d8f71603548ecdceb39b2a7209788cffe02a2782cd1c4
64853cc4e5c2279577d02987f15d5bac378faee74f8b0bb7e61e1163e86833a1
917788f1d9fd2664f18414faec3244a17c7d7ec29296b14b22cf19be90c95df4
Domains
sported.xyz
fetitech.live
call2.xyz
netsecuressl.com
safenetssl.com
ballpro.xyz
nirvanaeyehospital.com
microsotf.club
archive.saturn.mn
info.businesssec.me
altxcode.com
wex-notdead.ru
fate3.xyz
sslnetsecurity.com
bomovie.net
mnjcszrh.monster
norulless.com
sklep.omax.pl
load3rd.casa
util98.com
Last Seen at

Recent blog posts

post image
What Are the 3 Types of Threat Intelligence D...
watchers 149
comments 0
post image
Expert Q&A: Aaron Fillmore on his Cyberse...
watchers 161
comments 0
post image
Malware Trends Report: Q2, 2024 
watchers 1630
comments 0

What is TrickBot malware?

TrickBot, AKA TrickLoader, is a banking trojan – a malware designed to steal banking credentials. It is aimed at corporate and private victims and utilizes techniques such as redirection attacks. It manipulates what the victim sees in the browser and redirects to a bank cabinet webpage forged by the hackers.

Reportedly, TrickBot tries to follow ransomware and has already stolen millions of dollars from banks in the United States of America, England, Australia, New Zealand, Canada, and Germany.

General description of TrickBot malware

The first versions of this trojan used to target mostly corporate bank accounts, the same as ransomware, aiming at a specific regional banking platform used by American banks.

The malicious software is thought to be created by the same team of criminals known for developing another dangerous trojan – Dyre, which has been active until 2015 and reportedly successfully stolen millions of dollars for the Ryanair airline. Dyre rapidly stopped operating in 2015 after Russian authorities seized a group of hackers. However, this connection has never been proven definitively.

It’s speculated that some hackers from the group managed to avoid Russian authorities and came together to create Dyre's successor – TrickBot. This version is supported by the fact that TrickBot’s source code appears to be a rewrite of Dyre, albeit upgraded and refined utilizing C++ instead of Dyre, which mostly utilized C.

Through its lifespan, TrickBot malware developers have upgraded the functionality of the virus multiple times, creating new versions, adding new features and improving the banking trojan, and changing target banks, making their attacks highly unpredictable. Among other updates, TrickBot received support for the EternalBlue exploit, thus allowing it to spread over corporate networks. By August 2016, the malware gained email and browser history theft functionality. In September 2016, the virus learned to steal cryptocurrency by interjecting the normal payment process and stealing the coins when the user fills in personal and payment information on a payment gateway, grabbing the valuable tokens and redirecting them to a wallet that belongs to the hackers.

Trickbot malware analysis

The video was created by ANY.RUN malware hunting service allows us to see the incident as it unfolds.

process graph of trickbot analysis Figure 1: TrickBot’s lifecycle diagram created in ANY.RUN

ANY.RUN is an interactive malware sandbox that allows to watch the simulation in a safe environment and control it with direct human input when necessary. In addition to video simulation, the service provides various useful tools, such as comprehensive text reports. You can research other malicious objects there like IcedID or Emotet.

text report of trickbot banking trojan analysis Figure 2: A text report generated by ANY.RUN

The artifacts can appear in AppData\Local\Temp and AppData\Roaming directories on a contaminated machine. In addition, the malware is sometimes downloaded to the user's PC using a batch file. After achieving persistence, the malware can reportedly be found in a winapp folder located in the AppData\Roaming directory.

The virus utilizes a sophisticated method for infections which allows it to stay undetected by antivirus software. Instead of keeping configuration files locally on the user's machine, TrickBot is able to receive this data from C2 in real-time, which may complicate the removal process. Particularly, when a victim heads to one of the target web pages, TrickBot intersects the HTTP response of the website while sending the following information to C2:

  • A complete URL of the target bank website that the user navigates to
  • A whole HTTP query
  • HTML code of the webpage that the victim is trying to view

The C2 server then sends a new HTML markup that includes the malicious parts to the user, and instead of visiting a bank account, the user ends up on a forged page.

How to avoid infection by TrickBot?

Since the virus is often distributed in Microsoft Office files, it needs macros or the Microsoft Office's editing mode to be activated to enter an active phase. As long as both macros are deactivated, and the editing mode is switched off, the virus will pose no danger to a PC.

Distribution of TrickBot

TrickBot trojan is distributed with malspam and phishing campaigns but unlike ransomware, it is powered by the Necurs botnet, which has become extremely popular among attackers who utilize the malware-as-a-service business model.

Attackers will usually try to threaten and scare the victim to make the victim read the email and download any attached files. Finally, the trojan itself manages to get on a victim's machine through an Excel document that contains a macro programmed to download and start the execution of the banking trojan. However, in some of the more recent campaigns, HTML attachments have been included in the emails. Programmed to download Microsoft Office documents, the use of HTML attachments helps to avoid detection by antivirus software but their functionality becomes apparent after subjecting them to a thorough analysis in a sandbox. What’s more, In the very last distribution campaigns, the attackers have started utilizing eFax ploys, tricking victims into clicking on VBS extensions that contain the virus.

TrickBot execution process

The given malware sample analysis of the executable file was performed using the ANY.RUN malware hunting service.

After the file was run, it immediately launched the command prompt with commands to stop and delete Windows Defender and turn off Windows Defender Real-time Protection using PowerShell.

process tree of trickbot execution

The analysis shows that the malware then utilized CMSTP.exe to bypass user account control and execute the same commands through an auto-elevated COM interface.

After performing the initial steps, the malware added itself to Task Scheduler, thus ensuring that it will be executed later. After a while, Task Scheduler ran the malicious code, which started the contaminated svchost.exe processes. The svchost.exe process then started the malicious activity, launching itself and stealing credential data. This information on the execution flow of TrickBot is crucial for a successful removal of the malware from compromised systems.

process tree of trickbot execution

How to detect Trickbot using ANY.RUN?

This malware creates files that allow analysts to say for sure that this is Trickbot. Open the "Files" tab in the lower part of the task's window and take a look at the created files. Filenames vary according to the bitness of the operating system. You can be sure this is Trickbot if you find these files and folder: systeminfo32 or systeminfo64, injectDll32 or injectDll64 and folder injectDll32_config or injectDll64_config. This can help you start the removal process.

files created by trickbot Figure 3: Files created by Trickbot

Conclusion

Clever attack techniques utilized by TrickBot creators make this banking trojan extremely dangerous both to corporate and personal victims, similar to ransomware behavior. Once infected, a general person is extremely unlikely to find out about the trojan and identify that the bank account the user is visiting is, in fact, a forged one.

Thankfully, modern malware analysis services like ANY.RUN allows professionals to study the threat and deploy appropriate security measures.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy