Trickbot

  trickbot trojan stealer

TrickBot is an advanced banking Trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Type
Trojan
Origin
Unknown
First seen
1 September, 2016
Last seen
10 July, 2020
Also known as
TrickLoader
Global rank
12
Week rank
17
Month rank
23
IOCs
2482
Last Seen at
10 July, 2020
Malicious activity
MIwRIyM.exe
trojan
trickbot
loader
10 July, 2020
Malicious activity
sppcommpatch.dll
evasion
trojan
trickbot
loader
stealer
7 July, 2020
Malicious activity
mssert.7z
evasion
trickbot
trojan
loader
stealer
7 July, 2020
Malicious activity
mssert.7z
evasion
trickbot
trojan
loader
7 July, 2020
Malicious activity
nomnom.exe
trojan
trickbot
loader
evasion
stealer
6 July, 2020
Malicious activity
sample-1174106-63d9009581854df2bc8f97c4bb139222.zip
trojan
trickbot
loader
evasion
30 June, 2020
Malicious activity
ONOSDEKI.exe
trickbot
30 June, 2020
Malicious activity
startr.ack
trickbot
29 June, 2020
Malicious activity
UOD_1004.xls
macros
macros40
loader
evasion
trojan
trickbot
stealer
28 June, 2020
Malicious activity
CAL4.dll
trickbot
TRACK THEM ALL AT
Public Submissions

What is TrickBot malware?

TrickBot, AKA TrickLoader, is a banking Trojan – a malware designed to steal banking credentials. It is aimed at corporate and private victims and utilizes techniques such as redirection attacks. It manipulates what the victim sees in the browser and redirects to a bank cabinet webpage, forged by the hackers.

Reportedly, TrickBot has already stolen millions of dollars from banks in the United States of America, England, Australia, New Zealand, Canada, and Germany.

General description of TrickBot

The first versions of this Trojan trojan used to target mostly corporate bank accounts, in particular, aiming at a specific regional banking platform used by American banks.

The malware is thought to be created by the same team of criminals known for developing another dangerous trojan – Dyre which has been active until 2015 and reportedly successfully stolen millions of dollars for the Ryanair airline among others. Dyre rapidly stopped operating in 2015 after Russian authorities seized a group of hackers, however, this connection has never been proven definitively.

It’s speculated that some hackers from the group managed to avoid Russian authorities and came together to create Dyre's successor – TrickBot. This version is supported by the fact that TrickBot’s source code appears to be a rewrite of Dyre, albeit upgraded and refined utilizing C++ as opposed to Dyre which mostly utilized C.

Through its lifespan TrickBot trojan developers have upgraded functionality of the virus multiple times, not only adding new features and improving the banking Trojan but also changing target banks, making their attacks highly unpredictable. Among other updates, TrickBot received support for EternalBlue exploit, thus allowing it to spread over corporate networks. By August 2016 the malware gained email and browser history theft functionality and in September 2016 the virus learned to steal cryptocurrency, by interjecting the normal payment process and stealing the coins when the user fills in personal and payment information on a payment gateway, grabbing the valuable tokens and redirecting them to a wallet that belongs to the hackers.

Trickbot malware analysis

The video created by the ANY.RUN malware hunting service allows us to see the incident as it unfolds.

process graph of trickbot analysis Figure 1: TrickBot’s lifecycle diagram created in ANY.RUN

ANY.RUN is an interactive malware sandbox that not only allows to watch the simulation in a safe environment, but also control it with direct human input when necessary. In addition to video simulation, the service provides a variety of useful tools, such as comprehensive text reports.

text report of trickbot banking trojan analysis Figure 2: A text report generated by ANY.RUN

The artifacts can appear in AppData\Local\Temp and AppData\Roaming directories on a contaminated machine. In addition, the malware is sometimes downloaded to the user PC using a batch file. After achieving persistence the malware can reportedly be found in a winapp folder which is located in AppData\Roaming directory.

The virus utilizes a sophisticated method for infections which allows it to stay undetected by antivirus software. Instead of keeping configuration files locally on the user's machine, TrickBot is able to receive this data from C2 in real-time. Particularly, when a victim heads to one of the target web pages, TrickBot intersects the HTTP response of the website while sending the following information to C2:

  • A complete URL of the target bank website that the user navigates to
  • A whole HTTP query
  • HTML code of the webpage that the victim is trying to view

The C2 server then sends a new HTML markup that includes the malicious parts to the user and instead of visiting a bank account, the user ends up on a forged page.

How to avoid infection by TrickBot?

Since the virus is often distributed in Microsoft Office files, it needs macros or the editing mode in the Microsoft Office to be activated in order to enter an active phase. As long as both macros are deactivated and the editing mode is switched off, the virus will pose no danger to a PC.

Distribution of TrickBot

TrickBot trojan is distributed with malspam and phishing campaigns that are powered by the Necurs botnet, which has become extremely popular among attackers who utilize the malware-as-a-service business model.

Attackers will usually try to threaten and scare the victim in an effort to make the victim read the email and download any attached files. The Trojan itself manages to get on a victim's machine through an Excel document that contains a macro programmed to download and start the execution of the banking Trojan. However, In some of the more recent campaigns, HTML attachments have been included in the emails. Programmed to download Microsoft Office documents, the use of HTML attachments helps to avoid detection by antivirus software. What’s more, In the very last distribution campaigns, the attackers have started utilizing eFax ploys, tricking victims into clicking on VBS extensions that contain the virus.

TrickBot execution process

The given example is an analysis of the executable file that was performed using the ANY.RUN malware hunting service.

After the file was run it immediately launched the command prompt with commands to stop and delete Windows Defender as well as turn off Windows Defender Real-time Protection using PowerShell.

process tree of trickbot execution

The virus then utilized CMSTP.exe to bypass user account control and execute the same commands through an auto-elevated COM interface.

After performing the initial steps, the malware added itself to Task Scheduler, thus ensuring that it will be executed later. After a while Task Scheduler ran the malicious code which in turn started the contaminated svchost.exe processes. The svchost.exe process then started the malicious activity, launching itself and stealing credential data.

process tree of trickbot execution

How to detect Trickbot using ANY.RUN?

This malware creates files that allow to analysts say for sure that this is Trickbot. Open the "Files" tab in the lower part of the task's window and take a look at the created files. Filenames vary according to the bitness of the operating system. You can be sure this is Trickbot if you find these files and folder: systeminfo32 or systeminfo64, injectDll32 or injectDll64 and folder injectDll32_config or injectDll64_config.

files created by trickbot Figure 3: Files created by Trickbot

Conclusion

Clever attack techniques utilized by TrickBot creators make this banking Trojan extremely dangerous both to corporate and personal victims. Once infected, a general person is extremely unlikely to find out about the Trojan and identify that the bank account the user is visiting is, in fact, a forged one.

Thankfully, modern simulation services like ANY.RUN allows professionals to study the threat and deploy appropriate security measures.

IOCs

IP addresses
107.22.188.116
181.112.157.42
95.171.16.42
185.14.31.104
185.99.2.66
185.90.61.9
134.119.191.21
5.1.81.68
66.70.218.46
51.89.204.243
170.238.117.187
203.176.135.102
121.100.19.18
110.232.76.39
181.129.134.18
195.123.240.210
185.142.99.149
188.120.255.249
194.5.249.109
66.70.218.37
Hashes
cf817791cca56e5466d5a09d3f6a81fd8133d097fdfdde7549c642c134315f4a
995526d72e443e96d046052b463c3ecef053cdbf8abadcfca423da35e1f83db7
24a8404328e8ec1dee092b61087c37f60311d1c96d9e2127b906805729226311
75682633e0cf3922340da72927e6c2c0900f055368afbbc1438f9112115e1f61
9872af68cb74e1241dedbb2d9839b74af4aa35d96a5d41e62d3af64c928e7309
54c3e01a3dee75c7137c63a25915b7bec1876a8fc65047eff99b97d9ca6cd5c6
21c19eb8b4e9d1a93f2786b722bea69e3d691c918c8f2dd3bfa51b0dd4b91193
d0c2d08876d76e79409654fb077ed49e196c457410f0cc1030c3d97daeeddaae
000c58521784fa11d96462027243a94fe53367fab33ed248bbb4e529ec457661
225d41fc5d44936822f7b137ecf6156ed4a3d08439b1b2f9633ccfbc51fad7d6
ad11e90e470d04ab051248e1e4b0df723ece885d594d54ca938ce13e5df72c76
6ab25c408af8a0acaabcf06f3b5fbdb93327028bad187fd7061c1d75047c4bd6
396223eeec49493a52dd9d8ba5348a332bf064483a358db79d8bb8d22e6eb62c
fa9ad80c0977cdbfe8419d27ca9ad909d34f1737df726f4d175f6b85b0670074
dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7
2463ef83b054cd508c2e7e89d8c2271203557a65cd518719b7f2bf6b279a44dd
feb5962123d53ede1c136d601a21d2ca8e1bddd2e82ac47336df8d9cdc122a02
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
de51bae08fd7318c988ef54511b5c08d8c3d9bbb2fc03d76d97116a79afb9e81
Domains
isns.net
youwantwork.com
majul.com
smtp.aiotecs.com
elx01.knas.systems
heatmap.services
g990421675.co
g594253005.co
measurements-api.wonderpush.com
checkoutspace.com
app.happeo.com
qxq.ddns.net
caplinked.com
wearedevs.com
babel.innertrends.com
krupskaya.com
m-onetrading-jp.com
thuocnam.tk
api.venyoo.ru
api-v4.trbo.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More