Trickbot

  trickbot trojan stealer

TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Type
Trojan
Origin
Unknown
First seen
1 September, 2016
Last seen
25 January, 2023
Also known as
TrickLoader
Global rank
21
Week rank
37
Month rank
38
IOCs
3435
Last Seen at
24 November, 2022
Malicious activity
sample01_extract.bin
trickbot
24 November, 2022
Malicious activity
sample01.exe
trickbot
23 November, 2022
Malicious activity
https://download.wondershare.com/inst/pdfelement-pro_setup_full5239.exe
loader
trickbot
22 November, 2022
Malicious activity
2019-09-25-initial-Trickbot-malware-binary.exe
trickbot
19 November, 2022
Malicious activity
2019-09-25-initial-Trickbot-malware-binary.exe
trickbot
19 November, 2022
Malicious activity
sample01.exe
trickbot
14 November, 2022
Malicious activity
415e04eb340f1b092288cbcc71295a2c95e864fc1bbfcd55d6e3f5aa67099b1a.exe
trickbot
1 November, 2022
Malicious activity
https://download.wondershare.com/inst/pdfelement-pro_setup_full5239.exe
trickbot
9 October, 2022
Malicious activity
pdfelement-pro_setup_full7281.exe
trickbot
29 September, 2022
Malicious activity
trickbot.exe
trickbot
TRACK THEM ALL AT
Public Submissions

What is TrickBot malware?

TrickBot, AKA TrickLoader, is a banking trojan – a malware designed to steal banking credentials. It is aimed at corporate and private victims and utilizes techniques such as redirection attacks. It manipulates what the victim sees in the browser and redirects to a bank cabinet webpage forged by the hackers.

Reportedly, TrickBot tries to follow ransomware and has already stolen millions of dollars from banks in the United States of America, England, Australia, New Zealand, Canada, and Germany.

General description of TrickBot malware

The first versions of this trojan used to target mostly corporate bank accounts, the same as ransomware, aiming at a specific regional banking platform used by American banks.

The malware is thought to be created by the same team of criminals known for developing another dangerous trojan – Dyre, which has been active until 2015 and reportedly successfully stolen millions of dollars for the Ryanair airline. Dyre rapidly stopped operating in 2015 after Russian authorities seized a group of hackers. However, this connection has never been proven definitively.

It’s speculated that some hackers from the group managed to avoid Russian authorities and came together to create Dyre's successor – TrickBot. This version is supported by the fact that TrickBot’s source code appears to be a rewrite of Dyre, albeit upgraded and refined utilizing C++ instead of Dyre, which mostly utilized C.

Through its lifespan, TrickBot malware developers have upgraded the functionality of the virus multiple times, adding new features and improving the banking trojan, and changing target banks, making their attacks highly unpredictable. Among other updates, TrickBot received support for the EternalBlue exploit, thus allowing it to spread over corporate networks. By August 2016, the malware gained email and browser history theft functionality. In September 2016, the virus learned to steal cryptocurrency by interjecting the normal payment process and stealing the coins when the user fills in personal and payment information on a payment gateway, grabbing the valuable tokens and redirecting them to a wallet that belongs to the hackers.

Trickbot malware analysis

The video was created by ANY.RUN malware hunting service allows us to see the incident as it unfolds.

process graph of trickbot analysis Figure 1: TrickBot’s lifecycle diagram created in ANY.RUN

ANY.RUN is an interactive malware sandbox that allows to watch the simulation in a safe environment and control it with direct human input when necessary. In addition to video simulation, the service provides various useful tools, such as comprehensive text reports. You can research other malicious objects there like IcedID or Emotet.

text report of trickbot banking trojan analysis Figure 2: A text report generated by ANY.RUN

The artifacts can appear in AppData\Local\Temp and AppData\Roaming directories on a contaminated machine. In addition, the malware is sometimes downloaded to the user's PC using a batch file. After achieving persistence, the malware can reportedly be found in a winapp folder located in the AppData\Roaming directory.

The virus utilizes a sophisticated method for infections which allows it to stay undetected by antivirus software. Instead of keeping configuration files locally on the user's machine, TrickBot is able to receive this data from C2 in real-time. Particularly, when a victim heads to one of the target web pages, TrickBot intersects the HTTP response of the website while sending the following information to C2:

  • A complete URL of the target bank website that the user navigates to
  • A whole HTTP query
  • HTML code of the webpage that the victim is trying to view

The C2 server then sends a new HTML markup that includes the malicious parts to the user, and instead of visiting a bank account, the user ends up on a forged page.

How to avoid infection by TrickBot?

Since the virus is often distributed in Microsoft Office files, it needs macros or the Microsoft Office's editing mode to be activated to enter an active phase. As long as both macros are deactivated, and the editing mode is switched off, the virus will pose no danger to a PC.

Distribution of TrickBot

TrickBot trojan is distributed with malspam and phishing campaigns but unlike ransomware, it is powered by the Necurs botnet, which has become extremely popular among attackers who utilize the malware-as-a-service business model.

Attackers will usually try to threaten and scare the victim to make the victim read the email and download any attached files. Finally, the trojan itself manages to get on a victim's machine through an Excel document that contains a macro programmed to download and start the execution of the banking trojan. However, In some of the more recent campaigns, HTML attachments have been included in the emails. Programmed to download Microsoft Office documents, the use of HTML attachments helps to avoid detection by antivirus software. What’s more, In the very last distribution campaigns, the attackers have started utilizing eFax ploys, tricking victims into clicking on VBS extensions that contain the virus.

TrickBot execution process

The given example is an analysis of the executable file that was performed using the ANY.RUN malware hunting service.

After the file was run, it immediately launched the command prompt with commands to stop and delete Windows Defender and turn off Windows Defender Real-time Protection using PowerShell.

process tree of trickbot execution

The virus then utilized CMSTP.exe to bypass user account control and execute the same commands through an auto-elevated COM interface.

After performing the initial steps, the malware added itself to Task Scheduler, thus ensuring that it will be executed later. After a while, Task Scheduler ran the malicious code, which started the contaminated svchost.exe processes. The svchost.exe process then started the malicious activity, launching itself and stealing credential data.

process tree of trickbot execution

How to detect Trickbot using ANY.RUN?

This malware creates files that allow analysts to say for sure that this is Trickbot. Open the "Files" tab in the lower part of the task's window and take a look at the created files. Filenames vary according to the bitness of the operating system. You can be sure this is Trickbot if you find these files and folder: systeminfo32 or systeminfo64, injectDll32 or injectDll64 and folder injectDll32_config or injectDll64_config.

files created by trickbot Figure 3: Files created by Trickbot

Conclusion

Clever attack techniques utilized by TrickBot creators make this banking trojan extremely dangerous both to corporate and personal victims, similar to ransomware behavior. Once infected, a general person is extremely unlikely to find out about the trojan and identify that the bank account the user is visiting is, in fact, a forged one.

Thankfully, modern simulation services like ANY.RUN allows professionals to study the threat and deploy appropriate security measures.

IOCs

IP addresses
188.93.125.116
45.76.176.10
193.182.144.148
190.13.160.19
190.154.203.218
91.200.102.125
31.184.253.37
37.228.117.146
200.116.199.10
185.142.99.8
181.112.157.42
186.42.186.202
45.138.158.53
51.68.247.62
138.59.233.5
94.250.249.170
190.214.13.2
96.9.73.73
96.9.77.142
163.172.50.82
Hashes
8db560f3f7dc604c7faa38fe5657b602cb6970dac2db2a98be177372bfb21786
6fc676e30cf28110639d8ceb6dd435aade49eda40096768fe2a3f2b466d6a0b1
415e04eb340f1b092288cbcc71295a2c95e864fc1bbfcd55d6e3f5aa67099b1a
5b2263765698e9bdaed76570eaa91655869621dbe2a9f5c428b2e391896a2f01
dd56b482a9ece74d8e4ccf435497bce4d7c2fdb603c3da400e543f32c20ef419
7e8c547fcc86e26b973e4c974da8ee2c4cfe84846e2cdfcd7f265929d27602f9
6a48d9e597bd1e7f35efb6ac2157fa80ffffd40c59037d4929f9dca4bce9a351
af42fbce8dce22d3d6846830142586a1961012e8ed9a4cefb0821a7676445060
696d31629493814286b941bdb40b81ebfa04f6f8e569868f49dafc68afcb4e85
05ddb093214e73a1014ee03924e308267281b9f383ab85ea03c3d98dfeeec38a
41ef02449e05acba6d4d245223d385b933c466440200df660ae2854397015d68
34d0f663295e00b520c7801a21ec8303a850e04bd075dc3a4eb5dca1a6bddfee
c6c1a8444cf250357e50c928f908ce7c3fea394f7604ad033413ee3ba867dba8
36201d4f760ade0fc6de622e4ca9598f126798fa2f06bff9826e89248efb0adc
75475fb40984ddb7c83638cb1f4a79827396ba7b638e501f7aff6293adb8cf51
dfce5005864c2b3832cd0ccd208dba1a1368317efdd3017e05bd57361012fab7
b3b3bb519dd34a933a0b9920fa905ecaa5ce32c34871a29b5823a5b0fd4d9fc7
a69dbac3bcc1be10b49365992419e762e92ec98a7ba6ee4f47ebc70c07ccd222
98234a351c5c951b5b5a7fbe33ad0b002095c7de11d34ee198efa4cfdd8684b7
fa9ad80c0977cdbfe8419d27ca9ad909d34f1737df726f4d175f6b85b0670074
Domains
isns.net
utils.global-e.com
ipv4.wtfismyip.com
frederikkempe.com
majul.com
www.cdn-aws.net
ludea.cz
hal-data.com
thuocnam.tk
krupskaya.com
m-onetrading-jp.com
pixel.ipinfo.io
hatech.io
elx01.knas.systems
eqy.link
get.smart-data-systems.com
keplerapis.com
www.propatria.lt
telltale.kryptoslogic.com
angeleyezstripclub.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy

Privacy Policy I agree