Trickbot

TrickBot is an advanced banking Trojan that attackers use to steal payment credentials from its victims. It can redirect the victim to a fake online-banking page and capture the credentials typed into it.

Type
Trojan
Origin
Unknown
First seen
1 September, 2016
Last seen
30 July, 2021
Also known as
TrickLoader
Global rank
12
Week rank
20
Month rank
11
IOCs
2891

What is TrickBot malware?

TrickBot, AKA TrickLoader, is a banking Trojan – malware designed to steal banking credentials. It targets both corporate and private victims and relies on techniques such as redirection attacks: it manipulates what the victim sees in the browser and redirects them to an online-banking page forged by the attackers.

Reportedly, TrickBot has already stolen millions of dollars from banks in the United States of America, England, Australia, New Zealand, Canada, and Germany.

General description of TrickBot

The first versions of this Trojan targeted mostly corporate bank accounts, aiming at a specific regional banking platform used by American banks.

The malware is thought to have been created by the same team of criminals known for developing another dangerous Trojan – Dyre, which was active until 2015 and reportedly stole millions of dollars from the airline Ryanair. Dyre abruptly stopped operating in 2015 after Russian authorities arrested a group of hackers. However, this connection has never been proven definitively.

It’s speculated that some members of the group managed to evade the Russian authorities and came together to create Dyre's successor – TrickBot. This theory is supported by the fact that TrickBot’s source code appears to be a rewrite of Dyre, albeit upgraded and refined and written in C++, whereas Dyre was mostly written in C.

Throughout its lifespan, the TrickBot developers have upgraded the functionality of the Trojan multiple times, adding new features, improving the banking module, and changing target banks, which makes their attacks highly unpredictable. Among other updates, TrickBot received support for the EternalBlue exploit, allowing it to spread across corporate networks. By August 2016, the malware had gained email and browser history theft functionality. In September 2016, it learned to steal cryptocurrency by intercepting the normal payment process: when the user fills in personal and payment information on a payment gateway, the malware grabs the valuable tokens and redirects them to a wallet that belongs to the attackers.

Trickbot malware analysis

The video created by ANY.RUN malware hunting service allows us to see the incident as it unfolds.

Figure 1: TrickBot’s lifecycle diagram (process graph) created in ANY.RUN

ANY.RUN is an interactive malware sandbox that lets analysts watch the simulation in a safe environment and control it with direct human input when necessary. In addition to video simulation, the service provides various useful tools, such as comprehensive text reports.

Figure 2: A text report generated by ANY.RUN

The artifacts can appear in the AppData\Local\Temp and AppData\Roaming directories on an infected machine. In addition, the malware is sometimes downloaded to the user's PC using a batch file. After achieving persistence, the malware can reportedly be found in a winapp folder located in the AppData\Roaming directory.

The Trojan uses a sophisticated infection method that helps it stay undetected by antivirus software. Instead of keeping configuration files locally on the user's machine, TrickBot receives this data from the C2 server in real time. Specifically, when a victim navigates to one of the targeted web pages, TrickBot intercepts the website's HTTP response and sends the following information to the C2 server:

  • A complete URL of the target bank website that the user navigates to
  • A whole HTTP query
  • HTML code of the webpage that the victim is trying to view

The C2 server then returns new HTML markup that includes the malicious parts, and instead of seeing their real bank account page, the user ends up on a forged one.

How to avoid infection by TrickBot?

Since the Trojan is often distributed in Microsoft Office files, it needs macros or Microsoft Office's editing mode to be activated before it can enter its active phase. As long as macros are disabled and editing mode is switched off, the malware poses no danger to the PC.

Distribution of TrickBot

TrickBot trojan is distributed with malspam and phishing campaigns powered by the Necurs botnet, which has become extremely popular among attackers who utilize the malware-as-a-service business model.

Attackers will usually try to threaten and scare the victim into reading the email and downloading any attached files. The Trojan itself typically reaches a victim's machine through an Excel document containing a macro programmed to download and execute the banking Trojan. However, in some of the more recent campaigns, HTML attachments have been included in the emails. Programmed to download Microsoft Office documents, these HTML attachments help the malware avoid detection by antivirus software. What’s more, in the latest distribution campaigns the attackers have started using eFax ploys, tricking victims into clicking on VBS attachments that contain the Trojan.

TrickBot execution process

The given example is an analysis of the executable file that was performed using the ANY.RUN malware hunting service.

After the file was run, it immediately launched the command prompt with commands to stop and delete Windows Defender and turn off Windows Defender Real-time Protection using PowerShell.

Figure: process tree of TrickBot execution

The Trojan then used CMSTP.exe to bypass User Account Control and execute the same commands through an auto-elevated COM interface.

After performing the initial steps, the malware added itself to Task Scheduler, thus ensuring that it would be executed again later. After a while, Task Scheduler ran the malicious code, which started the compromised svchost.exe processes. The svchost.exe process then carried out the malicious activity, relaunching itself and stealing credential data.

Figure: process tree of TrickBot execution (later stage)
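The execution chain above (Defender tampering from cmd/PowerShell, CMSTP launch, a scheduled task, and svchost.exe started by something other than services.exe) can be turned into a triage check over a process log. The following is an added example, not ANY.RUN's code; the CSV layout "pid,ppid,image,commandline" and the sample log lines are constructed, and "..." stands in for command-line arguments that are not reproduced.

```python
import csv
from io import StringIO
from typing import Dict, List

# Constructed sample process log (assumed layout, not real ANY.RUN output).
SAMPLE_PROCESS_LOG = """\
pid,ppid,image,commandline
812,600,services.exe,services.exe
1204,812,explorer.exe,explorer.exe
2316,1204,invoice.exe,C:\\Users\\user\\Downloads\\invoice.exe
2400,2316,cmd.exe,cmd.exe /c ... WinDefend ...
2452,2400,powershell.exe,powershell ... RealtimeMonitoring ...
2500,2316,cmstp.exe,cmstp.exe ... C:\\Users\\user\\AppData\\Local\\Temp\\x.inf
2588,2316,schtasks.exe,schtasks /create /tn winapp /tr C:\\Users\\user\\AppData\\Roaming\\winapp\\invoice.exe
3012,1400,invoice.exe,C:\\Users\\user\\AppData\\Roaming\\winapp\\invoice.exe
3104,3012,svchost.exe,svchost.exe
3200,812,svchost.exe,svchost.exe -k netsvcs
"""

# Substrings that indicate the Defender service or its real-time protection is being touched.
DEFENDER_TAMPER_MARKERS = ("windefend", "realtimemonitoring")

def parse_log(text: str) -> Dict[int, dict]:
    """Return a pid-keyed map of {ppid, image, cmd} with names lower-cased."""
    procs: Dict[int, dict] = {}
    for row in csv.DictReader(StringIO(text)):
        procs[int(row["pid"])] = {"ppid": int(row["ppid"]),
                                  "image": row["image"].lower(),
                                  "cmd": row["commandline"].lower()}
    return procs

def triage(procs: Dict[int, dict]) -> Dict[str, List[int]]:
    """Map each behaviour from the analysis to the pids that show it."""
    hits: Dict[str, List[int]] = {}
    for pid, p in procs.items():
        parent = procs.get(p["ppid"], {}).get("image", "")
        if p["image"] in ("cmd.exe", "powershell.exe") and any(m in p["cmd"] for m in DEFENDER_TAMPER_MARKERS):
            hits.setdefault("defender_tamper", []).append(pid)
        # CMSTP launched by a user-land process with an .inf profile is the UAC-bypass pattern.
        if p["image"] == "cmstp.exe" and ".inf" in p["cmd"] and parent not in ("services.exe", "svchost.exe"):
            hits.setdefault("cmstp_autoelevate", []).append(pid)
        if p["image"] == "schtasks.exe" and "/create" in p["cmd"] and "appdata" in p["cmd"]:
            hits.setdefault("schtask_persistence", []).append(pid)
        # svchost.exe is normally a child of services.exe; any other parent is suspicious.
        if p["image"] == "svchost.exe" and parent != "services.exe":
            hits.setdefault("rogue_svchost", []).append(pid)
    return hits

def matches_trickbot_chain(hits: Dict[str, List[int]]) -> bool:
    """True only when all four stages of the observed chain are present."""
    return all(k in hits for k in ("defender_tamper", "cmstp_autoelevate", "schtask_persistence", "rogue_svchost"))
```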

How to detect Trickbot using ANY.RUN?

This malware creates files that allow analysts to say for sure that this is TrickBot. Open the "Files" tab in the lower part of the task window and take a look at the created files. Filenames vary according to the bitness of the operating system. You can be sure this is TrickBot if you find the following files and folder: systeminfo32 or systeminfo64, injectDll32 or injectDll64, and the folder injectDll32_config or injectDll64_config.

Figure 3: Files created by TrickBot
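The file-based check above can be automated over a list of created paths, keeping the 32/64-bit name variants consistent and noting whether the artifacts sit in the AppData\Roaming\winapp folder mentioned earlier. This is an added example, not ANY.RUN's code; the sample paths are constructed and their subfolder layout is assumed.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Artifact groups from the analysis, each with its 32-bit and 64-bit name variant.
REQUIRED_ARTIFACTS = {
    "systeminfo": ("systeminfo32", "systeminfo64"),
    "injectdll": ("injectdll32", "injectdll64"),
    "injectdll_config": ("injectdll32_config", "injectdll64_config"),
}

# Constructed sample listing of a 64-bit host; exact subfolders are an assumption.
SAMPLE_FILES = [
    r"C:\Users\user\AppData\Roaming\winapp\invoice.exe",
    r"C:\Users\user\AppData\Roaming\winapp\systeminfo64",
    r"C:\Users\user\AppData\Roaming\winapp\injectDll64",
    r"C:\Users\user\AppData\Roaming\winapp\injectDll64_config\settings.txt",
    r"C:\Users\user\AppData\Local\Temp\~tmp.bat",
]

def found_artifacts(paths: List[str]) -> Dict[str, str]:
    """Return {group: matched name} for every artifact group present (folders count too)."""
    components = {part.lower() for p in paths for part in PureWindowsPath(p).parts}
    return {group: next(v for v in variants if v in components)
            for group, variants in REQUIRED_ARTIFACTS.items()
            if any(v in components for v in variants)}

def classify(paths: List[str]) -> Dict[str, Optional[str]]:
    """Verdict is 'trickbot' only when all groups are present with one consistent bitness."""
    found = found_artifacts(paths)
    in_winapp = any("winapp" in (part.lower() for part in PureWindowsPath(p).parts) for p in paths)
    bits = {name.replace("_config", "")[-2:] for name in found.values()}
    complete = len(found) == len(REQUIRED_ARTIFACTS) and len(bits) == 1
    return {"verdict": "trickbot" if complete else "no match",
            "bitness": bits.pop() if complete else None,
            "winapp_dir": "yes" if in_winapp else "no"}
```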

Conclusion

The clever attack techniques used by TrickBot's creators make this banking Trojan extremely dangerous to both corporate and personal victims. Once infected, an ordinary user is extremely unlikely to discover the Trojan or to realise that the bank account page they are visiting is, in fact, a forged one.

Thankfully, modern simulation services like ANY.RUN allow professionals to study the threat and deploy appropriate security measures.

