Trickbot


  • Type
    Trojan
  • Origin
    Unknown
  • First seen
    1 September, 2016
  • Last seen
    22 November, 2019
  • Also known as
    TrickLoader
  • Global rank
    15
  • Week rank
    6
  • Month rank
    8
  • IOCs
    249

What is TrickBot malware?

TrickBot, AKA TrickLoader, is a banking Trojan, i.e. malware designed to steal banking credentials. It targets both corporate and private victims and uses techniques such as redirection attacks: it manipulates what the victim sees in the browser and redirects them to a forged copy of the bank's online-banking page built by the attackers.

Reportedly, TrickBot has already stolen millions of dollars from banks in the United States of America, England, Australia, New Zealand, Canada, and Germany.

General description of TrickBot

The first versions of this Trojan used to target mostly corporate bank accounts, in particular, aiming at a specific regional banking platform used by American banks.

The malware is thought to have been created by the same criminal group known for developing another dangerous Trojan, Dyre, which was active until 2015 and reportedly stole millions of dollars from companies including the airline Ryanair. Dyre abruptly stopped operating in 2015 after Russian authorities arrested a group of hackers; however, this connection has never been proven definitively.

It is speculated that some members of the group evaded the Russian authorities and regrouped to create Dyre's successor, TrickBot. This theory is supported by the fact that TrickBot's source code appears to be a rewrite of Dyre, upgraded and refined in C++, whereas Dyre was written mostly in C.

Over its lifespan, TrickBot's developers have upgraded the malware many times, not only adding new features and improving the banking Trojan but also changing its target banks, which makes its attacks hard to predict. Among other updates, TrickBot gained support for the EternalBlue exploit, allowing it to spread across corporate networks. By August 2016 the malware could steal email and browser history, and in September 2016 it learned to steal cryptocurrency by intercepting the normal payment process: when the user fills in personal and payment information on a payment gateway, the malware grabs the coins and redirects them to a wallet belonging to the attackers.

Trickbot malware analysis

The video created with the ANY.RUN malware hunting service lets us watch the incident as it unfolds.

Figure 1: TrickBot's lifecycle diagram created in ANY.RUN

ANY.RUN is an interactive virtual sandbox that not only lets analysts watch the simulation in a safe environment but also lets them control it with direct human input when necessary. In addition to the video, the service provides a variety of useful tools, such as comprehensive text reports.

Figure 2: A text report generated by ANY.RUN

Artifacts can appear in the AppData\Local\Temp and AppData\Roaming directories on an infected machine. The malware is also sometimes downloaded to the user's PC by a batch file. After achieving persistence, the malware can reportedly be found in a winapp folder inside the AppData\Roaming directory.

The malware uses a sophisticated infection method that helps it evade antivirus software. Instead of keeping configuration files locally on the user's machine, TrickBot receives this data from its C2 server in real time. In particular, when a victim navigates to one of the targeted web pages, TrickBot intercepts the website's HTTP response and sends the following information to the C2 server:

  • The complete URL of the target bank website the user navigates to
  • The full HTTP request
  • The HTML code of the webpage the victim is trying to view

The C2 server then returns new HTML markup that includes the malicious parts, so instead of seeing their real bank account page the user ends up on a forged one.

How to avoid infection by TrickBot

Since the malware is often distributed in Microsoft Office files, it needs macros or editing mode to be enabled in Microsoft Office before it can enter its active phase. As long as macros are disabled and editing mode is switched off, the malicious document poses no danger to the PC.

Distribution of TrickBot

TrickBot is distributed through malspam and phishing campaigns powered by the Necurs botnet, which has become extremely popular among attackers who use the malware-as-a-service business model.

Attackers usually try to threaten or scare the victim into reading the email and downloading the attached files. The Trojan itself reaches the victim's machine through an Excel document containing a macro programmed to download and execute the banking Trojan. In some more recent campaigns, however, HTML attachments have been included in the emails; programmed to download Microsoft Office documents, they help the attackers evade antivirus detection. In the latest distribution campaigns, the attackers have started using eFax ploys, tricking victims into opening VBS files that contain the malware.

TrickBot execution process

The example below is an analysis of the executable file performed with the ANY.RUN malware hunting service.

After the file was run, it immediately launched the command prompt with commands to stop and delete the Windows Defender service, and used PowerShell to turn off Windows Defender Real-time Protection.

Process tree of TrickBot execution

The malware then used CMSTP.exe to bypass User Account Control and executed the same commands through an auto-elevated COM interface.

After these initial steps, the malware added itself to Task Scheduler to ensure it would be executed later. After a while, Task Scheduler ran the malicious code, which in turn started the infected svchost.exe processes. The svchost.exe process then carried out the malicious activity, launching itself and stealing credentials.

Process tree of TrickBot execution
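The execution chain above (Defender tampering from the command prompt and PowerShell, CMSTP.exe used for elevation, svchost.exe started by the malware rather than by the service control manager) translates directly into process-creation triage rules. The script below is an added example, not ANY.RUN's code; the sample events are constructed, and the exact command strings it matches (`sc stop/delete WinDefend`, `Set-MpPreference -DisableRealtimeMonitoring`) are an assumption based on common Defender-tampering commands, not values quoted on this page.

```python
"""Triage the TrickBot execution chain described above over process events.

Added example, not ANY.RUN's code. It checks constructed process-creation
events for three behaviours the analysis reports: Defender tampering from
cmd/PowerShell, shells launched via CMSTP.exe, and svchost.exe started by a
parent other than services.exe. The command strings matched are an assumption
(common Defender-tampering commands), not values quoted on the page.
"""
import re
from typing import Dict, List

DEFENDER_PATTERNS = [
    # "sc stop WinDefend" / "sc delete WinDefend" stop and remove the service
    re.compile(r"\bsc(\.exe)?\s+(stop|delete)\s+WinDefend\b", re.I),
    # Set-MpPreference -DisableRealtimeMonitoring $true turns off real-time protection
    re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I),
]
SHELLS = {"cmd.exe", "powershell.exe"}

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return one finding string per suspicious behaviour seen in the events."""
    findings: List[str] = []
    for ev in events:
        image, parent, cmd = image_name(ev["image"]), image_name(ev["parent"]), ev["cmdline"]
        if image in SHELLS and any(p.search(cmd) for p in DEFENDER_PATTERNS):
            findings.append(f"defender_tamper: {cmd}")
        if image in SHELLS and parent == "cmstp.exe":
            findings.append(f"cmstp_child: {cmd}")
        if image == "svchost.exe" and parent != "services.exe":
            findings.append(f"svchost_odd_parent: {ev['parent']}")
    return findings

# Constructed sample events modelled on the stages described in the analysis.
DROPPER = r"C:\Users\victim\AppData\Local\Temp\invoice.exe"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent": DROPPER, "cmdline": "cmd.exe /c sc stop WinDefend"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": DROPPER,
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\CMSTP.exe",
     "cmdline": "cmd.exe /c sc delete WinDefend"},
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Users\victim\AppData\Roaming\winapp\invoice.exe",
     "cmdline": "svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},  # benign: the normal parent
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},  # benign
]
```

Running `triage(SAMPLE_EVENTS)` yields five findings: three Defender-tampering command lines, one shell spawned by CMSTP.exe, and one svchost.exe with a parent inside the winapp folder; the two benign events produce nothing.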

How to detect Trickbot using ANY.RUN?

This malware creates files that let analysts say for sure that the sample is TrickBot. Open the "Files" tab in the lower part of the task window and look at the created files. Filenames vary with the bitness of the operating system. You can be sure the sample is TrickBot if you find these files and folders: systeminfo32 or systeminfo64, injectDll32 or injectDll64, and the folder injectDll32_config or injectDll64_config.

Figure 3: Files created by TrickBot
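The same file-name check can be run outside the sandbox, for instance over a mounted image of a suspect user profile. The scanner below is an added example, not ANY.RUN's code: it walks a directory tree for the module files and config folders named above and for a winapp folder under Roaming, and returns a verdict only when the full file-and-folder set for one bitness is present; the sample tree it builds is constructed.

```python
"""Scan a directory tree for the TrickBot on-disk artifacts listed above.

Added example, not ANY.RUN's code. It walks a path (e.g. a mounted image of a
suspect user profile) and reports the module files and config folders named in
the analysis, plus a winapp folder directly under Roaming, where the page says
the persistent copy lives. Matching is case-insensitive; the sample tree is constructed.
"""
import os
import tempfile
from typing import Dict, List

MODULE_STEMS = ("systeminfo", "injectdll")          # followed by 32 or 64
CONFIG_DIRS = {"injectdll32_config", "injectdll64_config"}

def find_trickbot_artifacts(root: str) -> Dict[str, List[str]]:
    """Return matching paths grouped as files / config_dirs / winapp_dirs."""
    hits: Dict[str, List[str]] = {"files": [], "config_dirs": [], "winapp_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in CONFIG_DIRS:
                hits["config_dirs"].append(os.path.join(dirpath, d))
            if d.lower() == "winapp" and os.path.basename(dirpath).lower() == "roaming":
                hits["winapp_dirs"].append(os.path.join(dirpath, d))
        for f in filenames:
            stem = os.path.splitext(f.lower())[0]   # tolerate an added extension
            if any(stem in (s + "32", s + "64") for s in MODULE_STEMS):
                hits["files"].append(os.path.join(dirpath, f))
    return {k: sorted(v) for k, v in hits.items()}

def verdict(hits: Dict[str, List[str]]) -> str:
    """'trickbot' when the full file+folder set for one bitness is present."""
    names = {os.path.splitext(os.path.basename(p).lower())[0] for p in hits["files"]}
    cfgs = {os.path.basename(p).lower() for p in hits["config_dirs"]}
    for bits in ("32", "64"):
        if {"systeminfo" + bits, "injectdll" + bits} <= names and "injectdll%s_config" % bits in cfgs:
            return "trickbot"
    return "suspicious" if any(hits.values()) else "clean"

def build_sample_tree(base: str) -> str:
    """Construct a fake AppData\\Roaming\\winapp tree carrying the 64-bit artifacts."""
    winapp = os.path.join(base, "AppData", "Roaming", "winapp")
    os.makedirs(os.path.join(winapp, "injectDll64_config"))
    for name in ("systeminfo64", "injectDll64", "readme.txt"):
        open(os.path.join(winapp, name), "w").close()
    return base

def demo() -> tuple:
    """Scan a constructed tree in a temp dir; returns (verdict, counts per category)."""
    hits = find_trickbot_artifacts(build_sample_tree(tempfile.mkdtemp()))
    return verdict(hits), {k: len(v) for k, v in hits.items()}
```

A lone injectDll file without its systeminfo counterpart and config folder is reported as "suspicious" rather than "trickbot", matching the page's rule that all three artifacts together give certainty.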

Conclusion

The clever attack techniques used by TrickBot's creators make this banking Trojan extremely dangerous to both corporate and personal victims. Once infected, an ordinary user is extremely unlikely to discover the Trojan or to realize that the bank account page they are visiting is, in fact, a forged one.

Thankfully, modern sandbox services like ANY.RUN allow professionals to study the threat and deploy appropriate security measures.
