What is TrickBot malware?
TrickBot, also known as TrickLoader, is a banking Trojan, a piece of malware designed to steal banking credentials. It targets both corporate and private victims and relies on techniques such as redirection attacks: it manipulates what the victim sees in the browser and redirects the victim to an online-banking page forged by the attackers.
Reportedly, TrickBot has already stolen millions of dollars from banks in the United States of America, England, Australia, New Zealand, Canada, and Germany.
General description of TrickBot
The first versions of this Trojan used to target mostly corporate bank accounts, in particular, aiming at a specific regional banking platform used by American banks.
The malware is thought to have been created by the same group of criminals known for developing another dangerous Trojan, Dyre, which was active until 2015 and reportedly stole millions of dollars from the Ryanair airline, among others. Dyre abruptly stopped operating in 2015 after Russian authorities arrested a group of hackers; however, the connection between the two operations has never been proven definitively.
It is speculated that some members of the group evaded the Russian authorities and regrouped to create Dyre's successor, TrickBot. This theory is supported by the fact that TrickBot's source code appears to be a rewrite of Dyre, upgraded and refined in C++, whereas Dyre was written mostly in C.
Throughout its lifespan, TrickBot's developers have upgraded the functionality of the malware many times, not only adding new features and improving the banking Trojan but also changing the targeted banks, which makes its attacks highly unpredictable. Among other updates, TrickBot received support for the EternalBlue exploit, allowing it to spread across corporate networks. By August 2016 the malware had gained email and browser history theft capabilities, and in September 2016 it learned to steal cryptocurrency by intercepting the normal payment flow: when the user enters personal and payment details on a payment gateway, the malware grabs the coins and redirects them to a wallet controlled by the attackers.
Trickbot malware analysis
The video created by the ANY.RUN malware hunting service allows us to see the incident as it unfolds.
Figure 1: TrickBot’s lifecycle diagram created in ANY.RUN
ANY.RUN is an interactive virtual sandbox that not only lets analysts watch the execution in a safe environment but also lets them control it with direct human input when necessary. In addition to the video recording, the service provides a variety of useful tools, such as comprehensive text reports.
Figure 2: A text report generated by ANY.RUN
On an infected machine, artifacts can appear in the AppData\Local\Temp and AppData\Roaming directories. In addition, the malware is sometimes downloaded to the user's PC by a batch file. After achieving persistence, the malware can reportedly be found in a winapp folder located in the AppData\Roaming directory.
The malware uses a sophisticated infection method that helps it evade antivirus software. Instead of keeping configuration files locally on the user's machine, TrickBot receives this data from its C2 server in real time. Specifically, when a victim navigates to one of the targeted web pages, TrickBot intercepts the website's HTTP response and sends the following information to the C2 server:
- A complete URL of the target bank website that the user navigates to
- A whole HTTP query
- HTML code of the webpage that the victim is trying to view
The C2 server then returns new HTML markup that includes the malicious parts, and instead of seeing the real bank account page, the user ends up on a forged one.
How to avoid infection by TrickBot
Since the malware is often distributed in Microsoft Office files, it needs macros or editing mode in Microsoft Office to be enabled before it can enter its active phase. As long as macros stay disabled and editing mode is switched off, the malware poses no danger to the PC.
Distribution of TrickBot
TrickBot is distributed with malspam and phishing campaigns that are powered by the Necurs botnet, which has become extremely popular among attackers who utilize the malware-as-a-service business model.
Attackers usually try to threaten and scare the victim so that the victim reads the email and downloads any attached files. The Trojan itself typically reaches the victim's machine through an Excel document containing a macro programmed to download and execute the banking Trojan. However, in some of the more recent campaigns, HTML attachments have been included in the emails; programmed to download Microsoft Office documents, these HTML attachments help evade detection by antivirus software. What's more, in the most recent distribution campaigns the attackers have started using eFax ploys, tricking victims into opening attachments with a VBS extension that contain the malware.
TrickBot execution process
The given example is an analysis of the executable file that was performed using the ANY.RUN malware hunting service.
Immediately after the file was run, it launched the command prompt with commands to stop and delete Windows Defender, and used PowerShell to turn off Windows Defender Real-time Protection.
The malware then used CMSTP.exe to bypass User Account Control and executed the same commands through an auto-elevated COM interface.
After these initial steps, the malware registered itself in Task Scheduler, ensuring that it would be executed again later. After a while, Task Scheduler ran the malicious code, which in turn started the malicious svchost.exe processes. The svchost.exe process then carried out the malicious activity, launching further copies of itself and stealing credential data.
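The execution chain above (Defender tampering from the command prompt and PowerShell, CMSTP.exe spawning children, a scheduled task, and svchost.exe started by something other than services.exe) can be expressed as process-lineage detection rules. The script below is an added example, not ANY.RUN's own code; the process events are constructed to mirror the described chain, and the exact command lines (service name WinDefend, the Set-MpPreference cmdlet, schtasks /create) are assumptions, since the article does not quote them.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name only, e.g. "cmd.exe"
    cmdline: str

# Constructed events that mirror the chain described above; not real sandbox output.
EVENTS = [
    ProcEvent(100, 4, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "sample.exe", r"C:\Users\victim\Downloads\sample.exe"),
    ProcEvent(210, 200, "cmd.exe", "cmd.exe /c sc stop WinDefend"),
    ProcEvent(220, 200, "powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(230, 200, "cmstp.exe", "cmstp.exe"),
    ProcEvent(240, 230, "cmd.exe", "cmd.exe /c sc delete WinDefend"),   # child of CMSTP
    ProcEvent(250, 200, "schtasks.exe", "schtasks.exe /create /tn Updater /tr sample.exe"),
    ProcEvent(6, 4, "services.exe", "services.exe"),
    ProcEvent(300, 6, "svchost.exe", "svchost.exe -k netsvcs"),         # legitimate parent
    ProcEvent(310, 200, "svchost.exe", "svchost.exe"),                  # started by the sample
]

# Substrings that indicate Windows Defender is being stopped or its real-time protection disabled.
TAMPER_MARKERS = ("windefend", "disablerealtimemonitoring")

def detect(events):
    """Return sorted (rule, pid) pairs for events matching the TrickBot-style chain."""
    by_pid = {e.pid: e for e in events}

    def parent_image(e):
        parent = by_pid.get(e.ppid)
        return parent.image.lower() if parent else ""

    hits = set()
    for e in events:
        img, cmd = e.image.lower(), e.cmdline.lower()
        if img in ("cmd.exe", "powershell.exe") and any(m in cmd for m in TAMPER_MARKERS):
            hits.add(("defender_tamper", e.pid))
        if parent_image(e) == "cmstp.exe":             # CMSTP should not spawn shells
            hits.add(("cmstp_spawned_child", e.pid))
        if img == "schtasks.exe" and "/create" in cmd:  # persistence via Task Scheduler
            hits.add(("scheduled_task_created", e.pid))
        if img == "svchost.exe" and parent_image(e) != "services.exe":
            hits.add(("svchost_unexpected_parent", e.pid))
    return sorted(hits)
```

Any one rule alone is noisy on a real host; the combination of all four in one process tree is what makes the chain described above stand out.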
How to detect Trickbot using ANY.RUN?
This malware creates files that let analysts say with confidence that the sample is TrickBot. Open the "Files" tab in the lower part of the task window and look at the created files. The filenames vary with the bitness of the operating system. You can be sure it is TrickBot if you find the following files and folder: systeminfo32 or systeminfo64, injectDll32 or injectDll64, and the folder injectDll32_config or injectDll64_config.
Figure 3: Files created by Trickbot
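The file-based check above, and the winapp persistence folder mentioned earlier, can be automated over a list of created-file paths such as the ones shown in the sandbox "Files" tab. This is an added example, not ANY.RUN's code; the sample paths are constructed, and the user name and the file inside the config folder are placeholders.

```python
from pathlib import PureWindowsPath

# Indicator names from the article, grouped by OS bitness (compared case-insensitively).
TRICKBOT_FILES = {32: {"systeminfo32", "injectdll32"}, 64: {"systeminfo64", "injectdll64"}}
TRICKBOT_DIRS = {32: "injectdll32_config", 64: "injectdll64_config"}

# Constructed file listing for an infected 64-bit host (not real sandbox output).
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Roaming\winapp\injectDll64",
    r"C:\Users\victim\AppData\Roaming\winapp\systeminfo64",
    r"C:\Users\victim\AppData\Roaming\winapp\injectDll64_config",
    r"C:\Users\victim\AppData\Roaming\winapp\injectDll64_config\placeholder_config",
    r"C:\Users\victim\AppData\Local\Temp\notes.txt",
]

def find_trickbot_artifacts(paths):
    """Return {bitness: set of matched indicator names} for the given paths."""
    hits = {32: set(), 64: set()}
    for raw in paths:
        parts = [part.lower() for part in PureWindowsPath(raw).parts]
        name = parts[-1] if parts else ""
        stem = name.split(".")[0]           # tolerate an added extension
        for bits in (32, 64):
            if name in TRICKBOT_FILES[bits] or stem in TRICKBOT_FILES[bits]:
                hits[bits].add(stem)
            if TRICKBOT_DIRS[bits] in parts:   # folder itself or anything inside it
                hits[bits].add(TRICKBOT_DIRS[bits])
    return hits

def in_winapp_dir(path):
    """True if the path lies under an AppData\\Roaming\\winapp folder, the persistence location."""
    parts = [part.lower() for part in PureWindowsPath(path).parts]
    return "roaming" in parts and "winapp" in parts

def verdict(paths):
    """Full indicator set for one bitness present -> TrickBot; otherwise no verdict."""
    hits = find_trickbot_artifacts(paths)
    for bits in (32, 64):
        wanted = TRICKBOT_FILES[bits] | {TRICKBOT_DIRS[bits]}
        if wanted <= hits[bits]:
            return f"TrickBot ({bits}-bit)"
    return "no TrickBot artifact set"
```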
The clever attack techniques used by TrickBot's creators make this banking Trojan extremely dangerous to both corporate and private victims. Once infected, an ordinary user is very unlikely to notice the Trojan or to realize that the banking page being visited is, in fact, a forged one.
Thankfully, modern sandbox services like ANY.RUN allow professionals to study the threat and deploy appropriate security measures.