TrickBot Trojan: A Short Analysis of the Modular Banking Malware

TrickBot is a well known modular banking trojan that sometimes acts as an info-stealer or malware dropper. Active since 2016, it has been updated several times with new features and modulations. Recently, it was used along with Ryuk ransomware to target several organizations.

Top targets

TrickBot is used in various attack campaigns to provide a gateway inside a targeted network and act as a dropper to deploy additional ransomware (e.g., Conti, Ryuk, and Emotet). However, it is mostly used to steal information from financial institutions located in the U.S.
  • In August 2020, it was used in Emotet’s spam campaign sending COVID-19 related emails to U.S. businesses.
  • In the month of July, TrickBot was observed being installed along with Emotet to infect Windows computers.
  • In April 2020, TrickBot operators were also observed to be taking advantage of the coronavirus pandemic by sending spam emails related to the Department of Labor FMLA theme.

Modus operandi

TrickBot used several techniques of propagation ranging from smishing, COVID-19 lures, and spam emails, to brute-forcing Remote Desktop Protocol (RDP) endpoints and using the mworm module.
  • TrickBot's Anchor malware platform known as “Anchor_DNS” was ported to infect Linux devices in July.
  • At the beginning of July, TrickBot started a new technique of evading detection by checking the screen resolutions of victims to identify if they are running virtual machines or not.
  • In early-June 2020, the TrickBot operators were found to be using the BazarBackdoor to gain access to targeted networks.

Other associations

TrickBot uses a custom crypter “Cutwail,” which is used by a group that spreads the Dyre banking trojan. Therefore, experts are of opinion that the developers of Dyre could have helped in developing TrickBot. Moreover, Ryuk uses the same infrastructure as TrickBot and is often observed being used with Emotet. These observations led to the conclusion that all these three malware are operated by the same criminal group known as “Wizard Spider.”

Key takeaways

The modular TrickBot continues to receive updates with new features to evade detection. Thus, all home and corporate users must follow basic security practices: update their operating systems, avoid opening documents and emails from unknown senders, use reliable anti-malware solutions, and stay alert of common hacking techniques.