TrickBot

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]

ID: S0266
Associated Software: Totbrick, TSPY_TRICKLOAD
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security; Cybereason Nocturnus, @nocturnus; Omkar Gudhate; FS-ISAC
Version: 2.2
Created: 17 October 2018
Last Modified: 10 April 2024

Associated Software Descriptions

Name Description
Totbrick [5][6]
TSPY_TRICKLOAD [5]

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.[7][8][9]

.005 Credentials from Password Stores: Password Managers

TrickBot can steal passwords from the KeePass open source password manager.[8]

Enterprise T1005 Data from Local System

TrickBot collects local files and information from the victim’s local machine.[1]

Enterprise T1090 .002 Proxy: External Proxy

TrickBot has been known to reach a command and control server via one of nine proxy IP addresses.[10][9]

Enterprise T1036 Masquerading

The TrickBot downloader has used an icon to appear as a Microsoft Word document.[8]

Enterprise T1112 Modify Registry

TrickBot can modify registry entries.[7]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.[7]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

TrickBot uses a custom crypter leveraging Microsoft's CryptoAPI to encrypt C2 traffic.[2] Newer versions of TrickBot have been known to use bcrypt to encrypt and digitally sign responses to their C2 server.[10]

Enterprise T1140 Deobfuscate/Decode Files or Information

TrickBot decodes the configuration data and modules.[2][8][11]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TrickBot establishes persistence in the Startup folder.[12]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers.[9]

.003 Command and Scripting Interpreter: Windows Command Shell

TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[13]

Enterprise T1008 Fallback Channels

TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.[8]

Enterprise T1495 Firmware Corruption

TrickBot module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device.[14]

Enterprise T1482 Domain Trust Discovery

TrickBot can gather information about domain trusts by utilizing Nltest.[15][8]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TrickBot can disable Windows Defender.[7]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TrickBot uses HTTPS to communicate with its C2 servers in order to fetch malware updates, the modules that perform most of the malware logic, and various configuration files.[1][8]

Enterprise T1132 .001 Data Encoding: Standard Encoding

TrickBot can Base64-encode C2 commands.[8]

Enterprise T1083 File and Directory Discovery

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[1][7]

Enterprise T1110 .004 Brute Force: Credential Stuffing

TrickBot uses a brute-force attack against RDP with its rdpscanDll module.[12][16]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP.[7][8] Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.[13]

.002 Unsecured Credentials: Credentials in Registry

TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key.[13]

Enterprise T1106 Native API

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[1] TrickBot has also used Nt* API functions to perform Process Injection.[11]

Enterprise T1069 Permission Groups Discovery

TrickBot can identify the groups the user on a compromised host belongs to.[8]

Enterprise T1185 Browser Session Hijacking

TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[2][3][6][7]

Enterprise T1027 Obfuscated Files or Information

TrickBot uses non-descriptive names to hide functionality.[1]

.002 Software Packing

TrickBot leverages a custom packer to obfuscate its functionality.[1]

.013 Encrypted/Encoded File

TrickBot uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[1]

Enterprise T1204 .002 User Execution: Malicious File

TrickBot has attempted to get users to launch malicious documents to deliver its payload.[13][8]

Enterprise T1082 System Information Discovery

TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.[1][2][8][14]

Enterprise T1033 System Owner/User Discovery

TrickBot can identify the user and groups the user belongs to on a compromised host.[8]

Enterprise T1007 System Service Discovery

TrickBot collects a list of installed programs and services on the compromised machine.[1]

Enterprise T1016 System Network Configuration Discovery

TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.[1][7][8]

Enterprise T1135 Network Share Discovery

TrickBot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API.[12][16]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

TrickBot has used printf and file I/O loops to delay process execution as part of API hammering.[11]

Enterprise T1087 .001 Account Discovery: Local Account

TrickBot collects the users of the system.[1][7]

.003 Account Discovery: Email Account

TrickBot collects email addresses from Outlook.[7]

Enterprise T1105 Ingress Tool Transfer

TrickBot downloads several additional files and saves them to the victim's machine.[5][9]

Enterprise T1056 .004 Input Capture: Credential API Hooking

TrickBot has the ability to capture RDP credentials by hooking the CredEnumerateA API.[13]

Enterprise T1057 Process Discovery

TrickBot uses module networkDll for process list discovery.[12][16]

Enterprise T1055 Process Injection

TrickBot has used Nt* Native API functions to inject code into legitimate processes such as wermgr.exe.[11]

.012 Process Hollowing

TrickBot injects into the svchost.exe process.[1][5][6][8]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

TrickBot used COM to set up a scheduled task for persistence.[12]

Enterprise T1021 .005 Remote Services: VNC

TrickBot has used a VNC module to monitor the victim and collect information in order to pivot to valuable systems on the network.[17][9]

Enterprise T1210 Exploitation of Remote Services

TrickBot utilizes EternalBlue and EternalRomance exploits for lateral movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, tabDll.[12]

Enterprise T1018 Remote System Discovery

TrickBot can enumerate computers and network devices.[8]

Enterprise T1219 Remote Access Software

TrickBot uses its vncDll module to remotely control the victim machine.[12][16]

Enterprise T1041 Exfiltration Over C2 Channel

TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.[8][9]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.[13]

.002 Phishing: Spearphishing Link

TrickBot has been delivered via malicious links in phishing e-mails.[8]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

TrickBot has used a hidden VNC (hVNC) window to monitor the victim and collect information stealthily.[18]

Enterprise T1571 Non-Standard Port

Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[1][2][5] Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443.[9]
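The two port patterns above (plain HTTP on 447 or 8082, and non-TLS data on 443) are both visible to a proxy or egress firewall that records the destination port and the identified protocol. The following detector is an added example, not code from the ATT&CK page or from any of its cited reports; the log line layout (`src=`, `dst=`, `dport=`, `proto=`) and the sample records are constructed for this illustration and the IP addresses are documentation ranges, not real indicators.

```python
"""Flag egress connections matching the TrickBot C2 port patterns described above.
Added example; log format and sample records are constructed assumptions."""
import re
from typing import Dict, List, Optional

# Ports the page attributes to older TrickBot samples carrying HTTP C2 traffic.
TRICKBOT_NONSTANDARD_HTTP_PORTS = {447, 8082}

# Assumed record layout: one connection per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample egress records (documentation addresses, not real IoCs).
SAMPLE_LOG = """\
2024-04-10T12:00:01Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tls
2024-04-10T12:00:02Z src=10.0.0.5 dst=203.0.113.20 dport=447 proto=http
2024-04-10T12:00:03Z src=10.0.0.7 dst=203.0.113.30 dport=8082 proto=http
2024-04-10T12:00:04Z src=10.0.0.9 dst=203.0.113.40 dport=443 proto=http
2024-04-10T12:00:05Z src=10.0.0.9 dst=203.0.113.50 dport=80 proto=http
malformed line that the parser must skip
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields for one record, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Map one parsed record to a detection reason, or None if it looks benign."""
    dport = int(rec["dport"])
    proto = rec["proto"].lower()
    # Pattern 1: cleartext HTTP on the non-standard ports cited on the page.
    if dport in TRICKBOT_NONSTANDARD_HTTP_PORTS and proto == "http":
        return "http-on-nonstandard-port"
    # Pattern 2: port 443 carrying something the sensor did not identify as TLS.
    if dport == 443 and proto != "tls":
        return "non-tls-on-443"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run both checks over a log and return the flagged records with a reason."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed layout
        reason = classify(rec)
        if reason:
            hits.append({**rec, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} {hit['reason']}")
```

The second check depends on the sensor actually performing protocol identification rather than inferring it from the port; if `proto` is just a port-to-name lookup, every 443 connection will be labelled `tls` and that rule never fires. Expect the non-standard port rule to be the lower-noise of the two, since legitimate HTTP on 447 or 8082 is rare on most networks while non-TLS on 443 has some benign sources.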

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TrickBot creates a scheduled task on the system that provides persistence.[1][5][6]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

TrickBot can implant malicious code into a compromised device's firmware.[14]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TrickBot has come with a signed downloader component.[8]

Groups That Use This Software

References

  1. Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021.
  2. Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.
  3. Tudorica, R., Maximciuc, A., Vatamanu, C. (2020, March 18). New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong. Retrieved March 15, 2021.
  4. Ionut Illascu. (2021, July 14). Trickbot updates its VNC module for high-value targets. Retrieved September 10, 2021.
  5. Cybereason Nocturnus. (n.d.). Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk. Retrieved November 28, 2023.
  6. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  7. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  8. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  9. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  10. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  11. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  12. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.