A TrickBot is malware designed to steal banking information. In 2016, cybercriminals created TrickBot Trojans to steal the banking credentials of unsuspecting victims. The malware is typically spread through email campaigns that entice an individual to open a malicious file attachment or click on a link that leads to a malicious file.
TrickBots are concerning because malware authors have continuously released new, modular versions of the malware that can be distributed through botnets. In March 2020, BitSight researchers found that home office networks were 3.5 times more likely than corporate networks to have a malware infection, and TrickBot malware was observed at least 3.75 times more frequently on home office networks.
What can TrickBots do?
What makes this banking Trojan worrisome is that it has evolved since its conception to be modular and expand its possible functions. These functions can include the following:
- Credential theft. Stealing an individual's online credentials for banking services.
- Elevating privileges. Spying on targets to collect system and network information and to gain access to domain controllers, login credentials and email accounts.
- Installing backdoors to systems. Enabling a system to be accessed remotely as part of a botnet.
- Downloading other malware. TrickBot malware can often download, or be downloaded by, other malware such as Emotet.
- Modifying itself to avoid detection. Because of its modularity, each instance of the TrickBot malware could be different. Individual cybercriminals could customize the malware, making it more effective. For example, hackers have added support to create backdoors in PowerShell, an automation engine and scripting language.
How to protect against TrickBots
One of the first lines of defense against TrickBot malware is to train users on what to look for when receiving emails with links. Since TrickBot malware is most commonly spread through email, if a user can properly identify a malicious or suspicious email and its accompanying attachment, the malware never gets opened. Information technology (IT) departments should help train members of their organization to identify potentially malicious emails.
Using antivirus software can also help detect potential attacks on a system. If an attack is successful, the software may also be able to help remove the infection.
Enabling multifactor authentication (MFA) can help prevent TrickBot malware from obtaining all of a user's credentials. Even if an attack is successful, the attackers won't have all the pieces needed to be fully authenticated by a system.
How to detect a TrickBot attack
Typically, users will not notice an attack on their system. A network administrator, however, may notice changes in traffic or attempts to reach unfamiliar Internet Protocol (IP) addresses. Such an unfamiliar address may be the TrickBot malware reaching out to its command and control (C2) servers.
Another effective way of identifying a TrickBot attack is to employ antivirus software, which provides additional insight into an organization's endpoint devices, systems and networks. Some tools, such as Malwarebytes, offer features that look for possible signs of compromise by TrickBot, called indicators of compromise (IoCs). In the case of Malwarebytes, the Farbar Recovery Scan Tool (FRST) can look for these indicators.
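The "unfamiliar IP address" signal described above can be turned into a simple detection: compare each host's outbound destinations against a baseline period and flag new destinations, then check whether the new contacts recur at a regular interval, as a beacon to a C2 server would. This is an added example, not code from the original article; the log format and all addresses are constructed (RFC 5737 documentation ranges).

```python
"""Flag outbound connections to destinations absent from a per-host baseline.
Added example; the flow-log format ("epoch src_ip dst_ip dst_port") is constructed."""
from collections import defaultdict
from statistics import pstdev

# Constructed baseline: a day of normal traffic for two workstations.
BASELINE_LOG = """\
1600000000 10.0.0.5 203.0.113.10 443
1600000010 10.0.0.5 192.0.2.10 443
1600000020 10.0.0.7 203.0.113.10 443
"""

# Constructed later traffic: 10.0.0.5 starts contacting a new address every 500 s.
NEW_LOG = """\
1600086400 10.0.0.5 203.0.113.10 443
1600086405 10.0.0.5 198.51.100.23 443
1600086905 10.0.0.5 198.51.100.23 443
1600087405 10.0.0.5 198.51.100.23 443
1600087905 10.0.0.5 198.51.100.23 443
1600086410 10.0.0.7 203.0.113.10 443
"""

def parse(log):
    """Split the constructed flow log into (timestamp, src, dst, port) tuples."""
    rows = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            rows.append((int(ts), src, dst, int(port)))
    return rows

def known_destinations(baseline_rows):
    """Build the per-host set of destinations seen during the baseline period."""
    seen = defaultdict(set)
    for _, src, dst, _ in baseline_rows:
        seen[src].add(dst)
    return seen

def find_unfamiliar(baseline_log, new_log, min_hits=3, jitter=0.2):
    """Return one alert per (host, new destination); 'periodic' is True when the
    contacts repeat at a near-constant interval (std dev within `jitter` of mean)."""
    seen = known_destinations(parse(baseline_log))
    contacts = defaultdict(list)
    for ts, src, dst, _ in parse(new_log):
        if dst not in seen[src]:
            contacts[(src, dst)].append(ts)
    alerts = []
    for (src, dst), times in contacts.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        periodic = len(times) >= max(min_hits, 2) and pstdev(gaps) <= jitter * (sum(gaps) / len(gaps))
        alerts.append({"src": src, "dst": dst, "hits": len(times), "periodic": periodic})
    return alerts
```

On the constructed data this yields a single alert for 10.0.0.5 contacting 198.51.100.23 four times at a fixed interval, while 10.0.0.7 (only baseline destinations) produces none.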
How to remove TrickBots
Users can remove a TrickBot infection manually or with antivirus software designed to remove this type of malware. Using antivirus software is recommended, since manual removal can be complicated.
Generally, to remove TrickBot malware, the infected machines need to first be identified and disconnected from the network. Administrative shares should be disabled, and then the Trojan can be removed. What needs to be done exactly may differ per attack. After the malware is removed, account credentials and passwords should be changed.
Software that can be used to remove TrickBot malware includes Malwarebytes or SpyHunter 5.
Who do TrickBots affect?
TrickBots are mainly a threat to small, medium and large corporate entities. However, they can also be a threat to individuals. Banking credentials and emails can be compromised, and access can be gained to a user's system and network.
In addition, the type of victim targeted can change. In the past, nation-states went only after specific, precise targets. Now they can also cast a wide net, going after anyone already in the TrickBot botnet.
The United States government has indicated that TrickBot attacks are a large worry concerning elections. The idea is that adversaries could use ransomware attacks initially caused by TrickBot malware to target a system used to maintain voter rolls. They could then stop those systems at a crucial time, which could cause distrust in the system.
In broader attacks, the sophistication level is low. However, on one single day in November 2020, up to 40,000 active, fully compromised devices were observed.
TrickBots have also been used to target the healthcare and public health sectors. In this case, TrickBot malware is used to inject ransomware for financial gain. This has led to an increased threat to U.S. hospitals and healthcare providers.
Microsoft has recently made an attempt to take action against TrickBot malware. It managed to disrupt TrickBots with a court order combined with technical action executed with the help from telecommunications providers around the world. These actions cut off key infrastructure needed for those operating TrickBots.
Who uses TrickBots?
Individual cybercriminals and cybercriminal groups can both use TrickBot malware, as can nation-state hackers. Cybercriminal groups can benefit from the TrickBoot module by maintaining persistent access to a victim's network. The idea is to use TrickBot malware to inject ransomware. The attackers then demand money from the victim in return for removing any backdoors they placed in the system. However, if the attack reached the firmware, they could still retain access. Attackers could also sell backdoor access to a third party or threaten the organization again in the future.
Generally, attackers who use TrickBot malware are motivated financially.
Anatomy of a TrickBot attack
TrickBot malware will spread through malicious spam email campaigns with infected attachments and embedded URLs. It can also be spread through an attack on Server Message Block (SMB). SMB is a client-server communication protocol used to share access to network resources, such as files, printers and serial ports.
The typical construction of TrickBot malware includes a wrapper, a loader and a malware module. The wrapper is designed to evade detection by using multiple templates that change constantly; the main code of the malware stays the same, but the wrapper changes. When run, the wrapper starts the loader. The loader is in charge of running the main malware module. Depending on its construction, the loader decrypts functions before running them and re-encrypts them afterward. The main malware module creates a scheduled task and decrypts configuration files. It can also make a Hypertext Transfer Protocol Secure (HTTPS) connection to a C2 server. This connection enables the malware to download more modules from that server, and it supports the monitoring of downloaded modules and communication between modules. TrickBot malware uses C2 servers to evade network filtering configurations. A BAT file performs reconnaissance commands in order to find domain admins on the network.
A variety of modules can be used, all with different main tasks.
TrickBot malware will send data back to the attackers. Domain names and IP ranges are examples of the data that can be sent. In addition, multiple entry points can be left on the network to inject additional malware in the future.
TrickBot malware has also evolved to target firmware. Called TrickBoot, it is capable of inspecting the Unified Extensible Firmware Interface (UEFI) and basic input/output system (BIOS) firmware of targeted systems. Using that functionality, attackers can search for vulnerabilities that will enable them to essentially take over the firmware of a device, as well as read, write or delete data.