TrickBot
June 2, 2022
Topics
- advanced persistent threat
- Ransomware
- Malware
TrickBot is a modular banking trojan that has been used in attacks against financial institutions and many other industries. The group that develops and operates it is tracked under names including Wizard Spider, UNC1778 and Gold Blackburn; those are names for the operators, not alternative names for the malware itself. TrickBot first appeared in 2016 and is widely regarded as the successor to Dyreza (Dyre): the two share code features such as variable names, which suggests common authorship.
Although it was originally built to steal banking credentials, it has grown into a full Malware-as-a-Service (MaaS) platform. In 2017 it gained a worm module for self-propagation and a module that harvests Outlook credentials. In 2018 it gained the ability to disable Microsoft Defender by running a PowerShell command (the Set-MpPreference cmdlet, which can switch off real-time monitoring), and its encryption was updated, making the malware harder to analyze. In 2019 its web-inject capability was updated to target customers of US mobile carriers. Its propagation has also become stealthier: the original spreading module, mworm, was replaced by nworm, which runs from memory on the newly infected host and so leaves no copy of itself on that host's disk.
TrickBot is spread like most trojans, through spear-phishing emails. These either carry a malicious document directly or contain a link to a website hosting malicious JavaScript that downloads TrickBot from the attacker's infrastructure. A specific example is the group TA551, which sent emails with a password-protected .zip archive (the password is given in the email so the recipient can open it while mail scanners cannot) containing a malicious Word document. When the document is opened, its macros drop an .HTA file on the system, which runs under mshta.exe and downloads the TrickBot payload from a remote server.
After the initial compromise, TrickBot profiles the host and the domain using built-in Windows utilities (for example nltest, net and ipconfig) and looks for ways to spread within the network. It sends this reconnaissance data, together with harvested credentials and other sensitive data, to a dedicated command-and-control (C2) server. In its modern role TrickBot is less a bank-fraud tool than an initial-access loader: once it has a foothold it retrieves and runs further payloads. It is known to deploy Cobalt Strike for lateral movement and, as the final stage of many intrusions, ransomware (Ryuk and later Conti).
Because it is an initial-access tool, the best defence is to detect and remove it early, before the follow-on payloads are deployed. To keep it out, users should treat unexpected emails with vague subjects and attachments from unknown senders with suspicion, and macros in documents from untrusted sources should stay disabled. Organizations should also run 24/7 monitoring with SIEM and EDR tooling so that an infection which does get through is caught on the host before it is escalated. The behaviours described above, an Office application spawning a script host, PowerShell turning off Defender, and a burst of domain reconnaissance commands, are all visible in ordinary process-creation telemetry and are worth alerting on regardless of which loader produced them.
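The following is an added example, not code from the original article or from any vendor, showing the kind of SIEM/EDR detection logic the paragraph above refers to. It runs three rules over Sysmon-style process-creation events: an Office application spawning a script host (the macro-to-HTA step), PowerShell invoking Set-MpPreference with a Defender kill switch, and a burst of distinct discovery commands from one host inside a short window. The log lines are constructed for this example (host names, user paths, file names and timestamps are invented), and the rule names, the five-minute window and the threshold of three commands are assumptions to be tuned for a real estate.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry, not real logs: Sysmon-style process-creation
# records (one JSON object per line). Host WS01 replays the chain in the text:
# Word drops an HTA, mshta.exe loads the bot, PowerShell turns off Defender,
# then a burst of domain reconnaissance. Host WS02 is benign noise.
SAMPLE_EVENTS = r"""
{"ts": "2022-06-02T09:00:01", "host": "WS01", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmd": "WINWORD.EXE invoice_4471.doc"}
{"ts": "2022-06-02T09:00:09", "host": "WS01", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\mshta.exe", "cmd": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\note.hta"}
{"ts": "2022-06-02T09:00:15", "host": "WS01", "parent": "C:\\Windows\\System32\\mshta.exe", "image": "C:\\Windows\\System32\\rundll32.exe", "cmd": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll,DllRegisterServer"}
{"ts": "2022-06-02T09:01:30", "host": "WS01", "parent": "C:\\Windows\\System32\\rundll32.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"}
{"ts": "2022-06-02T09:02:00", "host": "WS01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmd": "ipconfig /all"}
{"ts": "2022-06-02T09:02:02", "host": "WS01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\nltest.exe", "cmd": "nltest /domain_trusts /all_trusts"}
{"ts": "2022-06-02T09:02:05", "host": "WS01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmd": "net group \"domain admins\" /domain"}
{"ts": "2022-06-02T09:02:07", "host": "WS01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmd": "net view /all /domain"}
{"ts": "2022-06-02T10:15:00", "host": "WS02", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmd": "WINWORD.EXE report.docx"}
{"ts": "2022-06-02T10:20:00", "host": "WS02", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmd": "ipconfig /all"}
"""

# Rule parameters (assumed values chosen for this example; tune to your estate).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
DISCOVERY_TOOLS = {"nltest.exe", "net.exe", "net1.exe", "ipconfig.exe",
                   "systeminfo.exe", "whoami.exe"}
DEFENDER_SWITCHES = ("-disablerealtimemonitoring", "-disableioavprotection",
                     "-disablebehaviormonitoring", "-disableblockatfirstseen")
DISCOVERY_WINDOW = timedelta(minutes=5)
DISCOVERY_THRESHOLD = 3  # distinct discovery commands per host per window


def basename(path):
    """Lower-cased file name of a Windows path, so rules match on names only."""
    return PureWindowsPath(path).name.lower()


def parse_events(text):
    """Parse JSON-lines telemetry into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["parent_name"] = basename(ev["parent"])
        ev["image_name"] = basename(ev["image"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def alert(rule, ev, evidence=None):
    return {"rule": rule, "host": ev["host"], "ts": ev["ts"].isoformat(),
            "evidence": evidence if evidence is not None else ev["cmd"]}


def is_office_spawning_script_host(ev):
    """Macro execution: an Office process starting a script or LOLBin host."""
    return ev["parent_name"] in OFFICE_APPS and ev["image_name"] in SCRIPT_HOSTS


def is_defender_tamper(ev):
    """PowerShell Set-MpPreference used to switch off a Defender protection."""
    cmd = ev["cmd"].lower()
    return (ev["image_name"] == "powershell.exe" and "set-mppreference" in cmd
            and any(switch in cmd for switch in DEFENDER_SWITCHES))


def discovery_bursts(events):
    """One alert per host that runs >= DISCOVERY_THRESHOLD distinct discovery
    commands inside DISCOVERY_WINDOW (sliding window over time-sorted events)."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["image_name"] in DISCOVERY_TOOLS:
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= DISCOVERY_WINDOW]
            cmds = sorted({e["cmd"].lower() for e in window})
            if len(cmds) >= DISCOVERY_THRESHOLD:
                alerts.append(alert("discovery_burst", start, cmds))
                break  # the first qualifying window is enough for triage
    return alerts


def detect(text):
    """Run all three rules over JSON-lines telemetry and return the alerts."""
    events = parse_events(text)
    alerts = []
    for ev in events:
        if is_office_spawning_script_host(ev):
            alerts.append(alert("office_spawns_script_host", ev))
        if is_defender_tamper(ev):
            alerts.append(alert("defender_tamper", ev))
    alerts.extend(discovery_bursts(events))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']} {a['rule']}: {a['evidence']}")
```

Run against the sample, WS01 raises all three alerts and WS02 raises none: a user opening a document and later running a single `ipconfig /all` does not cross the discovery threshold. The first two rules are single-event matches and translate directly into SIEM correlation rules or EDR custom detections; the third needs the per-host sliding window, which is where most false positives hide, so the window and threshold should be set from a baseline of what administrators on the estate actually do.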