Definition

TrickBot malware

Alexander S. Gillis

By

Alexander S. Gillis, Technical Writer and Editor

What is TrickBot malware?

TrickBot is sophisticated modular malware that started as a banking Trojan but has evolved to support many different types of attacks, including ransomware. TrickBot often spreads through phishing campaigns that entice individuals to open malicious attachments or click on links that lead to malicious files.

Cybercriminals originally created TrickBot as a banking Trojan in 2016 to steal financial credentials. Since then, its authors have continuously released new versions of the malware. Because it is modular, attackers can tailor TrickBot to support diverse cybercriminal activities across a variety of IT environments.

Since it first appeared in 2016, TrickBot has consistently ranked among the most dangerous malware strains.

What can TrickBot do?

With its evolution into modular malware, TrickBot has gained greater functionality and adaptability. It is capable of the following:

Credential theft. Stealing a consumer's online banking credentials or an enterprise user's corporate credentials.
Data theft. Exfiltrating an organization's data to attackers' servers.
Persistence. Establishing and maintaining a secret presence in the network, often via a backdoor that enables remote access, to support lateral movement and ongoing illicit activity.
Botnets. Connecting victims' devices to cybercriminals' command and control (C2) servers, for use in illegal botnet activity.
Distribution of other malware. Downloading other malware, such as remote access tools and ransomware.
Reconnaissance. Collecting information about systems and networks for future use.

How to protect against TrickBot

One of the first lines of defense against TrickBot malware is to train users on what to look for when receiving emails with links. Since TrickBot malware is most commonly spread through email, if a user can properly identify a malicious or suspicious email and the following attachment, then the malware won't have a chance to spread. IT departments should train members of their organizations on how to identify potentially malicious emails.

Using antivirus software can also help in the detection of potential attacks on a system. If the attack is successful, the software may also be able to help remove it.

Enabling multifactor authentication can help prevent TrickBot malware from obtaining all of a user's credentials. Even if an attack is successful, the attackers won't have all the pieces needed to be fully authenticated by a system.

How to detect a TrickBot attack

Typically, users will not notice an attack on their system. A network administrator, however, may notice changes in traffic or an attempt to access unfamiliar IP addresses. This unfamiliar IP address would be the TrickBot malware reaching out to communicate with C2 servers.

Another way to identify a TrickBot attack is with antivirus software, which can look for indicators of compromise across an organization's endpoint devices, systems and networks. Sometimes, however, TrickBot may successfully disable antivirus tools.

How to remove TrickBot infections

Users can remove a TrickBot infection manually or through the use of antivirus software designed to be able to remove this type of malware. Experts typically recommend relying on antivirus software to remove a TrickBot malware infection since manual removal can be complicated.

Generally, to remove TrickBot malware, the infected machines need to first be identified and disconnected from the network. Administrative shares should be disabled, and then the Trojan can be removed. Exact requirements differ on a case-by-case basis. After the malware is removed, account credentials and passwords should be changed.

Who does TrickBot malware affect?

TrickBot is mainly a threat to small, medium and large corporate entities, although cybercriminals may use it to target individual consumers as well.

The United States government has indicated concern over the potential for TrickBot and other ransomware attacks to disrupt elections. Adversaries could use them to target voter-roll systems, with the aim of sowing distrust in the electoral system.

Cybercriminals have also used TrickBot to target many other sectors, such as healthcare. In these cases, the malware is often used to inject ransomware for financial gain.

In 2020, a private-sector coalition led by Microsoft disrupted the TrickBot infrastructure, using a court order combined with technical action, which telecommunications providers around the world helped execute. These actions successfully cut TrickBot operators off from key infrastructure. But the resulting TrickBot reprieve did not last long, with researchers soon reporting a resurgence in the malware's activity.

Who uses TrickBot malware?

Singular cybercriminals, organized cybercriminal groups and nation-state hackers can all use TrickBot malware. Generally, attackers who use TrickBot malware are financially motivated.

Anatomy of a TrickBot attack

TrickBot malware spreads through malicious spam email campaigns with infected attachments and embedded URLs. It can also spread through an attack on Server Message Block (SMB). SMB is a client-server communication protocol used to share access to network resources, such as files, printers and serial ports.

The typical construction of TrickBot malware includes a wrapper, loader and malware module. The wrapper is designed to evade detection by using multiple templates that change constantly. The main code for the malware stays the same, but the wrapper changes. The wrapper, when run, will start the loader. The loader is in charge of running the main malware module. Depending on its construction, the loader will decrypt functions before running them and then encrypt them back after. The main malware module creates a scheduled task and decrypts configuration files. The main malware module also has the ability to make a Hypertext Transfer Protocol Secure connection to a C2 server. This connection enables the malware to download more modules from that server, as well as enabling the monitoring of downloaded modules and communication between modules. TrickBot malware uses C2 servers to evade network filtering configurations. A BAT file performs reconnaissance commands in order to find domain admins on the network.

Attackers can use a variety of modules to accomplish different tasks.

TrickBot malware send data, such as domain names and IP ranges, back to the attackers. In addition, malicious hackers can leave multiple entry points on the network for injecting additional malware in the future.

TrickBot malware has also evolved to target firmware. Called TrickBoot, it is capable of inspecting the Unified Extensible Firmware Interface and BIOS firmware of targeted systems. Using that functionality, attackers can search for vulnerabilities that will enable them to essentially take over the firmware of a device, as well as read, write or delete data.

This was last updated in April 2023

Continue Reading About TrickBot malware

10 common types of malware attacks and how to prevent them

U.S., U.K. hit TrickBot cybercrime gang with sanctions

Top 14 ransomware targets in 2023 and beyond

4 types of ransomware and a timeline of attack examples

Dig Deeper on Data security and privacy

Networking

Top 5 use cases for 5G augmented and virtual reality
By integrating augmented and virtual reality technologies with 5G, several industries could reap significant benefits. But beware...
Palo Alto Networks SASE Converge updates boost security, UX
With the announcement of its latest SASE portfolio updates and the acquisition of Talon, Palo Alto Networks connects the dots ...
5G Advanced features include accurate timing, AI support
5G Advanced is the latest 5G specification, aiming to deliver enhanced massive MIMO, 5G integration with AI and accurate location...

CIO

8 blockchain security risks to weigh before adoption
Blockchain and smart contracts have their own unique vulnerabilities. But poor code testing, cryptographic keys and generic ...
How AI is radically changing business process management
Deploying AI's discovery and automation capabilities in BPM powers advancements in front-office processes, process data analysis,...
Former OpenAI CEO gains strong legal backing with Microsoft
Should ousted OpenAI CEO Sam Altman be involved in any federal investigations going forward, he now has the legal backing of ...

Enterprise Desktop

The 6 best rugged computers for business use cases
Finding the right device for a business scenario can be challenging, and adding rugged conditions to the mix can complicate ...
What IT admins and office workers get in MS 365 Copilot
Microsoft 365's Copilot assistive AI features come with a big price tag, but experts are bullish that they could return the ...
Observations from the intersection of UCC and EUC
End-user computing tends to overlap with numerous other business technologies, such as cloud computing, security and mobility. ...

Cloud Computing

Evaluate serverless computing best practices
Serverless computing strategies require enterprises to evaluate tools, features and costs, while understanding application ...
Hybrid cloud connectivity best practices and considerations
Private and public clouds stress networks in different ways and don't always play well together. Here's what to know to set up a ...
Use resource tagging to optimize cloud costs
When it comes to cost management in cloud computing, tags and additional metadata can help with reporting, allocation and ...

ComputerWeekly.com

The all-flash datacentre: Mirage or imminent reality?
Some say disk is dead and we’re on the cusp of the all-flash datacentre. But when will flash capacity and cost hit a point where ...
Prepare for your worst day: How to create a cyber incident response plan
What goes into a good incident response plan, and what steps should security professionals take to ensure they are appropriately ...
AWS debuts model evaluation tool in Bedrock
The Model Evaluation tool in Bedrock will help organisations evaluate and test large language models that are best suited to ...

Close