TrickBot malware

What is TrickBot malware?

TrickBot is sophisticated modular malware that started as a banking Trojan but has evolved to support many different types of attacks, including ransomware. TrickBot often spreads through phishing campaigns that entice individuals to open malicious attachments or click on links that lead to malicious files.

Cybercriminals originally created TrickBot as a banking Trojan in 2016 to steal financial credentials. Since then, its authors have continuously released new versions of the malware. Because it is modular, attackers can tailor TrickBot to support diverse cybercriminal activities across a variety of IT environments.

Since it first appeared in 2016, TrickBot has consistently ranked among the most dangerous malware strains.

What can TrickBot do?

With its evolution into modular malware, TrickBot has gained greater functionality and adaptability. It is capable of the following:

  • Credential theft. Stealing a consumer's online banking credentials or an enterprise user's corporate credentials.
  • Data theft. Exfiltrating an organization's data to attackers' servers.
  • Persistence. Establishing and maintaining a secret presence in the network, often via a backdoor that enables remote access, to support lateral movement and ongoing illicit activity.
  • Botnets. Connecting victims' devices to cybercriminals' command and control (C2) servers, for use in illegal botnet activity.
  • Distribution of other malware. Downloading other malware, such as remote access tools and ransomware.
  • Reconnaissance. Collecting information about systems and networks for future use.

How to protect against TrickBot

One of the first lines of defense against TrickBot malware is to train users on what to look for when receiving emails with links or attachments. Since TrickBot malware is most commonly spread through email, if a user can properly identify a malicious or suspicious email and its accompanying attachment, the malware won't have a chance to spread. IT departments should train members of their organizations on how to identify potentially malicious emails.

Using antivirus software can also help in the detection of potential attacks on a system. If the attack is successful, the software may also be able to help remove it.

Enabling multifactor authentication can help prevent TrickBot malware from obtaining all of a user's credentials. Even if an attack is successful, the attackers won't have all the pieces needed to be fully authenticated by a system.

How to detect a TrickBot attack

Typically, users will not notice an attack on their system. A network administrator, however, may notice changes in traffic or an attempt to access unfamiliar IP addresses. This unfamiliar IP address would be the TrickBot malware reaching out to communicate with C2 servers.

Another way to identify a TrickBot attack is with antivirus software, which can look for indicators of compromise across an organization's endpoint devices, systems and networks. Sometimes, however, TrickBot may successfully disable antivirus tools.
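One way to act on the network-traffic observation above is to review firewall or proxy exports for hosts contacting IP addresses outside a known-good allowlist, and for the periodic HTTPS check-ins that a C2 channel produces. The script below is an added example, not part of the original article: the log format, the allowlist ranges, the beacon thresholds and the log lines themselves are all constructed assumptions.

```python
# Added example (not from the article): flag outbound connections to unfamiliar
# IPs and periodic HTTPS check-ins that look like C2 beaconing. Assumptions: log
# format, allowlist and thresholds; the log lines below are constructed.
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed firewall export: timestamp, source host, destination IP, dest port.
SAMPLE_LOG = """\
2023-04-03T09:00:00 ws-finance-07 203.0.113.10 443
2023-04-03T09:00:05 ws-finance-07 198.51.100.5 443
2023-04-03T09:05:05 ws-finance-07 198.51.100.5 443
2023-04-03T09:10:05 ws-finance-07 198.51.100.5 443
2023-04-03T09:15:05 ws-finance-07 198.51.100.5 443
2023-04-03T09:02:00 ws-hr-02 203.0.113.10 443
2023-04-03T09:03:00 ws-hr-02 192.168.10.20 445
"""
# Assumed allowlist: internal ranges plus known-good external services.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "203.0.113.0/24")]

def parse_log(text):
    """Yield (timestamp, host, dest_ip, port) for each non-empty line."""
    for line in text.splitlines():
        ts, host, dst, port = line.split()
        yield datetime.fromisoformat(ts), host, ipaddress.ip_address(dst), int(port)

def unfamiliar_destinations(text):
    """Map each host to the destination IPs it contacted outside the allowlist."""
    hits = defaultdict(set)
    for _, host, dst, _ in parse_log(text):
        if not any(dst in net for net in ALLOWED):
            hits[host].add(str(dst))
    return {h: sorted(d) for h, d in hits.items()}

def beaconing(text, min_hits=4, jitter=0.1):
    """Return (host, dest) pairs with >= min_hits HTTPS connections at
    near-constant intervals (every gap within jitter*mean of the mean)."""
    per_pair = defaultdict(list)
    for ts, host, dst, port in parse_log(text):
        if port == 443:
            per_pair[(host, str(dst))].append(ts)
    found = []
    for pair, times in sorted(per_pair.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            found.append(pair)
    return found
```

On the constructed data, ws-finance-07 is the only host reaching an address outside the allowlist, and its five-minute check-ins to that address are what the beaconing check surfaces; real exports need the allowlist tuned to the organization's own traffic before the output is useful.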

How to remove TrickBot infections

Users can remove a TrickBot infection manually or through the use of antivirus software designed to be able to remove this type of malware. Experts typically recommend relying on antivirus software to remove a TrickBot malware infection since manual removal can be complicated.

Generally, to remove TrickBot malware, the infected machines need to first be identified and disconnected from the network. Administrative shares should be disabled, and then the Trojan can be removed. Exact requirements differ on a case-by-case basis. After the malware is removed, account credentials and passwords should be changed.

Who does TrickBot malware affect?

TrickBot is mainly a threat to small, medium and large corporate entities, although cybercriminals may use it to target individual consumers as well.

The United States government has indicated concern over the potential for TrickBot and other ransomware attacks to disrupt elections. Adversaries could use them to target voter-roll systems, with the aim of sowing distrust in the electoral system.

Cybercriminals have also used TrickBot to target many other sectors, such as healthcare. In these cases, the malware is often used to inject ransomware for financial gain.

In 2020, a private-sector coalition led by Microsoft disrupted the TrickBot infrastructure, using a court order combined with technical action, which telecommunications providers around the world helped execute. These actions successfully cut TrickBot operators off from key infrastructure. But the respite was short-lived, with researchers soon reporting a resurgence in the malware's activity.

Who uses TrickBot malware?

Individual cybercriminals, organized cybercriminal groups and nation-state hackers can all use TrickBot malware. Generally, attackers who use TrickBot malware are financially motivated.

Anatomy of a TrickBot attack

TrickBot malware spreads through malicious spam email campaigns with infected attachments and embedded URLs. It can also spread through an attack on Server Message Block (SMB). SMB is a client-server communication protocol used to share access to network resources, such as files, printers and serial ports.

The typical construction of TrickBot malware includes a wrapper, a loader and the main malware module. The wrapper is designed to evade detection by using multiple templates that change constantly: the main code of the malware stays the same, but the wrapper around it changes. When run, the wrapper starts the loader, which is in charge of running the main malware module. Depending on its construction, the loader decrypts functions before running them and re-encrypts them afterward.

The main malware module creates a scheduled task and decrypts configuration files. It can also make an HTTPS (Hypertext Transfer Protocol Secure) connection to a C2 server. This connection enables the malware to download more modules from that server, as well as enabling the monitoring of downloaded modules and communication between modules. TrickBot malware uses C2 servers to evade network filtering configurations. A BAT file runs reconnaissance commands in order to find domain admins on the network.

Attackers can use a variety of modules to accomplish different tasks.

TrickBot malware sends data, such as domain names and IP ranges, back to the attackers. In addition, malicious hackers can leave multiple entry points on the network for injecting additional malware in the future.

TrickBot malware has also evolved to target firmware. Called TrickBoot, this component is capable of inspecting the Unified Extensible Firmware Interface (UEFI) and BIOS firmware of targeted systems. Using that functionality, attackers can search for vulnerabilities that will enable them to essentially take over the firmware of a device, as well as read, write or delete data.

This was last updated in April 2023
