TrickBot is a banking Trojan designed to steal financial information from the computers it infects. Many of its features were inspired by another banking Trojan, Dyreza. TrickBot was also one of the first malicious programs able to steal data from Bitcoin wallets.

The numerous tricks this Trojan has performed since its discovery in 2016 are attributed to the creativity and agility of its developers. In addition to stealing data, TrickBot has gained the ability to move laterally and entrench itself within an affected network using exploits, spread copies of itself via Server Message Block (SMB) shares, remove other malware such as Ryuk ransomware, and search for documents and media files on infected host machines.

This threat has an email-based propagation module known as TrickBooster, which runs once the threat is installed on the computer. It sends emails from the compromised accounts and then deletes the sent messages from both the outbox and the sent items folder to avoid detection. TrickBot is also commonly distributed through spear-phishing attacks and can exploit vulnerabilities in the Windows SMB protocol to spread rapidly to other computers on the local network.

TrickBot uses a modular approach that lets attackers quickly add functionality to the base Trojan as needed once a machine is infected. Attackers use these modules to add a variety of capabilities and new attack vectors. The modules are downloaded from a Command and Control (C2) server to the infected machine in the form of DLL files together with a configuration file. These C2 servers are generally hosted on hijacked routers and change constantly, since updated lists of C2 servers are pushed to TrickBot-infected machines, which makes IP blocking rules and similar mitigation techniques difficult to apply.

TrickBot’s modular framework enables custom payloads that meet the specific requirements of an attack. This makes the threat a dangerous and adaptable tool for attackers while remaining relatively stealthy, because unnecessary modules are simply not included. The threat evolves very quickly because its modules add functionality and flexibility to the malware.



One comment on «Trickbot malware that steals banking credentials»
