
TrickBot (also known as TrickLoader, Trickster, TheTrick, Totbrick and TSPY_TRICKLOAD) is a pervasive, semi-modular banking trojan that has been observed since mid-2016. The malware appears to owe its heritage to the Dyre (aka Dyreza) malware. Its primary function is capturing victims' consumer financial credentials; however, it has also expanded its capabilities to include capturing credentials for wealth management firms, and even data that allows it to carry out so-called 'SIM-swapping' attacks.
It is also of note that TrickBot has been observed dropping additional payloads, especially ransomware, including Ryuk and GlobeImposter.
On 04 June 2021 a Latvian national was charged by the US Department of Justice for his role in the TrickBot malware operation.
TrickBot targeting is often very broad, aligned to potential victims in regions whose financial institutions TrickBot supports.
The malware is almost exclusively delivered through various phishing campaigns. The typical delivery mechanism is malicious documents ('maldocs') which either download the malware directly or download another malware family that serves as a downloader (historically TrickBot has used the RIG Exploit Kit (RIGEK) and the Necurs botnet, but more recently it has relied heavily on Emotet for delivery). Note, however, that TrickBot has also been delivered through malicious scripts which are zipped and attached to the email.
Upon initial execution, TrickBot determines whether it is running from the %APPDATA% (Windows Vista and above) or %Application Data% (Windows XP) folder. If it determines it is being run from another folder, it copies itself into the appropriate folder for the operating system.
The malware then performs several checks to determine whether it is located in an analysis environment: registry checks to determine if the version of Windows is an evaluation version, checks against the username and hostname, and checks to determine if it has been executed in a virtual environment.
TrickBot has been observed using scheduled jobs as a means of persistence.
Modules for the malware have been observed being stored in subdirectories directly within %APPDATA%, or under the same subdirectory into which TrickBot installs itself.
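As an added hunting example (not part of this page or of Intel 471's Hunt Packages), the check below parses a constructed `schtasks /query /fo CSV /v` style export and flags scheduled tasks whose action runs from the %APPDATA% (Vista+) or %Application Data% (XP) locations described above. The column names are assumed to match the verbose schtasks export; every row in the sample is constructed.

```python
import csv
import io
import re

# Constructed sample of a verbose schtasks CSV export (not real data).
# Only the columns this check reads are kept; a real export has more.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM"
"\OfficeUpdate","C:\Users\alice\AppData\Roaming\winsys\update.exe","alice"
"\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","alice"
"\sysnet","C:\Documents and Settings\bob\Application Data\sysnet.exe","bob"
'''

# %APPDATA% resolves to ...\AppData\Roaming\ on Vista and later, and
# %Application Data% to ...\Application Data\ on Windows XP. The literal
# environment variable is matched too, since task actions may keep it unexpanded.
APPDATA_PATTERN = re.compile(
    r"(?i)(%APPDATA%|\\AppData\\Roaming\\|\\Application Data\\)"
)


def is_appdata_path(command: str) -> bool:
    """True if the task action points into a per-user AppData location."""
    return bool(APPDATA_PATTERN.search(command))


def find_appdata_tasks(csv_text: str) -> list:
    """Return the scheduled tasks whose action runs from AppData.

    Hits are leads for triage, not verdicts: some legitimate per-user
    installers also place binaries under AppData\\Roaming, so compare each
    hit against the known-good software inventory before escalating.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row["Task To Run"]
        if is_appdata_path(command):
            hits.append({
                "task": row["TaskName"],
                "command": command,
                "user": row["Run As User"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_appdata_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['user']}: {hit['task']} -> {hit['command']}")
```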
TrickBot analysis has revealed several modules which are available:
TrickBot Hunt Packages