win.trickbot

TrickBot

aka: Trickster, TheTrick, TrickLoader

Actor(s): WIZARD SPIDER


A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. It has multiple modules, including VNC and a SOCKS5 proxy, and uses SSL for C2 communication.

- Q4 2016 - Detected in the wild
- Oct 2016 - First report
- Jan 2018 - Uses XMRig (Monero) miner
- Feb 2018 - Bitcoin theft
- Mar 2018 - Unfinished ransomware module

Infection Vector
1. Phish > Link to MS Office document > Macro enabled > Downloader > TrickBot
2. Phish > Attached MS Office document > Macro enabled > Downloader > TrickBot
3. Phish > Attached MS Office document > Macro enabled > TrickBot installed

References
https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/
http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html
https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/
http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module
https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre
https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/
http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html
https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer
https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2%80%93-TrickBot-and-Nitol/
https://www.youtube.com/watch?v=KMcSAlS9zGE
https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/
https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html
https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/
https://blog.fraudwatchinternational.com/malware/trickbot-malware-works
https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/
https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms
https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412
https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot
https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html
https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/
https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html
https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf
https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets
https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/
https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html
https://www.cert.pl/en/news/single/detricking-trickbot-loader/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features
https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core
http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot
https://www.youtube.com/watch?v=EdchPEHnohw
https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html
https://www.youtube.com/watch?v=lTywPmZEU1A
http://www.malware-traffic-analysis.net/2018/02/01/
https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf
https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/