TrickBot is a banking Trojan that can steal financial details, account credentials, and personally identifiable information (PII), as well as spread within a network and drop ransomware, particularly Ryuk.


What is TrickBot malware?

TrickBot (or “TrickLoader”) is a recognized banking Trojan that targets both businesses and consumers for their data, such as banking information, account credentials, personally identifiable information (PII), and even bitcoins. As a highly modular malware, it can adapt to any environment or network it finds itself in.

The many tricks this Trojan has done since its discovery in 2016 are attributed to the creativity and agility of its developers. On top of stealing, TrickBot has been given capabilities to move laterally and gain a foothold within an affected network using exploits, propagate copies of itself via Server Message Block (SMB) shares, drop other malware like Ryuk ransomware, and scout for documents and media files on infected host machines.

How does TrickBot spread?

Like Emotet, TrickBot arrives on affected systems in the form of either embedded URLs or infected attachments in malicious spam (malspam) campaigns.

Once executed, TrickBot spreads laterally within the network by exploiting the SMB vulnerability using any of the three widely known NSA exploits: EternalBlue, EternalRomance, or EternalChampion.

Emotet can also drop TrickBot as part of a secondary infection.

What is the history of TrickBot?

TrickBot started off as a banking information stealer, but nothing about it is simple, even right from the beginning.

When Malwarebytes researchers first found TrickBot in 2016, it already boasted attributes one does not normally see in “simple” credential stealers. Initially, it targeted financial services and users for banking data. It also dropped other malware.

TrickBot has the reputation of being the successor of Dyreza, another credential stealer that first appeared in the wild in 2014. TrickBot shared similarities with Dyreza, such as certain variables with like values and the way TrickBot creators set up the command-and-control (C&C) servers TrickBot communicates with. This has led many researchers to believe that the person or group who created Dyreza also created TrickBot.

In 2017, developers included a worm module in TrickBot, which we believe was inspired by successful ransomware campaigns with worm-like capabilities, such as WannaCry and EternalPetya. The developers also added a module to harvest Outlook credentials. Why Outlook? Hundreds of organizations and millions of individuals worldwide use this webmail service. The range of data TrickBot steals also widened: cookies, browsing history, URLs visited, Flash LSO (Local Shared Objects), and many more.

Although these modules were new at that time, they weren’t coded well.

In 2018, TrickBot continued to exploit the SMB vulnerability. It was also equipped with a module that disables Windows Defender’s real-time monitoring using a PowerShell command. While it had also updated its encryption algorithm, the rest of its module functions stayed the same. TrickBot developers also started protecting their code from being taken apart by security researchers by incorporating obfuscation elements.

At the end of the year, TrickBot was ranked as the top threat against businesses, overtaking Emotet.

TrickBot developers made changes to the Trojan yet again in 2019. Specifically, they changed the way the webinject feature works against the US-based mobile carriers Sprint, Verizon Wireless, and T-Mobile.

Recently, researchers have noted an improvement in this Trojan’s evasion method. Mworm, the module responsible for spreading a copy of itself, was replaced by a new module called Nworm. This new module alters TrickBot’s HTTP traffic, allowing it to run from memory after infecting a domain controller. This ensures that TrickBot doesn’t leave any traces of infection on affected machines.

Who does TrickBot target?

At first, anyone seemed to be a target of TrickBot. But in recent years, its targets appear to have become more specific, such as Outlook or T-Mobile users. At times, TrickBot is found masquerading as tax-themed spam during tax season.

In 2019, researchers from DeepInstinct found a repository of harvested email addresses and/or messenger credentials from millions of users. These belong to users of Gmail, Hotmail, Yahoo, AOL, and MSN.

How can I protect myself from TrickBot?

Learning how TrickBot works is the first step to knowing how organizations and consumers can protect themselves from it. Here are some other things to pay attention to:

  1. Look for possible Indicators of Compromise (IOC) by running tools specifically designed to do this, such as the Farbar Recovery Scan Tool (FRST). Doing this will identify infected machines within the network.
  2. Once machines are identified, isolate infected machines from the network.
  3. Download and apply patches that address the vulnerabilities that TrickBot exploits.
  4. Disable administrative shares.
  5. Change all local and domain administrator passwords.
  6. Protect yourself from a TrickBot infection using a cybersecurity program that has multi-layered protection. Malwarebytes business and premium consumer products detect and block TrickBot in real time.
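As an added example (not code from the original article or from Malwarebytes), the following Python script applies step 1 to constructed Windows event log lines, flagging the two behaviours this page attributes to TrickBot: disabling Defender real-time monitoring through a PowerShell command, and access to administrative SMB shares used for lateral movement. The pipe-delimited log format is an assumed simplification; event IDs 4104 (PowerShell script block), 5001 (Defender real-time protection disabled) and 5140 (network share accessed) are standard Windows event IDs.

```python
import re

# Constructed sample log lines (not real telemetry): "source|event_id|host|detail"
SAMPLE_LOGS = [
    "PowerShell|4104|WS01|Set-MpPreference -DisableRealtimeMonitoring $true",
    "Defender|5001|WS01|Real-time protection is disabled.",
    r"Security|5140|FS01|Share Name: \\*\ADMIN$ Account Name: WS01$ Source Address: 10.0.0.15",
    r"Security|5140|FS01|Share Name: \\*\Public Account Name: alice Source Address: 10.0.0.22",
    "PowerShell|4104|WS02|Get-Process | Where-Object CPU -gt 100",
]

# Each rule: (rule name, log source, event id, optional regex over the detail field).
# Rule names are our own labels, not a vendor taxonomy.
RULES = [
    ("defender_rtp_disabled_cmd", "PowerShell", "4104",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender_rtp_disabled_event", "Defender", "5001", None),
    # Hidden administrative shares: \\*\ADMIN$, \\*\C$, \\*\IPC$
    ("admin_share_access", "Security", "5140",
     re.compile(r"\\\\\*\\(ADMIN|[A-Z]|IPC)\$", re.I)),
]


def parse(line):
    """Split one simplified log line into (source, event_id, host, detail)."""
    src, eid, host, detail = line.split("|", 3)
    return src, eid, host, detail


def match_rules(lines):
    """Return a list of (rule_name, host) for every line that trips a rule."""
    hits = []
    for line in lines:
        src, eid, host, detail = parse(line)
        for name, rsrc, reid, pattern in RULES:
            if src == rsrc and eid == reid and (pattern is None or pattern.search(detail)):
                hits.append((name, host))
    return hits


def hosts_to_isolate(lines):
    """Map each host with at least one hit to the set of rules it tripped (step 2 input)."""
    triage = {}
    for name, host in match_rules(lines):
        triage.setdefault(host, set()).add(name)
    return triage


if __name__ == "__main__":
    for host, rules in sorted(hosts_to_isolate(SAMPLE_LOGS).items()):
        print(f"{host}: isolate and investigate ({', '.join(sorted(rules))})")
```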

How can I remove TrickBot?

TrickBot isn’t perfect, and (as we’ve seen) the developers can get sloppy at times. Importantly, it can be removed. Malwarebytes business solutions can make some of the hard work easier by isolating affected systems, remediating them, and protecting them from future infections of TrickBot and other nasty malware strains.