TrickBot

TrickBot is a banking trojan that deploys advanced browser manipulation techniques, server-side injections and redirection attacks. TrickBot was considered a true banking trojan in October 2016 when it implemented web injection capabilities. The trojan’s primary targets are business accounts. TrickBot originally targeted Australian banks, one Canadian bank, and regional US banks through a regular expression (RegEx) URL for a digital banking platform. Since adding the two new configurations in November 2016, the malware has targeted personal and business banking websites of financial institutions in the United Kingdom, Australia, New Zealand, Canada, and Germany, including redirection attacks – an advanced method to manipulate what victims see in their browsers – against four banks in the UK. Additionally, TrickBot has been spread using the RIG exploit kit through malvertising, by email attachments claiming to be a fax message, and by infected Microsoft Office macros using the Godzilla loader. IBM Security Intelligence researchers believe TrickBot’s operations are likely connected to the Cutwail botnet’s malware and it uses the same crypter as Vawtrak, Pushdo, and Cutwail. The trojan is very similar to the Dyre trojan which also used the Cutwail botnet as one of its distribution methods.

Reporting

  • November 2016: TrickBot activity rises with redirection attacks in the United Kingdom. (IBM Security Intelligence)

  • April 2017: TrickBot added new redirection attacks focused on a list of private banking firms. Activity also increased to five campaigns in April, mainly targeting Australian, New Zealand, and U.K. companies. (IBM Security Intelligence)

  • June 2017: Increasingly used in campaigns targeting e-banking apps, PayPal accounts, and business customer relationship management (CRMs). (BleepingComputer)

  • July 2017: A new, Necurs botnet-powered Trickbot spam campaign is infecting customers of financial institutions in the U.S., U.K., New Zealand, France, Australia, Norway, Swedish, Iceland, Finland, Canada, Italy, Spain, Switzerland, Luxembourg, Belgium, Singapore, and Denmark. (Flashpoint)

  • July 2017: TrickBot added a self-spreading capability via a new SMB worm module that allows the trojan to propagate to nearby devices on the same network. (Flashpoint)

  • August 2017: Researchers at Cyren discovered a new TrickBot phishing campaign targeting Lloyds Bank customers. The trojan redirects victims to a fake login page that's indistinguishable from Lloyds' legitimate site and displays the correct URL and SSL certificate. (Cyren)

  • November 2017: QtBot dropper used to distribute Trickbot. (Palo Alto Networks)

  • November 2017: Trickbot is delivered through phishing emails coming from the typo-squatted domain <secure@sage-invoices[.]com> and claims to be a Sage invoice. (My Online Security)

  • March 2017: A new version of the TrickBot trojan includes a screenlocker component, currently under development, suggesting the malware's operators might soon begin holding victims for ransom. (BleepingComputer)

  • April 2018: New Trickbot plugin squlDll harvests email addresses from SQL servers. Also includes a screenlocking module not used as a ransomware component. (Fortinet)

  • October 2018: TrickBot has a new module, pwgrab32, for stealing credentials from applications such as Filezilla, Microsoft Outlook, and WinSCP. (Trend Micro)

  • November 2018: What’s new in TrickBot? Deobfuscating elements (Malwarebytes Labs)

  • November 2018: TrickBot Banking Trojan Starts Stealing Windows Problem History (Bleeping Computer)

  • November 2018: A new POS malware feature was added. The new module scans an infected computer for indicators that it’s connected to a network that supports POS services and machines. (Trend Micro)

Technical Details

  • IBM’s X-Force provides a technical analysis of the TrickBot banking trojan here.

Trojan VariantsNJCCICTrickBot