TrickBot

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]

ID: S0266
Associated Software: Totbrick, TSPY_TRICKLOAD
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security; Cybereason Nocturnus, @nocturnus; Omkar Gudhate; FS-ISAC
Version: 2.0
Created: 17 October 2018
Last Modified: 01 October 2021

Associated Software Descriptions

Name            Description
Totbrick        [5][6]
TSPY_TRICKLOAD  [5]

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

TrickBot collects the users of the system.[1][7]

.003 Account Discovery: Email Account

TrickBot collects email addresses from Outlook.[7]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.[1][8]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TrickBot establishes persistence in the Startup folder.[9]

Enterprise T1185 Browser Session Hijacking

TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[2][3][6][7]

Enterprise T1110 .004 Brute Force: Credential Stuffing

TrickBot uses a brute-force attack against RDP with the rdpscanDll module.[9][10]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers.[11]

.003 Command and Scripting Interpreter: Windows Command Shell

TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[12]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.[7]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.[7][8][11]

.005 Credentials from Password Stores: Password Managers

TrickBot can steal passwords from the KeePass open source password manager.[8]

Enterprise T1132 .001 Data Encoding: Standard Encoding

TrickBot can Base64-encode C2 commands.[8]

Enterprise T1005 Data from Local System

TrickBot collects local files and information from the victim’s local machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

TrickBot decodes the configuration data and modules.[2][8][13]

Enterprise T1482 Domain Trust Discovery

TrickBot can gather information about domain trusts by utilizing Nltest.[14][8]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

TrickBot uses a custom crypter leveraging Microsoft's CryptoAPI to encrypt C2 traffic.[2] Newer versions of TrickBot have been known to use bcrypt to encrypt and digitally sign responses to their C2 server.[15]

Enterprise T1041 Exfiltration Over C2 Channel

TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.[8][11]

Enterprise T1210 Exploitation of Remote Services

TrickBot utilizes the EternalBlue and EternalRomance exploits for lateral movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, and tabDll.[9]

Enterprise T1008 Fallback Channels

TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.[8]

Enterprise T1083 File and Directory Discovery

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[1][7]

Enterprise T1495 Firmware Corruption

TrickBot module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device.[16]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TrickBot can disable Windows Defender.[7]

Enterprise T1105 Ingress Tool Transfer

TrickBot downloads several additional files and saves them to the victim's machine.[5][11]

Enterprise T1056 .004 Input Capture: Credential API Hooking

TrickBot has the ability to capture RDP credentials by hooking the CredEnumerateA API.[12]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

TrickBot has used COM to set up a scheduled task for persistence.[9]

Enterprise T1036 Masquerading

The TrickBot downloader has used an icon to appear as a Microsoft Word document.[8]

Enterprise T1112 Modify Registry

TrickBot can modify registry entries.[7]

Enterprise T1106 Native API

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[1] TrickBot has also used Nt* API functions to perform Process Injection.[13]

Enterprise T1135 Network Share Discovery

TrickBot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API.[9][10]

Enterprise T1571 Non-Standard Port

Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[1][2][5] Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443.[11]

Enterprise T1027 Obfuscated Files or Information

TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[1]

.002 Software Packing

TrickBot leverages a custom packer to obfuscate its functionality.[1]

Enterprise T1069 Permission Groups Discovery

TrickBot can identify the groups the user on a compromised host belongs to.[8]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.[12]

.002 Phishing: Spearphishing Link

TrickBot has been delivered via malicious links in phishing e-mails.[8]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

TrickBot can implant malicious code into a compromised device's firmware.[16]

Enterprise T1057 Process Discovery

TrickBot uses module networkDll for process list discovery.[9][10]

Enterprise T1055 Process Injection

TrickBot has used Nt* Native API functions to inject code into legitimate processes such as wermgr.exe.[13]

.012 Process Hollowing

TrickBot injects into the svchost.exe process.[1][5][6][8]

Enterprise T1090 .002 Proxy: External Proxy

TrickBot has been known to reach a command and control server via one of nine proxy IP addresses.[15][11]

Enterprise T1219 Remote Access Software

TrickBot uses the vncDll module to remotely control the victim machine.[9][10]

Enterprise T1021 .005 Remote Services: VNC

TrickBot has used a VNC module to monitor the victim and collect information in order to pivot to valuable systems on the network.[17][11]

Enterprise T1018 Remote System Discovery

TrickBot can enumerate computers and network devices.[8]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TrickBot creates a scheduled task on the system that provides persistence.[1][5][6]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TrickBot has come with a signed downloader component.[8]

Enterprise T1082 System Information Discovery

TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.[1][2][8][16]

Enterprise T1016 System Network Configuration Discovery

TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.[1][7][8]

Enterprise T1033 System Owner/User Discovery

TrickBot can identify the user and groups the user belongs to on a compromised host.[8]

Enterprise T1007 System Service Discovery

TrickBot collects a list of installed programs and services on the victim's machine.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TrickBot can obtain passwords stored in files from several applications such as Outlook, FileZilla, OpenSSH, OpenVPN and WinSCP.[7][8] Additionally, it searches for files with the ".vnc.lnk" suffix to steal VNC credentials.[12]

.002 Unsecured Credentials: Credentials in Registry

TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key.[12]

Enterprise T1204 .002 User Execution: Malicious File

TrickBot has attempted to get users to launch malicious documents to deliver its payload.[12][8]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

TrickBot has used printf and file I/O loops to delay process execution as part of API hammering.[13]

Groups That Use This Software

ID     Name           References
G0092  TA505          [18][19]
G0102  Wizard Spider  [20][21][22][4]

References