What is TrickBot?
TrickBot was originally developed in 2016 as a Windows banking trojan intended to capture Personally Identifiable Information (PII) to commit fraud. TrickBot primarily used spear-phishing as an attack vector to target high-level corporate executives and compromise their banking information. TrickBot has been modified and evolved over the last couple of years into a multipurpose trojan capable of spreading through an organization via SMB exploits.
TrickBot now utilizes a modular framework, allowing attackers to tailor the malware to their target environment. The trojan often backdoors compromised endpoints, allowing for remote access and the ability to download additional modules, allowing for quick and flexible persistence across a network. It is also capable of being both injected by other malware and injecting its own malware into a system.
Modularity: TrickBot’s Swiss Army Knife
How TrickBot Uses Modules
TrickBot uses a modular approach to allow attackers to quickly add functionality to the base trojan as needed once a machine is infected. Attackers leverage modules to add a variety of functionality and new attack vectors. Modules are downloaded from a Command and Control (C2) server onto the infected machine in the form of DLLs and a configuration file. These C2 servers are usually hosted on hijacked routers and change constantly as updated C2 server lists are pushed to TrickBot infected machines, making it hard to employ IP blocking rules and other mitigation techniques.
What Makes TrickBot Modules Dangerous?
The modular framework of TrickBot enables customized payloads that meet the specific requirements of an attack. This makes TrickBot an extremely dangerous and adaptable tool for attackers while keeping it relatively stealthy, because unneeded modules are never included. Since modules can be added to TrickBot after deployment, the initial payload can be kept small by including only what is necessary to gain a foothold on the system, with additional modules downloaded once the machine has been infected.
Modules for TrickBot are continually in development, evolving TrickBot even further. Much of the media attention that TrickBot has received in the last year has been the result of security researchers discovering new TrickBot modules and “strains” at an alarming pace. These modules are adding functionality and flexibility to the malware, making TrickBot even more dangerous than it already is.
Modules Developed for TrickBot
Malicious actors have developed a wide range of modules for TrickBot in the last few years. Each module changes how TrickBot can be used, adding functionality and increasing the threat of TrickBot. Here are just a few of the modules that have been discovered by security researchers:
- Steal financial info from banking websites via web injects
- Spread via Word Doc and PDF
- Hijack domain emails to more effectively send phishing emails from trusted accounts
- Disable Windows Defender completely
- Obtain system information and map out a network
- Harvest domain credentials and configuration from the domain controller (DC) via LDAP
- And many more…
Power in Numbers
TrickBot does not always operate on its own; it has frequently been observed being used alongside other malware in the wild. Malicious actors build TrickBot into their malware campaigns because it is extremely flexible and can spread laterally quickly.
TrickBot does not need to infect a machine itself; it can be “dropped in” by other malware. An example of this is the use of TrickBot with Emotet, another banking trojan. Emotet will initially infect a system and then deploy TrickBot to spread laterally across the network.
TrickBot is also able to deploy its own malware and is commonly seen deploying ransomware, most often “Ryuk”. TrickBot can perform intelligence gathering on a network, and attackers can use this information to specifically target critical machines such as backup servers and devices containing PII before deploying ransomware like Ryuk.
What Can You Do to Mitigate TrickBot Attacks?
TrickBot attacks can be devastating, but mitigation strategies are both simple and effective. Consider implementing some or all of these strategies to guard your organization against TrickBot attacks.
- Make sure that you are employing anti-phishing techniques such as email filtering or marking external emails. Additionally, provide social engineering and phishing training to all employees, especially higher-level executives who may not be participating in lower-level employee training.
- Disable SMBv1 and require at least SMBv2 to make it harder for TrickBot to spread laterally.
- Ensure Windows security updates and patches are pushed promptly. As TrickBot evolves, so does Windows.
- Restrict unknown applications’ ability to execute on machines using AppLocker or a similar solution.
- Monitor traffic with an IDS solution to identify TrickBot C2 communications.
- Keep up to date on evolving TrickBot Indicators of Compromise (IoCs) and incorporate them into monitoring and endpoint security solutions.
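The following PowerShell script is an added example, not code from the original post or from NuHarbor. It turns the mitigation list above into a read-only audit of a single Windows host (SMBv1 state, Defender real-time protection, AppLocker enforcement, and days since the last installed update), and adds a small IoC match over log lines to illustrate the last two bullets. It assumes PowerShell 5.1 on Windows 10 / Server 2016 or later with the built-in DISM, SmbShare, Defender and AppLocker modules, and an elevated session. The indicator values and log lines are constructed placeholders from documentation address ranges, not real TrickBot IoCs; as the modules section notes, TrickBot's C2 list changes constantly, so an exact-match list like this only stays useful if it is refreshed from a current feed.

```powershell
# Added example (not from the original post): read-only audit of the TrickBot
# mitigations above on one Windows host, plus an IoC match over sample log lines.
# Assumes PowerShell 5.1, Windows 10 / Server 2016+, elevated session.

function Test-Smb1Disabled {
    # SMBv1 can exist both as an installed optional feature (client editions;
    # servers expose it as the FS-SMB1 role feature instead) and as an enabled
    # protocol on the SMB server. Both must be off for this to return $true.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $featureOff = (-not $feature) -or ($feature.State -ne 'Enabled')
    $serverOff  = (-not $server)  -or (-not $server.EnableSMB1Protocol)
    return [bool]($featureOff -and $serverOff)
}

function Test-DefenderRealtime {
    # One of the listed modules disables Windows Defender; confirm the antimalware
    # service is running with real-time protection switched on.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $status) { return $false }
    return [bool]($status.AMServiceEnabled -and $status.RealTimeProtectionEnabled)
}

function Test-AppLockerEnforced {
    # $true when the effective AppLocker policy has at least one rule collection
    # in Enforce mode (EnforcementMode 'Enabled'); audit-only does not count.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if (-not $policy) { return $false }
    $enforced = $policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' }
    return [bool]$enforced
}

function Get-DaysSinceLastUpdate {
    # Age of the most recently installed hotfix, as a rough "are patches flowing" check.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) { return $null }
    return (New-TimeSpan -Start ([datetime]$latest.InstalledOn) -End (Get-Date)).Days
}

function Find-IocMatch {
    # Exact match of each indicator against the whitespace-separated fields of
    # each log line, so '203.0.113.4' does not match '203.0.113.45'.
    param([string[]]$LogLines, [string[]]$Indicators)
    foreach ($line in $LogLines) {
        $fields = $line -split '\s+'
        foreach ($ioc in $Indicators) {
            if ($fields -contains $ioc) {
                [pscustomobject]@{ Indicator = $ioc; Line = $line }
                break
            }
        }
    }
}

# Constructed sample data (placeholders, not real TrickBot indicators):
# addresses are from the RFC 5737 documentation ranges.
$iocs = @('203.0.113.45', '198.51.100.7', 'c2.example.invalid')
$sampleLog = @(
    '2019-04-02 10:15:01 ALLOW TCP 10.0.0.23 203.0.113.45 49812 443',
    '2019-04-02 10:15:03 ALLOW TCP 10.0.0.23 192.0.2.10 49813 443',
    '2019-04-02 10:15:04 ALLOW TCP 10.0.0.23 203.0.113.4 49814 443',
    '2019-04-02 10:15:09 ALLOW UDP 10.0.0.23 198.51.100.7 49815 8080'
)

[pscustomobject]@{
    Smb1Disabled        = Test-Smb1Disabled
    DefenderRealtime    = Test-DefenderRealtime
    AppLockerEnforced   = Test-AppLockerEnforced
    DaysSinceLastUpdate = Get-DaysSinceLastUpdate
} | Format-List

# Expected on the sample: the first and fourth lines match, the third does not.
Find-IocMatch -LogLines $sampleLog -Indicators $iocs | Format-Table -AutoSize
```

Each check returns a boolean (or a day count) rather than printing, so the same functions can feed a scheduled compliance report or a SIEM collector. The script only audits; remediation such as `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` or `Set-SmbServerConfiguration -EnableSMB1Protocol $false` should be rolled out through change control once the audit shows where SMBv1 is still enabled.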
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.