TrickBot
TrickBot is a Trojan spyware program that has mainly been used for targeting banking sites in United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre. TrickBot is developed in the C++ programming language. [1] [2] [3]
Associated Software Descriptions
| Name | Description |
|---|---|
| Totbrick | |
| TSPY_TRICKLOAD |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .003 | Account Discovery: Email Account | |
| .001 | Account Discovery: Local Account | |||
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.[1][7] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.[8] |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.[6] |
| Enterprise | T1555 | Credentials from Password Stores |
TrickBot can steal passwords from the KeePass open source password manager.[7] |
|
| .003 | Credentials from Web Browsers |
TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.[6][7] |
||
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding | |
| Enterprise | T1005 | Data from Local System |
TrickBot collects local files and information from the victim’s local machine.[1] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ||
| Enterprise | T1482 | Domain Trust Discovery |
TrickBot can gather information about domain trusts by utilizing Nltest.[9][7] |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel |
TrickBot can send information about the compromised host to a hardcoded C2 server.[7] |
|
| Enterprise | T1008 | Fallback Channels |
TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.[7] |
|
| Enterprise | T1083 | File and Directory Discovery |
TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.[1][6] |
|
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools | |
| Enterprise | T1105 | Ingress Tool Transfer |
TrickBot downloads several additional files and saves them to the victim's machine.[4] |
|
| Enterprise | T1056 | .004 | Input Capture: Credential API Hooking |
TrickBot has the ability to capture RDP credentials by capturing the |
| Enterprise | T1185 | Man in the Browser |
TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.[2][3][5][6] |
|
| Enterprise | T1036 | Masquerading |
The TrickBot downloader has used an icon to appear as a Microsoft Word document.[7] |
|
| Enterprise | T1112 | Modify Registry | ||
| Enterprise | T1106 | Native API |
TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[1] |
|
| Enterprise | T1571 | Non-Standard Port |
Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.[1][2][4] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.[1] |
|
| .002 | Software Packing |
TrickBot leverages a custom packer to obfuscate its functionality.[1] |
||
| Enterprise | T1069 | Permission Groups Discovery |
TrickBot can identify the groups the user on a compromised host belongs to.[7] |
|
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware[8] |
| .002 | Phishing: Spearphishing Link |
TrickBot has been delivered via malicious links in phishing e-mails.[7] |
||
| Enterprise | T1055 | .012 | Process Injection: Process Hollowing | |
| Enterprise | T1018 | Remote System Discovery | ||
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
TrickBot creates a scheduled task on the system that provides persistence.[1][4][5] |
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing | |
| Enterprise | T1082 | System Information Discovery |
TrickBot gathers the OS version, machine name, CPU type, amount of RAM available from the victim’s machine.[1][2][7] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.[1][6][7] |
|
| Enterprise | T1033 | System Owner/User Discovery |
TrickBot can identify the user and groups the user belongs to on a compromised host.[7] |
|
| Enterprise | T1007 | System Service Discovery |
TrickBot collects a list of install programs and services on the system’s machine.[1] |
|
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP.[6][7] Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.[8] |
| .002 | Unsecured Credentials: Credentials in Registry |
TrickBot has retrieved PuTTY credentials by querying the |
||
| Enterprise | T1204 | .002 | User Execution: Malicious File |
TrickBot has attempted to get users to launch malicious documents to deliver its payload. [8][7] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0092 | TA505 | |
| G0102 | Wizard Spider |
References
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
- Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018.
- Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
- Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
- Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
- Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019.
- Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
- Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
- Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.