Although Trickbot was first identified in late 2016 as a well-established banking trojan, it quickly evolved into a Malware-as-a-Service (MaaS) platform. The malware is used by ideologically and financially motivated threat actors and cybercriminals alike.
Trickbot phishing campaigns differ from victim to victim: they harvest personal and financial data and also deploy ransomware such as “Ryuk” and “Conti.” Trickbot payload distribution may also resemble that of “Emotet” and “BazarLoader.”
Malware distribution and phishing go hand in hand, and Trickbot is no exception. Common lures, such as business-related notifications or invoices, are used to entice victims into downloading weaponized Microsoft Office attachments.
Targets vary from country to country and range from the financial sector to the healthcare sector. In October 2020, Microsoft’s Digital Crimes Unit (DCU) led an operation against the group. The expectation was that the group would be eliminated; although the operation took down 94% of Trickbot’s infrastructure, the group regained its footing by adding new servers.
Trickbot’s capabilities are diverse, ranging from data theft to lateral movement, persistence, reconnaissance and remote access. The modules include:
Phishing emails hiding malware inside Microsoft Excel spreadsheets were observed in mid-December 2020. The emails lure victims by masquerading as legitimate business communications. The victim (Figure 1) receives an email claiming that the attached spreadsheet has been encrypted by ‘DocuSign’ and can be decrypted by clicking ‘Enable Editing’ and ‘Enable Content.’ The purpose of the email is to lure the victim into opening the attachment and downloading the main Trickbot payload.
The macro uses the “URLDownloadToFile” function in this campaign to download the Trickbot payload from a specified URL (Figure 2).
The downloaded Trickbot payload is a malicious dynamic-link library (DLL), which is loaded by executing it with the legitimate Windows utility ‘rundll32.’ The entry point used is DllRegisterServer: rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer.
If the DLL is run without that entry point, for instance in an automated analysis environment that loads it without naming the export, only benign code executes, and the threat may therefore be overlooked.
Having been successfully loaded, Trickbot then injects its DLL into the legitimate Windows Error Reporting executable wermgr.exe before terminating the previous process (Figure 3).
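The two host-side behaviours described above (rundll32 loading a DLL with a non-standard extension from an unusual directory via DllRegisterServer, and wermgr.exe being started by a process that does not normally spawn it) can both be surfaced from ordinary process-creation telemetry. The following Python is an added example written for this page; it is not code from the report or from any vendor. The trusted module directories, the expected wermgr.exe parents and the sample events are assumptions constructed for illustration and should be tuned to the environment; only the rundll32 command line mirrors the one quoted above.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    """One process-creation event (e.g. Sysmon EID 1 / Security 4688), reduced to the fields used here."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# Assumption: directories from which rundll32 normally loads DLLs in this environment.
TRUSTED_MODULE_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Assumption: parents that legitimately start wermgr.exe; tune per environment.
EXPECTED_WERMGR_PARENTS = {"svchost.exe", "wermgr.exe", "werfault.exe", "services.exe"}

# Captures "<module>,<export>" from a rundll32 command line; tolerates a quoted module path.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*([A-Za-z_]\w*)', re.IGNORECASE)


def check_rundll32(ev: ProcessEvent):
    """Return a reason string if rundll32 loads a module that looks out of place, else None."""
    if PureWindowsPath(ev.image).name.lower() != "rundll32.exe":
        return None
    m = RUNDLL32_RE.search(ev.command_line)
    if not m:
        return None
    module, export = m.group(1), m.group(2)
    path = PureWindowsPath(module)
    findings = []
    if path.suffix.lower() != ".dll":
        findings.append(f"module has non-DLL extension {path.suffix or '(none)'}")
    # A bare file name (e.g. shell32.dll) is resolved from the system search path,
    # so only an explicit directory is compared against the trusted list.
    if path.parent != PureWindowsPath(".") and not str(path).lower().startswith(TRUSTED_MODULE_DIRS):
        findings.append(f"module loaded from untrusted directory {path.parent}")
    if findings and export.lower() == "dllregisterserver":
        findings.append("invoked via DllRegisterServer export")
    return "; ".join(findings) if findings else None


def check_wermgr(ev: ProcessEvent):
    """Return a reason string if wermgr.exe was started by a parent outside the expected set, else None."""
    if PureWindowsPath(ev.image).name.lower() != "wermgr.exe":
        return None
    parent = PureWindowsPath(ev.parent_image).name.lower()
    if parent not in EXPECTED_WERMGR_PARENTS:
        return f"wermgr.exe started by unexpected parent {parent}"
    return None


def triage(events):
    """Run every check over every event; return [(event index, reason), ...]."""
    hits = []
    for i, ev in enumerate(events):
        for check in (check_rundll32, check_wermgr):
            reason = check(ev)
            if reason:
                hits.append((i, reason))
    return hits


# Constructed sample events (not telemetry from the report): one rundll32 load mirroring the
# command line quoted in the text, one wermgr.exe child of rundll32, and two benign events.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcessEvent(r"C:\Windows\System32\wermgr.exe",
                 r"C:\Windows\System32\wermgr.exe",
                 r"C:\Windows\System32\rundll32.exe"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\wermgr.exe",
                 r"C:\Windows\System32\wermgr.exe -upload",
                 r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Run stand-alone, the script flags only the first two sample events: the rundll32 load (non-DLL extension, untrusted directory, DllRegisterServer export) and the wermgr.exe instance spawned by rundll32. The Control Panel applet load and the svchost-spawned wermgr.exe pass, which is the point of checking the module path and the parent rather than alerting on rundll32 or wermgr.exe alone.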
Once executed, Trickbot contacts its command-and-control (C2) infrastructure to download additional modules and act on the threat actor’s objectives.
Trickbot attempts to connect to several servers, as multiple C2 server IP addresses were observed in memory, potentially to improve resilience. Notably, in addition to the commonly used ports 443, 449 and 499, numerous other IP addresses were also observed with other common ports. The C2 request URLs follow the pattern /<GTAG>/<CLIENT_ID>/<COMMAND>/<PARAMETERS>.
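The URL pattern and the ports above translate directly into a network-side check over proxy or web-gateway logs. The following Python is an added example written for this page, not code from the report. It assumes a simple constructed log format (timestamp, client IP, server IP, server port, method, URL), treats gtag and command as alphanumeric tokens, and only raises an alert when the path matches the pattern, the request goes straight to an IP literal rather than a hostname, and the port is one of those named in the report; these narrowing heuristics, the regex character classes and the sample lines are all assumptions, since a bare three-segment path on its own matches a great deal of legitimate traffic.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Ports the report associates with Trickbot C2 traffic.
C2_PORTS = {443, 449, 499}

# The C2 URL pattern /<GTAG>/<CLIENT_ID>/<COMMAND>/<PARAMETERS> as a regex.
# Assumption: gtag and command are alphanumeric, client id may also contain _ . -,
# and the parameters segment is optional (lazy so a trailing slash is not captured).
C2_PATH_RE = re.compile(
    r"^/(?P<gtag>[A-Za-z0-9]+)/(?P<client_id>[A-Za-z0-9_.-]+)/(?P<command>[A-Za-z0-9]+)"
    r"(?:/(?P<params>.*?))?/?$"
)

# Constructed log format (assumption): "<timestamp> <client_ip> <server_ip> <server_port> <method> <url>"
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into a dict, or return None if it does not fit the format."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, server, port, method, url = m.groups()
    return {"ts": ts, "client": client, "server": server, "port": int(port), "method": method, "url": url}


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze(log_text):
    """Return one alert dict per request that matches the C2 URL pattern, is sent
    straight to an IP literal and uses one of the ports in C2_PORTS."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        m = C2_PATH_RE.match(parts.path)
        if not m or rec["port"] not in C2_PORTS or not is_ip_literal(parts.hostname or ""):
            continue
        alerts.append({"ts": rec["ts"], "client": rec["client"], "server": rec["server"],
                       "port": rec["port"], **m.groupdict()})
    return alerts


# Constructed sample lines (documentation/test address ranges, invented gtags and client ids);
# the third line is a legitimate-looking request whose path happens to fit the pattern.
SAMPLE_PROXY_LOG = """\
2020-12-15T10:02:11Z 10.0.0.5 203.0.113.10 449 POST https://203.0.113.10:449/tagA1/HOST1_ABCDEF/5/file/
2020-12-15T10:02:40Z 10.0.0.5 198.51.100.7 443 GET https://198.51.100.7/tagB2/HOST1_ABCDEF/0/
2020-12-15T10:03:02Z 10.0.0.8 93.184.216.34 443 GET https://www.example.com/docs/install/linux/
2020-12-15T10:03:30Z 10.0.0.9 203.0.113.44 499 POST https://203.0.113.44:499/tagB2/HOST2_123456/10/62/
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_PROXY_LOG):
        print(f"{a['ts']} {a['client']} -> {a['server']}:{a['port']} gtag={a['gtag']} "
              f"client_id={a['client_id']} command={a['command']} params={a['params']!r}")
```

The www.example.com line matches the path regex but is not alerted because it is addressed to a hostname; the three direct-to-IP requests on 449, 443 and 499 are. In practice the gtag and client_id fields are worth pivoting on across hosts: one gtag appearing from many internal clients, or one client_id appearing against several server IPs, reflects the multi-server resilience the text describes.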
Phishing is an indirect attack that requires action from the victim to take full effect, so practicing healthy online habits helps mitigate these threats. The following remediation and mitigation techniques help secure systems against Trickbot: