Malicious Activity Report: Trickbot Loader

Recent activity from a Trickbot campaign targeting the insurance and legal sector[1] shows that the botnet is still a threat, despite U.S. Cyber Command's attempt to disrupt it in October 2020.[2] Given the potential impact of this threat, we are releasing this detailed report on Trickbot's functionality to give our customers and security researchers the knowledge to prepare for and defend against Trickbot-related threats.

In this report, we describe Trickbot's packer and process execution chain, explain the identifiers the malware generates, and detail its signature verification and persistence techniques. We explain the configuration format and how it is decrypted at runtime, and give an overview of the network flow and the capabilities of the command and control (C&C) protocol.

Trickbot encrypts its embedded strings. To support other researchers, our full report includes a script that decrypts the strings in the sample we analyzed.

Trickbot, first observed in 2016,[3] has evolved from a standard banking trojan into a highly modular loader used by financially motivated cybercriminals as well as by threat actors linked to nation-state activity.[4] Trickbot is sold as malware-as-a-service (MaaS) and has been linked to multiple security incidents[5] in the past.

We have observed Trickbot-related indicators, as well as malspam campaigns distributing Trickbot, in our own data sources. Since its first appearance in 2016, the authors behind Trickbot have developed a range of modules[6] for capabilities such as:

Trickbot is polymorphic, so behavior and characteristics may differ between variants; indicators drawn from one sample should not be assumed to hold for all others.

Infoblox's full report on this campaign will be available soon on our Threat Intelligence Reports page.

Cyber Intel Unit

With 10 years of experience, the Infoblox Cyber Intelligence Unit creates, aggregates and curates information on threats to provide actionable intelligence that is high quality, timely and reliable. Threat intelligence from Infoblox minimizes false positives, so you can be confident in what you are blocking, while ensuring a unified security policy across your entire security infrastructure.
