TrickBot: Not Your Average Hat Trick – A Malware with Multiple Hats

Part 1 in a series on Malware

TrickBot originated as a banking credential theft Trojan, but is now considered a modular malware enterprise with sophisticated system reconnaissance, persistence capabilities, and an association with follow-on ransomware infections. The MS-ISAC continues to monitor TrickBot’s capabilities and the threats it poses to MS-ISAC members.

TrickBot is a distant descendant of the ZeuS banking Trojan that emerged in 2005, but is most often traced back to Dyre or Dyreza, which went offline in 2015. TrickBot emerged in 2016, reusing aspects of Dyre’s code and retaining its banking credential harvesting capabilities and web inject infrastructure. TrickBot is now a malware empire with numerous plugin modules, cryptomining and persistence capabilities, and a growing association with follow-on ransomware infections. Beginning in June 2019, the MS-ISAC observed an increasingly close relationship between initial TrickBot infections and eventual Ryuk ransomware attacks. TrickBot also caught the attention of government and private entities in fall 2020, when it was reported that U.S. Cyber Command and private sector partners acted to blunt TrickBot’s reach and reduce the chances that its operators could interfere with 2020 U.S. election infrastructure. [1]

Technical Overview

TrickBot is often disseminated via malspam campaigns or dropped by other malware like the recently dismantled Emotet. Malspam lures delivering TrickBot leverage themes such as invoices, holiday greeting cards, traffic violations, and the COVID-19 pandemic. [2]

While security researchers have observed numerous infection vectors, the most common initial infection vector is malspam containing malicious macro-laden office documents.

Upon opening a malicious document, the end user is prompted to enable macros, which executes a base64-obfuscated VBScript to download the initial TrickBot binary from an external server. TrickBot also uses a number of publicly available resources, such as icanhazip[.]com [3], to determine the victim’s external IP address. Once executed, TrickBot writes itself to disk in the %AppData%Roaming% folder. TrickBot then unpacks itself with an obfuscated and encoded bot key unique to that infected machine. [4]

TrickBot also attempts to disable antivirus protection like Windows Defender and creates a scheduled task at system startup to ensure persistence.

After these initial actions on target, TrickBot is now able to receive commands and updated bot configurations, as well as load additional plugin modules as dynamic link library (DLL) files within the %Data% folder. TrickBot uses the unique bot key assigned to that machine to decrypt follow-on DLL plugins. In 2019, security researcher Vitali Kremez noted that TrickBot is capable of a User Account Control (UAC) bypass on both Windows 7 and Windows 10, allowing TrickBot to run or make changes to a system without a prompt requesting user authorization.[5]
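The infection chain above (Office macro launching a script host, external-IP lookup, binary dropped under the Roaming profile, a scheduled task at startup, plugin DLLs loaded from the user data folder) lends itself to behavioural detection. The following is an added example, not code from the article or from the MS-ISAC; the telemetry rows, the `(event_type, acting_process_path, detail)` layout and the rule names are all constructed for illustration.

```python
import re

# Constructed sample endpoint telemetry (not from the original article):
# each event is (event_type, acting_process_path, detail).
EVENTS = [
    ("process", r"C:\Program Files\Microsoft Office\winword.exe",
     r"C:\Windows\System32\wscript.exe //B C:\Users\u\AppData\Local\Temp\inv.vbs"),
    ("network", r"C:\Windows\System32\wscript.exe", "icanhazip.com:80"),
    ("file", r"C:\Windows\System32\wscript.exe", r"C:\Users\u\AppData\Roaming\svcmon.exe"),
    ("process", r"C:\Users\u\AppData\Roaming\svcmon.exe",
     r"schtasks.exe /create /sc onstart /tn Svcmon /tr C:\Users\u\AppData\Roaming\svcmon.exe"),
    ("image", r"C:\Users\u\AppData\Roaming\svcmon.exe", r"C:\Users\u\AppData\Roaming\Data\plug64.dll"),
    ("network", r"C:\Program Files\Google\Chrome\chrome.exe", "icanhazip.com:443"),  # benign baseline
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
IP_LOOKUP_HOSTS = {"icanhazip.com"}          # legitimate service, suspicious only in context
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)

def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, acting_process) pairs for events that match the chain."""
    hits = []
    for kind, actor, detail in events:
        name, first = basename(actor), basename(detail.split()[0])
        if kind == "process" and name in OFFICE and first in SCRIPT_HOSTS:
            hits.append(("office_spawned_script_host", name))
        elif kind == "network" and detail.split(":")[0] in IP_LOOKUP_HOSTS \
                and (name in SCRIPT_HOSTS or ROAMING.search(actor)):
            hits.append(("external_ip_lookup_by_suspicious_process", name))
        elif kind == "file" and name in SCRIPT_HOSTS and ROAMING.search(detail) \
                and detail.lower().endswith(".exe"):
            hits.append(("script_host_dropped_exe_in_roaming", name))
        elif kind == "process" and first == "schtasks.exe" \
                and "/sc onstart" in detail.lower() and ROAMING.search(detail):
            hits.append(("startup_task_for_roaming_binary", name))
        elif kind == "image" and detail.lower().endswith(".dll") and ROAMING.search(detail):
            hits.append(("dll_loaded_from_roaming", name))
    return hits

if __name__ == "__main__":
    for rule, proc in triage(EVENTS):
        print(f"{rule:45} {proc}")
```

The browser's own lookup of the same IP service is deliberately left unflagged: the signal is the combination of process lineage and path, not the destination alone.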

Credential Theft

For traditional credential theft, TrickBot utilizes web injects to steal banking credentials and browser cookies. TrickBot uses two types of web injects:

Command and Control

TrickBot boasts resilient command and control (C2) infrastructure and a follow-on exploitation framework. It uses several types of infrastructure to support its array of functions and to withstand government and private sector takedown attempts. The CTAs operating TrickBot are constantly varying and replacing C2 infrastructure, making tracking and takedowns very difficult. TrickBot’s server types and functions include:

The actors behind TrickBot also make use of EmerDNS infrastructure as a backup control channel in the event of aggressive mitigation efforts by security organizations.[6] EmerDNS is associated with top level domains like [.]bazar, [.]lib, and [.]emc, and advertises it cannot be “altered, revoked, or suspended by any authority.”[7] TrickBot’s operators also frequently add and rotate infrastructure in order to evade law enforcement and security company takedown efforts.

TrickBot’s operators use embedded group tags (“gtags”) to uniquely identify and track specific TrickBot campaigns. The specific gtag and a unique bot identifier are hard-coded in the Uniform Resource Identifiers (URIs) when TrickBot communicates with its C2 servers. These gtags[8] allow the operators to track TrickBot campaigns while working in tandem with other malware families or distribution methods. For example:

Tricks on Tricks on Tricks

After the initial infection, TrickBot utilizes plugin modules to execute its many functions. These functions include credential theft, system profiling and reconnaissance, and network propagation.

Core TrickBot Modules

Credential Stealers

Information Harvesting

System/Network Reconnaissance

Network Propagation

Advanced Persistence/Anchor

TrickBot is also able to deploy an advanced persistence capability dubbed ‘Anchor’ by security researcher Vitali Kremez. This bespoke capability is used for high-value targets where persistence is especially valuable for a CTA. This subset and its modules are detailed below:

A TrickBot infection has several implications for an affected organization. Although TrickBot itself may have been dropped by a precursor malware, the graver threat is the possibility of a follow-on ransomware attack. If CTAs deem the compromised environment a worthy (i.e., lucrative) target, they are likely to deploy a strain of ransomware, such as Conti or Ryuk, across the impacted entity.

Preventing TrickBot Infections:

Responding to a TrickBot Infection:

[3] Please note that icanhazip[.]com is a legitimate service
