Author: Andreas Klopsch
Recent activity from a Trickbot campaign targeting the insurance and legal sector[1] shows that the botnet is still a threat, despite U.S. Cyber Command’s attempt to disrupt it in October 2020.[2] Given the potential impact of this threat, we are releasing this detailed report on Trickbot’s functionality to provide our customers and security researchers with the knowledge to prepare for and defend against potential Trickbot-related threats.
In this report, we describe Trickbot’s packer and process execution chain, provide insight on identifiers generated by the malware, as well as detail its signature verification and persistence techniques. We include an explanation of the configuration and how it is decrypted during execution, along with an overview of the network flow and the capabilities of the command and control (C&C) protocol.
Trickbot uses string encryption, and so to support other researchers, our full report includes a script to decrypt strings embedded in the sample we analyzed.
Trickbot, first observed in 2016,[3] has transformed from a standard banking trojan into a highly modular loader used by financially-motivated cybercriminals, as well as by threat actors linked to nation state activities.[4] Trickbot is sold as malware-as-a-service (MaaS) and has been linked to multiple security events[5] in the past.
We have seen Trickbot-related indicators, as well as malspam campaigns distributing Trickbot, in our own data sources. Since its first appearance in 2016, the malware authors behind Trickbot have developed different kinds of modules[6] for capabilities such as:
- Stealing banking information,
- System/network reconnaissance,
- Credential and user information harvesting,
- Network propagation, and
- Achieving persistence in a victim’s environment.
Trickbot is polymorphic, and as a result, the behavior and characteristics may differ between variants.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.