Trojan.TrickBot

Trojan.TrickBot Description

Trojan.TrickBot, a banking Trojan, appears to be a successor of Dyre, a well-known banking Trojan that was already responsible for numerous attacks around the world, and there is certainly a connection between the two. These threats evolve constantly, gaining new features as they adapt to new security measures implemented by PC security researchers. Dyre, also known as Dyreza, seems to have evolved into Trojan.TrickBot, a newer banking Trojan.

Trojan.TrickBot appeared for the first time in October 2016 and back then it attacked only banks in Australia. Starting from April 2017, attacks against leading banks in the UK, US, Switzerland, Germany, Canada, New Zealand, France, and Ireland have been reported as well. Other names that this Trojan is known under include TheTrick, Trickster, TrickLoader, Trojan.TrickBot.e, etc. One of the newer versions of the malware has been updated to target cryptowallets after cryptomining became popular in late 2017. Also in 2017, the authors of the banking Trojan added a self-spreading component to its code which made the malware capable of self-propagation. Obviously, the goal was to infect as many computers as possible, and even entire networks with Trojan.TrickBot. In 2018, Trojan.TrickBot appeared again with an even broader range of capabilities.

TrickBot Likes to Cooperate with Other Malware Threats

In January 2019, researchers discovered an active Ryuk ransomware campaign in which the targeted victims had previously been attacked by Emotet and TrickBot. There is evidence that the cybercriminals first delivered Emotet through spam emails and various social engineering techniques. In that scheme, a computer infected with Emotet was used to distribute TrickBot, which in turn stole sensitive information that helped the attackers determine whether the victim was a suitable industry target. If so, they would deploy Ryuk ransomware to the company's network. Previously, in May 2018, TrickBot also cooperated with another banking Trojan, IcedID.

When working on its own, TrickBot typically spreads through malicious email attachments disguised as Microsoft Office documents with macros enabled. When the file is opened, the malicious scripts execute and stealthily download the malware. The latest TrickBot versions from the beginning of 2019 are delivered through seasonally themed spam emails pretending to come from a large financial consulting company. The emails lure users with tax-related content, promising help with certain US tax issues. However, once opened, the Microsoft Excel spreadsheet attached to the email drops TrickBot on the user's computer.

A Short Analysis of Trojan.TrickBot's Predecessor, the Dyre Trojan

The Dyre Trojan, which is associated with an extensive botnet made up of hundreds of thousands of infected computers, attacked tens of thousands of computers around the world in November of 2015. More than one thousand banks and financial institutions may have been compromised by Dyre. This threat's activities stopped in November of 2015, which coincided with the raid on the offices of a Russian business that was part of the group of con artists responsible for Dyre. Unfortunately, it seems that someone who was involved in developing Dyre in 2015 may now be participating in the development of Trojan.TrickBot.

Monitoring the Evolution of the Trojan.TrickBot

Trojan.TrickBot was first detected in September of 2016 in a threat campaign targeting computer users in Australia. Some of the Australian financial institutions that were affected include NAB, St. George, Westpac and ANZ. The initial Trojan.TrickBot attacks involved one collector module. Newer samples of Trojan.TrickBot also include webinjects in their attack, and seem to still be in testing.

There are several reasons why PC security analysts suspect a strong connection between Trojan.TrickBot and Dyre. The loader involved in most attacks is very similar, and once the threats are decoded the similarities become very obvious. This suggests that many of the con artists responsible for the development and deployment of Dyre have become active again, escaping arrest and resuming activities one year after the Dyre attacks. Trojan.TrickBot seems to be a rewritten version of Dyre, keeping many of the same functions but implemented differently. Compared to Dyre, the Trojan.TrickBot implementation contains a much larger quantity of C++ code. Trojan.TrickBot uses Microsoft's CryptoAPI rather than built-in functions for its encryption operations. The following are the differences between Trojan.TrickBot and Dyre:

  • Trojan.TrickBot does not run commands directly but instead interacts with the Task Scheduler using COM in order to maintain persistence on the infected computer.
  • Rather than using a built-in SHA256 hashing routine or an AES routine, Trojan.TrickBot uses the Microsoft Crypto API.
  • While Dyre was written mostly in the C programming language, Trojan.TrickBot uses a larger portion of C++ for its code.
  • In addition to attacking large international banks, Trojan.TrickBot can also steal from Bitcoin wallets.
  • Trojan.TrickBot has the capability to harvest emails and login credentials through the Mimikatz tool.
  • New features are also constantly added to Trojan.TrickBot.

Despite these differences, there seems to be a clear relationship between Dyre and Trojan.TrickBot, with Trojan.TrickBot representing a more advanced stage of development of the earlier threat. Trojan.TrickBot is loaded by the loader 'TrickLoader,' which has been associated with several other threats, including Pushdo, Cutwail and Vawtrak. Cutwail, in particular, has also been associated with Dyre, making it likely that the con artists responsible for Trojan.TrickBot are attempting to rebuild the vast capabilities they enjoyed with their previous attack.

Operational Details

Trojan.TrickBot is a serious threat to user privacy, as its main purpose is to steal login credentials for online banking websites, PayPal accounts, cryptocurrency wallets, and other financial and personal accounts. The malware uses two techniques to trick its victims into providing the data. The first technique is called static injection and consists of replacing the login page of the legitimate banking website with a fake one that copies it exactly. The second method is called dynamic injection and involves hijacking the victim's browser and redirecting it to a server controlled by the operators of the malware each time the user enters a URL that belongs to a targeted banking website. In either case, the login data entered by the user is captured and sent to the Trojan.TrickBot operators, where it can be misused to commit financial fraud.

Trojan.TrickBot is delivered in several different modules and a configuration file. Each of the modules fulfills a specific task, like ensuring the malware's propagation and persistence, stealing credentials, and so on. In order to avoid detection, the malicious modules are injected into legitimate processes, including svchost. Also, TrickBot attempts to disable and delete Windows Defender as another measure to reduce the chance of being detected.

Trojan.TrickBot's installation folder is located in C:\user\AppData\Roaming\%Name%, where "%Name%" depends on the particular version of the malware. That same folder also holds a copy of TrickBot with a slightly different name, a settings.ini file, and a Data folder. TrickBot ensures its persistence by creating a scheduled task and a service. The name of the task depends on the variant of the malware; it could be named "NetvalTask", for example. The service's registry entry is generated randomly and located under the services hive, for example, \HKLM\System\CurrentControlSet\Services\{Random_name}\imagePath. The operators of Trojan.TrickBot set up the Command&Control servers with which the malware communicates on hacked wireless routers.
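As an added hunting example (not code from the original article), the PowerShell script below checks a host for the persistence artifacts just described: scheduled tasks and service ImagePath values that launch a binary from a Roaming profile, and Roaming folders with the install layout (an executable beside settings.ini and a Data folder), including the SYSTEM profile's Roaming folder listed in the Registry Details below. It assumes Windows 8/Server 2012 or later for Get-ScheduledTask and an elevated session; the match patterns are assumptions, not the malware's own strings.

```powershell
# Added hunt script, not from the original article. Flags the persistence
# artifacts described above; match patterns and folder roots are assumptions.
$findings = New-Object System.Collections.Generic.List[object]

# 1. Scheduled tasks (e.g. "NetvalTask") whose action launches an executable
#    from a Roaming profile directory.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and $action.Execute -match 'AppData\\Roaming') {
            $findings.Add([pscustomobject]@{
                Type = 'ScheduledTask'; Name = $task.TaskName; Path = $action.Execute
            })
        }
    }
}

# 2. Services under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath
#    points into a Roaming profile (the randomly named service described above).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match 'AppData\\Roaming') {
        $findings.Add([pscustomobject]@{ Type = 'Service'; Name = $_.PSChildName; Path = $img })
    }
}

# 3. Roaming folders (current user and the SYSTEM profile) with the install
#    layout: at least one .exe next to settings.ini and a Data subfolder.
$roots = @($env:APPDATA,
           "$env:windir\System32\config\systemprofile\AppData\Roaming")
foreach ($root in $roots) {
    Get-ChildItem $root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $dir = $_.FullName
        $hasIni  = Test-Path (Join-Path $dir 'settings.ini') -PathType Leaf
        $hasData = Test-Path (Join-Path $dir 'Data') -PathType Container
        $exes    = @(Get-ChildItem $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue)
        if ($hasIni -and $hasData -and $exes.Count -gt 0) {
            $findings.Add([pscustomobject]@{ Type = 'InstallFolder'; Name = $_.Name; Path = $dir })
        }
    }
}

if ($findings.Count -eq 0) { 'No TrickBot-style persistence artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Any hit is a lead for triage, not a verdict: legitimate software occasionally runs from Roaming, so compare the flagged binary's hash and signature against the vendor's before acting.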

Newer Versions of TrickBot Come with Enhanced Features

In November 2018, updated versions of Trojan.TrickBot hit the malware market, demonstrating more advanced features. Among these is the screen-locking functionality observed in some versions of the malware in the several months before November 2018. Some researchers believed at that time that through this new component the malware authors were aiming to hold the victims for ransom if the Trojan was unable to exfiltrate any banking credentials from the infected computer. Improved detection-evasion capabilities were also added around November 2018. Yet an even more dangerous feature was added to Trojan.TrickBot's arsenal at that time through a new password-grabbing module called "pwgrab": the malware was no longer limited to the websites visited by the user, but was also able to hijack popular applications and steal the passwords saved in them. Apart from that, TrickBot also started harvesting browsing and system data, like cookies, search terms, history, CPU information, running processes, and so on. Moreover, the Trojan gained the ability to update itself once installed on a machine, meaning that an infected computer will always have the latest version of TrickBot regardless of when the initial infection took place.
 
Yet another new version of Trojan.TrickBot was discovered by Trend Micro researchers in January 2019. This new variant added three new capabilities to TrickBot's password-stealing module, designed to target the Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP) platforms. TrickBot's pwgrab module captures VNC credentials by looking for files containing ".vnc.lnk" in their names within the "%APPDATA%\Microsoft\Windows\Recent", "%USERPROFILE%\Documents", and "%USERPROFILE%\Downloads" folders. For grabbing PuTTY and RDP credentials, TrickBot looks in the Software\SimonTatham\Putty\Sessions registry key and uses the CredEnumerateA API to identify and steal saved passwords. Then, to identify the username, hostname, and password saved per RDP credential, the malware parses the string "target=TERMSRV". TrickBot downloads a configuration file named "dpost" from the operators' Command&Control server and uses an HTTP POST request to exfiltrate the VNC, PuTTY, and RDP credentials collected from the infected devices.

In January 2019, researchers also discovered that TrickBot acts as Access-as-a-Service for other actors: once it infects a machine, it turns it into a bot and creates reverse shells, thus allowing other malware operators to access the infected network and drop their own malicious payloads.

Preventing Trojan.TrickBot Attacks

The best way to prevent Trojan.TrickBot attacks is to make sure that your computer is protected with a reliable, fully updated anti-malware program. Online banking passwords should be strong, and two-step authentication should be enabled. Exercise caution when handling your online banking accounts, avoid these operations on unknown computers, and scan your computer regularly for threats with an updated security application.


Technical Information

File System Details

Trojan.TrickBot creates the following file(s):

Registry Details

Trojan.TrickBot creates the following directories, file masks and file names:

Directories:
  • %APPDATA%\AMNI
  • %APPDATA%\chromedata
  • %APPDATA%\cleanmem
  • %APPDATA%\CloudApp
  • %APPDATA%\diskram
  • %APPDATA%\GpuSettings
  • %APPDATA%\gpuTools
  • %APPDATA%\mscache
  • %APPDATA%\mslibrary
  • %APPDATA%\netcache
  • %APPDATA%\netrest
  • %APPDATA%\NetSocket
  • %APPDATA%\nocsys
  • %APPDATA%\safessd
  • %appdata%\services
  • %APPDATA%\smcvs
  • %APPDATA%\temporx
  • %APPDATA%\vcneo
  • %APPDATA%\winnet
  • %APPDATA%\WNetval
  • %APPDATA%\wnetwork
  • %APPDATA%\WSOG
  • %LOCALAPPDATA%\runningpost
  • %WINDIR%\System32\config\systemprofile\AppData\Roaming\AMNI
  • %WINDIR%\System32\config\systemprofile\AppData\Roaming\GpuSettings
  • %WINDIR%\System32\config\systemprofile\AppData\Roaming\gpuTools
  • %WINDIR%\System32\config\systemprofile\AppData\Roaming\services
  • %WINDIR%\System32\config\systemprofile\AppData\Roaming\vcneo
  • %WINDIR%\System32\config\systemprofile\AppData\Roaming\wnetwork
  • %WINDIR%\System32\config\systemprofile\AppData\Roaming\WSOG

Regexp file masks:
  • %APPDATA%\[RANDOM CHARACTERS].exe
  • %HOMEDRIVE%\mssvca.exe
  • %HOMEDRIVE%\mswvc.exe
  • %HOMEDRIVE%\stcvc.exe
  • %HOMEDRIVE%\stsvc.exe
  • %LOCALAPPDATA%\TempQce34.exE
  • %UserProfile%\Local Settings\Application Data\TempQce34.exE

File name without path:
  • 44893m9uh88g9l9_nkubyhu6vfxxbh989xo7hlttkppzf29ttdu6kwppk_11c1jl.exe

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their PC with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your PC. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.
