Trojan.TrickBot

Trojan.TrickBot, a banking Trojan, seems to be a successor of Dyre, a well-known banking Trojan that was already responsible for numerous attacks around the world. There is certainly a connection between both Trojans. These threats evolve constantly, gaining new features as they defend against new security measures implemented by PC security researchers. Dyre, also known as Dyreza, seems to have evolved into Trojan.TrickBot, a newer banking Trojan.

This Week In Malware Episode 20 Part 2: Bazar Malware Linked to Trickbot Banking Trojan Campaigns to Steal Personal Data

Trojan.TrickBot appeared for the first time in October 2016 and back then it attacked only banks in Australia. Starting from April 2017, attacks against leading banks in the UK, US, Switzerland, Germany, Canada, New Zealand, France, and Ireland have been reported as well. Other names that this Trojan is known under include TheTrick, Trickster, TrickLoader, Trojan.TrickBot.e, etc. One of the newer versions of the malware has been updated to target cryptowallets after cryptomining became popular in late 2017. Also in 2017, the authors of the banking Trojan added a self-spreading component to its code which made the malware capable of self-propagation. Obviously, the goal was to infect as many computers as possible, and even entire networks with Trojan.TrickBot. In 2018, Trojan.TrickBot appeared again with an even broader range of capabilities.

TrickBot Likes to Cooperate with Other Malware Threats

In January 2019, researchers discovered an active campaign of Ryuk ransomware in which targeted victims were previously attacked by Emotet and TrickBot. There is evidence that cybercriminals first delivered Emotet through spam emails and various social engineering techniques. In that scheme, a computer infected with Emotet was used to distribute TrickBot, which in turn, stole sensitive information from that helped the attackers find out whether the victim is a suitable industry target. If so, then they would deploy Ryuk ransomware to the company's network. Previously, in May 2018, TrickBot also cooperated with another banking Trojan- IcedID.

When working on its own, TrickBot typically spreads over corrupted email attachments disguised as a Microsoft Office document with enabled macros. When the file is opened, the malicious scripts execute and stealthily download the malware. TrickBot latest versions from the beginning of 2019 are delivered through seasonally-themed spam emails pretending to come from a large financial consulting company. The emails lure users with tax-related content, promising help with certain US tax issues. However, once opened, the Microsoft Excel spreadsheet attached to the email drop TrickBot on the user's computer.

A Short Analyze Of Trojan.TrickBot’s Predecessor, the Dyre Trojan

The Dyre Trojan, which is associated with an extensive botnet made up of hundreds of thousands of infected computers, attacked tens of thousands of computers around the world in November of 2015. More than one thousand banks and financial institutions may have become compromised by Dyre. This threat's activities stopped in November of 2015, which coincided with the raiding of the offices of a Russian business that was part of the con artists group responsible for Dyre. Unfortunately, it seems that someone that was involved in developing Dyre in 2015 may now be participating in the development of Trojan.TrickBot.

Monitoring the Evolution of the Trojan.TrickBot

Trojan.TrickBot was first detected in September of 2016 in a threat campaign targeting computer users in Australia. Some of the Australian financial institutions that were affected include NAB, St. George, Westpac and ANZ. The initial Trojan.TrickBot attacks involved one collector module. Newer samples of Trojan.TrickBot also include webinjects in their attack, and seem to still be in testing.

There are several reasons why PC security analysts suspect that there is a strong connection between Trojan.TrickBot and Dyre. The loader involved in most attacks is very similar. Once you decode the threats, the similarities become very obvious. This means that many of the con artists that were responsible for the development and implementation of Dyre seem to have become active again, escaping arrest and resuming activities one year after the Dyre attacks. Trojan.TrickBot seems to be a rewritten version of Dyre, keeping many of the same functions but written in a different way. Compared to Dyre, there is a great quantity of code in C++ in the Trojan.TrickBot implementation. Trojan.TrickBot takes advantage of the Microsoft's CryptoAPI rather than having built-in functions for its corresponding encryption operations. The following are the differences between Trojan.TrickBot and Dyre:

• Trojan.TrickBot does not run commands directly but instead interacts with the Task scheduler using COM in order to maintain persistence on the infected computer.
• Rather than using an in-built SHA256 hashing routine or an AES routine, Trojan.TrickBot uses the Microsoft Crypto API.
• While Dyre was written using the programming language C mostly, Trojan.TrickBot uses a larger portion of C++ for its code.
• In addition to attacking large international banks, Trojan.TrickBot can also steal from Bitcoin wallets.
• TrojanTrickBot has the capability to harvest emails and login credentials through the Mimikatz tool.
• New features are also constantly added to Trojan.TrickBot.

These differences, however, seem to indicate that there is a clear relationship between Dyre and Trojan.TrickBot, but that Trojan.TrickBot actually represents a more advanced stage of development of the earlier threat. Trojan.TrickBot is loaded by using the threat loader 'TrickLoader,' which has been associated with several other threats, including Pushdo, Cutwail and Vawtrak. Cutwail, in particular, has been associated with the Dyre threat as well, making it likely that the con artists responsible for Trojan.TrickBot are attempting to rebuild the vast capabilities that they enjoyed with their previous attack.

Operational Details

Trojan.TrickBot is a serious threat for user privacy as its main purpose is to steal user login credentials for online banking websites, Paypal accounts, cryptocurrency wallets, and other financial and personal accounts. The malware uses two techniques to trick its victims into providing the data. The first technique is called static injection and it consists of replacing the login page of the legitimate banking website with a fake one that copies it exactly. The second method is called dynamic injection and it involves hijacking the victim's browser and redirecting it to a server controlled by the operators of the malware each time the user enters a URL that belongs to a targeted banking website. In either case, the login data entered by the user is captured and sent to the Trojan.TrickBot operators, and respectively, can be misused to commit financial fraud.

Trojan.TrickBot is delivered in several different modules and a configuration file. Each of the modules fulfills a specific task, like ensuring the malware's propagation and persistence, stealing credentials, and so on. In order to avoid detection, the malicious modules are injected into legitimate processes, including svchost. Also, TrickBot attempts to disable and delete Windows Defender as another measure to reduce the chance of being detected.

Trojan.TrickBot's installation folder is located in C:\user\AppData\Roaming\%Name%, whereby "%Name%" depends on the particular version of the malware. There is also a copy of TrickBot with a slightly different name in that same folder, as well as a settings.ini file, and a Data folder.  TrickBot ensures its persistence by creating a scheduled task and a service. The name of the task depends on the variant of the malware, it could be named "NetvalTask", for example. The registry entry is generated randomly and located under the service hive, for example, \HKLM\System\CurrentControlSet\Services\{Random_name}\imagePath. The operators of Trojan.TrickBot set up the Command&Control servers with which the malware communicates on hacked wireless routers.

Newer Versions of TrickBot Come with Enhanced Features

In November 2018, updated versions of Trojan.TrickBot hit the malware market, demonstrating more advanced features. Among these is the screen-locking functionality observed in some versions of the malware appearing in the several months before November 2018. Some researchers believed at that time that through this new component the malware authors were aiming at holding the victims for ransom if the Trojan was unable to exfiltrate any banking credentials from the infected computer. Improved capabilities to avoid detection have also been added around November 2018. Yet, an even more dangerous feature was added to Trojan.TrickBot arsenal at that time through a new password-grabbing module called "pwgrab" - the malware was no longer interested in the visited by the user websites only, but it was also able to hijack popular applications and steal saved passwords from there. Apart from that,  TrickBot also started harvesting browsing and system data, like cookies, search terms, history, CPU information, running processes, and so on. Moreover, the Trojan got the ability to update itself once installed on a machine, meaning that an infected computer will always have the latest version of TrickBot regardless of when the initial infection took place.
 
Yet another new version of Trojan.TrickBot was discovered by Trend Micro researchers in January 2019. This new variant added three new capabilities to TrickBot's password-stealing module, designed to target the Virtual Network Computing (VNC), PuTTY, and the Remote Desktop Protocol (RDP) platforms. TrickBot's pwgrab module captures VNC credentials by looking for files containing ".vnc.lnk" in their names within the "%APPDATA%\Microsoft\Windows\Recent", the "%USERPROFILE%\Documents", and the "%USERPROFILE%\Downloads" folders. For grabbing PuTTY and RDP credentials, TrickBot looks in the Software\SimonTatham\Putty\Sessions registry key and uses "the CredEnumerateA API" to identify and steal saved passwords. Then, to identify the username, hostname, and password saved per RDP credential, the malware parses the string "target=TERMSRV." TrickBot downloads a configuration file named "dpost" from the operators' Command&Control server and uses a POST command set up to exfiltrate the VNC, PuTTY, and RDP credentials collected from the infected devices.

In January 2019, researchers also discovered that TrickBot also acts as Access-as-a-Service for other actors - once it infects a machine, it turns it into a bot and creates reverse shells, allowing thus other malware operators to access the infected network and drop their own malicious payloads.

Preventing Trojan.TrickBot Attacks

The best way to prevent Trojan.TrickBot attacks is to make sure that your computer is protected with a reliable, fully updated anti-malware program. Online banking passwords should be strong and a two-step authentication should be implemented. Exercise caution when handling your online banking accounts, avoiding these operations on unknown computers, and scanning your computer regularly for threats with an updated security application.

SpyHunter Detects & Remove Trojan.TrickBot