What is TrickBot Malware?

Kurt Baker - October 3, 2023

What is TrickBot Malware?

TrickBot malware is a banking Trojan released in 2016 that has since evolved into a modular, multi-phase malware capable of a wide variety of illicit operations, including:

  • Stealing credentials, data and personal information
  • Elevating account privileges to expand access to the compromised network
  • Installing backdoors within the network to enable remote access
  • Downloading and installing other malware or ransomware to carry out secondary attacks, the most common of which involve Ryuk or Conti ransomware
  • Disabling antivirus tools or other cybersecurity measures, such as Windows Defender
  • Modifying itself to avoid detection

What makes TrickBot highly concerning is its modular nature, which can adapt and evolve to target specific network or environment weaknesses which can then be exploited during follow-on malware or ransomware attacks.

2024 CrowdStrike Global Threat Report

The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.

Download Now

How does TrickBot malware work?

While the TrickBot malware is known for its evolution and adaptation, many campaigns follow a basic attack sequence:

  1. The TrickBot malware is delivered to the target either through an infected link or attachment.
  2. Once downloaded to the infected device, the user is prompted to enable macros, which installs the TrickBot binary. The malware then uses various models to infect the network and steal data.
  3. To set the stage for future attacks, the TrickBot operators may also attempt to disable antivirus protection.
  4. As part of a secondary attack, TrickBot can spread the malware laterally throughout the network, usually by exploiting a Server Message Block (SMB) vulnerability.
  5. A follow-on attack, such as a Ryuk ransomware attack, is deployed by the TrickBot group.
  6. The attackers manually delete or encrypt backup files and twins.
  7. Ryuk encrypts all system data and initiates the ransomware attack path.

Symptoms of TrickBot Malware

Unfortunately, the user will rarely notice symptoms of a TrickBot infection as it is intended to operate surreptitiously. It is possible that a network administrator may notice symptoms of the attack, such as an unusual change in traffic or an attempt to reach out to foreign or blacklisted domains. However, detecting a TrickBot attack is difficult if not impossible for humans to do given the sprawling and complex nature of most modern cloud or hybrid work environments as well as the sophisticated nature of TrickBot malware.

Organizations must protect themselves with a comprehensive, advanced cybersecurity toolset which will continuously monitor network traffic and other activity in real-time and alert the IT team to suspicious behavior or anomalous activity that must be further investigated.

History of TrickBot Malware

TrickBot originated as a banking information stealer in 2016. It is widely believed that TrickBot shares some links to Dyreza, another highly-effective credential stealer that operated several years prior. TrickBot and Dyreza share many notable operational and structural similarities including the way the malware communicates with command-and-control servers.

One year after its launch, TrickBot evolved to include a worm module, most likely to mimic the successful ransomware campaign, WannaCry. At this point, the creators also developed a module to target Outlook credentials, thus putting millions if not billions or corporate accounts at risk of compromise. This development, as well as other evolutions, allowed TrickBot to expand its capabilities to include harvesting cookies, browser history and other sensitive information. By the end of 2018, TrickBot was considered one of the top cybersecurity threats in the market.

In recent years, cybersecurity specialists have noticed significant improvement in TrickBot’s subversion techniques, making it harder for organizations to detect an active attack.

In addition to stealing financial information or serving as the platform for ransomware attacks, TrickBot may also be used to disrupt critical social services or undermine the democratic process. During the most recent United States presidential election, intelligence agencies confirmed that this malware posed a threat to the safe and fair election processes.

Recent TrickBot news from the CrowdStrike

WIZARD SPIDER Update: Resilient, Reactive and Resolute: Read

Over recent months, WIZARD SPIDER has demonstrated their resilience and dedication to criminal operations by operating multiple ransomware families with differing modi operandi, using TrickBot and BazarLoader to infiltrate victim environments and reacting to attempts to stop them in their tracks.

Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware: Read

WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER. This actor is a Russia-based criminal group known for the operation of the TrickBot banking malware that had focused primarily on wire fraud in the past.

How to protect against TrickBot Malware?

For enterprise organizations, the first step in protecting against TrickBot malware is awareness. Since humans alone cannot sufficiently monitor and analyze network traffic and activity to detect when an attack is in progress, it is important to develop a comprehensive, end-to-end cybersecurity strategy that protects the organization’s network, endpoints and users through a variety of advanced, intelligent prevention, detection and response capabilities.

These solutions should automate key aspects of the monitoring and analysis process and provide real-time alerts to administrators to help prioritize activity. This includes:

The organization should also take steps to ensure the overall safety of the network through the following cybersecurity best practices. These include:

  • Establishing end-to-end visibility of the network, including all endpoints and users
  • Following the principle of least privilege (POLP), which is a computer security concept and practice that gives users limited access rights based on the tasks necessary to their job
  • Enable a network segmentation strategy to segregate and isolate segments in the enterprise network to reduce the attack surface.
  • Implementing multi-factor authentication (MFA) and other identity security techniques

Since TrickBot attacks are initiated through a malicious link or attachment, it is also important to train employees to practice safe and responsible online behaviors. This includes:

  • Providing cybersecurity training to educate users on common attack techniques
  • Regularly share examples of phishing emails or social engineering campaigns so that people remain vigilant of such techniques
  • Incorporating a banner or other notation to alert employees that an email has originated from an external source
  • Require users to regularly change passwords and ensure strong passwords are used
  • Maintain control of your device and do not let other individuals use it


Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.