TrickBot malware is a banking Trojan released in 2016 that has since evolved into a modular, multi-phase malware capable of a wide variety of illicit operations, including:
- Stealing credentials, data and personal information
- Elevating account privileges to expand access to the compromised network
- Installing backdoors within the network to enable remote access
- Downloading and installing other malware or ransomware to carry out secondary attacks, the most common of which involve Ryuk or Conti ransomware
- Disabling antivirus tools or other cybersecurity measures, such as Windows Defender
- Modifying itself to avoid detection
What makes TrickBot especially concerning is its modular design: operators can add or swap modules to target weaknesses in a specific network or environment, and follow-on malware or ransomware then exploits the access those modules establish.
How does TrickBot malware work?
While the TrickBot malware is known for its evolution and adaptation, many campaigns follow a basic attack sequence:
- The TrickBot malware is delivered to the target through a malicious link or attachment, typically a phishing email carrying a macro-enabled Office document.
- Once the document is opened on the target device, the user is prompted to enable macros; the macro then downloads and runs the TrickBot binary. The malware loads additional modules to profile the network and steal data.
- To set the stage for future attacks, the TrickBot operators may also attempt to disable antivirus protection.
- As part of a secondary attack, TrickBot spreads laterally through the network, usually by exploiting a Server Message Block (SMB) vulnerability or by copying itself to administrative shares.
- A follow-on attack, such as a Ryuk ransomware attack, is deployed by the TrickBot group.
- The attackers manually delete or encrypt backup files and Volume Shadow Copies so that victims cannot restore without paying.
- Ryuk encrypts system data across the network and the ransom demand follows.
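The sequence above maps cleanly onto host-based indicators of attack: an Office application spawning a script host, a command line that turns off Defender, access to a remote ADMIN$ share, and a shadow-copy deletion. The following is an added example, not code from the original article or from CrowdStrike: a small Python detector that runs those rules over constructed process-creation events (the host names, command lines and the regexes are illustrative assumptions, not real TrickBot indicators) and then reconstructs which stages of the chain each host has exhibited.

```python
"""Added example: map constructed endpoint process-creation events onto the
TrickBot attack sequence (macro launch -> AV tamper -> SMB lateral movement ->
backup destruction). Not from the original article; rules are illustrative."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str      # endpoint that logged the event
    parent: str    # parent process image name
    image: str     # child process image name
    cmdline: str   # full command line of the child


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}

# Assumed patterns (lower-cased matching). Real rule sets are far larger.
AV_TAMPER = re.compile(
    r"set-mppreference.*-disablerealtimemonitoring"
    r"|sc(\.exe)?\s+(stop|config)\s+windefend"
    r"|add-mppreference.*-exclusionpath")
LATERAL_SMB = re.compile(
    r"psexec"
    r"|net(\.exe)?\s+use\s+\\\\\S+\\(admin|c)\$"
    r"|copy\s+\S+\s+\\\\\S+\\(admin|c)\$")
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog")


def office_spawn(e: ProcEvent) -> bool:
    """Macro execution: an Office app is the parent of a script/command host."""
    return e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS


# Ordered as in the attack sequence; each rule is (stage, predicate).
RULES = [
    ("macro-launch", office_spawn),
    ("av-tamper", lambda e: bool(AV_TAMPER.search(e.cmdline))),
    ("smb-lateral", lambda e: bool(LATERAL_SMB.search(e.cmdline))),
    ("backup-destroy", lambda e: bool(SHADOW_DELETE.search(e.cmdline))),
]


def detect(events):
    """Return [(host, stage, original cmdline)] for every event matching a rule."""
    hits = []
    for ev in events:
        low = ProcEvent(ev.host, ev.parent.lower(), ev.image.lower(), ev.cmdline.lower())
        for stage, pred in RULES:
            if pred(low):
                hits.append((ev.host, stage, ev.cmdline))
    return hits


def reconstruct_chain(events):
    """Per host, list the stages seen in attack-sequence order. A host showing
    several consecutive stages is far stronger evidence than any single hit."""
    order = [stage for stage, _ in RULES]
    per_host = {}
    for host, stage, _ in detect(events):
        per_host.setdefault(host, set()).add(stage)
    return {h: [s for s in order if s in seen] for h, seen in per_host.items()}


# Constructed sample telemetry (not real logs). WS-017 is a benign admin script.
SAMPLE_EVENTS = [
    ProcEvent("WS-042", "explorer.exe", "winword.exe",
              r'"C:\Program Files\Microsoft Office\WINWORD.EXE" invoice_3381.doc'),
    ProcEvent("WS-042", "winword.exe", "cmd.exe",
              r"cmd.exe /c powershell -w hidden -enc <base64>"),
    ProcEvent("WS-042", "powershell.exe", "powershell.exe",
              r"powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("WS-042", "cmd.exe", "net.exe",
              r"net use \\FILESRV01\ADMIN$ /user:CORP\svc_backup Summer2021!"),
    ProcEvent("FILESRV01", "cmd.exe", "vssadmin.exe",
              r"vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent("WS-017", "explorer.exe", "powershell.exe",
              r"powershell -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for host, stage, cmd in detect(SAMPLE_EVENTS):
        print(f"{host:10} {stage:15} {cmd}")
    print(reconstruct_chain(SAMPLE_EVENTS))
```

The value of grouping hits per host rather than alerting on each rule alone is that a lone `net use` to an ADMIN$ share is routine administration, while the same host having just spawned a command shell from Word and disabled real-time monitoring is not; the chain view is what lets an analyst prioritise.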
Symptoms of TrickBot Malware
Unfortunately, the user will rarely notice symptoms of a TrickBot infection, as it is designed to operate surreptitiously. A network administrator may notice signs of the attack, such as an unusual change in traffic patterns or attempts to reach out to foreign or blocklisted domains. However, detecting a TrickBot attack by hand is difficult if not impossible, given the sprawling and complex nature of most modern cloud or hybrid work environments and the sophistication of the malware itself.
Organizations must protect themselves with a comprehensive, advanced cybersecurity toolset which will continuously monitor network traffic and other activity in real-time and alert the IT team to suspicious behavior or anomalous activity that must be further investigated.
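The two network symptoms named above, contact with blocklisted domains and an unusual traffic pattern, are both checkable from ordinary proxy or DNS logs. Below is an added example, not code from the original article or from CrowdStrike: it parses a constructed proxy log, matches destinations against a constructed blocklist (an indicator-of-compromise check), and separately flags source/destination pairs contacted at near-constant intervals, the classic signature of an implant beaconing to a command-and-control server. The log lines, host names and thresholds are assumptions made for the example.

```python
"""Added example: IOC blocklist matching plus interval-based beacon detection
over a constructed proxy log. Not from the original article; all data is made up."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed blocklist standing in for a threat-intel feed (not real indicators).
BLOCKLIST = {"files-sync.example.org"}

# Constructed proxy log, one connection per line:
#   <ISO timestamp> <source IP> <destination host> <bytes out>
# 10.20.1.42 talks to cdn-metrics.example.net every ~5 minutes (a beacon);
# 10.20.1.17 browses normally but once hits a blocklisted host.
SAMPLE_LOG = """\
2021-06-14T09:00:02Z 10.20.1.42 cdn-metrics.example.net 1420
2021-06-14T09:00:05Z 10.20.1.42 intranet.corp.example 88210
2021-06-14T09:05:01Z 10.20.1.42 cdn-metrics.example.net 1402
2021-06-14T09:10:03Z 10.20.1.42 cdn-metrics.example.net 1433
2021-06-14T09:12:44Z 10.20.1.17 news.example.com 20190
2021-06-14T09:15:02Z 10.20.1.42 cdn-metrics.example.net 1418
2021-06-14T09:20:00Z 10.20.1.42 cdn-metrics.example.net 1425
2021-06-14T09:21:19Z 10.20.1.17 files-sync.example.org 512
2021-06-14T09:25:03Z 10.20.1.42 cdn-metrics.example.net 1411
2021-06-14T09:31:55Z 10.20.1.17 news.example.com 18000
2021-06-14T09:44:10Z 10.20.1.17 news.example.com 19500
"""


def parse_log(text):
    """Return [(datetime, src, dst, bytes_out)] for each non-empty log line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     src, dst.lower(), int(nbytes)))
    return rows


def blocklist_hits(rows, blocklist=BLOCKLIST):
    """IOC check: every distinct (src, dst) pair whose destination is blocklisted."""
    return sorted({(src, dst) for _, src, dst, _ in rows if dst in blocklist})


def beacon_candidates(rows, min_conns=5, max_cv=0.10):
    """IOA check: (src, dst, mean gap seconds, coefficient of variation) for pairs
    seen at least min_conns times whose inter-connection gaps barely vary.
    A low coefficient of variation (stdev / mean) means a metronomic check-in;
    raise max_cv to catch implants that add jitter, at the cost of more noise."""
    by_pair = {}
    for ts, src, dst, _ in rows:
        by_pair.setdefault((src, dst), []).append(ts)
    flagged = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else 0.0
        if cv <= max_cv:
            flagged.append((src, dst, round(m), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("blocklist hits:", blocklist_hits(rows))
    print("beacon candidates:", beacon_candidates(rows))
```

Both checks should feed the same alert queue: the blocklist match is high-confidence but only catches infrastructure already known to the feed, while the beacon heuristic needs no prior knowledge of the destination and is what surfaces fresh command-and-control domains, so it should be tuned against a baseline of legitimate periodic traffic (update checks, monitoring agents) before it is relied on.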
History of TrickBot Malware
TrickBot originated as a banking information stealer in 2016. It is widely believed that TrickBot shares some links to Dyreza, another highly-effective credential stealer that operated several years prior. TrickBot and Dyreza share many notable operational and structural similarities including the way the malware communicates with command-and-control servers.
One year after its launch, TrickBot gained a worm module, most likely inspired by the SMB-based spread that made the WannaCry ransomware campaign so effective. At the same time, its developers added a module to harvest Outlook credentials, putting millions if not billions of corporate accounts at risk of compromise. These and later additions extended TrickBot to harvesting cookies, browser history and other sensitive information. By the end of 2018, TrickBot was considered one of the most prevalent threats in the landscape.
In recent years, security researchers have noted significant improvements in TrickBot's evasion techniques, making an active attack harder for organizations to detect.
In addition to stealing financial information or serving as the platform for ransomware attacks, TrickBot may also be used to disrupt critical social services or undermine the democratic process. During the most recent United States presidential election, intelligence agencies confirmed that this malware posed a threat to the safe and fair election processes.
Recent TrickBot news from CrowdStrike
WIZARD SPIDER Update: Resilient, Reactive and Resolute
Over recent months, WIZARD SPIDER has demonstrated their resilience and dedication to criminal operations by operating multiple ransomware families with differing modi operandi, using TrickBot and BazarLoader to infiltrate victim environments and reacting to attempts to stop them in their tracks.
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
WIZARD SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER. This actor is a Russia-based criminal group known for the operation of the TrickBot banking malware that had focused primarily on wire fraud in the past.
How to protect against TrickBot Malware?
For enterprise organizations, the first step in protecting against TrickBot malware is awareness. Since humans alone cannot sufficiently monitor and analyze network traffic and activity to detect when an attack is in progress, it is important to develop a comprehensive, end-to-end cybersecurity strategy that protects the organization’s network, endpoints and users through a variety of advanced, intelligent prevention, detection and response capabilities.
These solutions should automate key aspects of the monitoring and analysis process and provide real-time alerts to administrators to help prioritize activity. This includes:
- Monitoring for Indicators of Compromise (IOC) and Indicators of Attack (IOA)
- Isolating infected machines from the network
- Updating and patching the network and software applications to address system vulnerabilities
- Alerting the cybersecurity team to anomalous behavior or unusual network activity
The organization should also take steps to ensure the overall safety of the network through the following cybersecurity best practices. These include:
- Establishing end-to-end visibility of the network, including all endpoints and users
- Following the principle of least privilege (POLP), granting users and service accounts only the access rights required for their tasks, so that a compromised account cannot be used to reach the whole network
- Enabling a network segmentation strategy that segregates and isolates segments of the enterprise network to limit lateral movement and reduce the attack surface
- Implementing multi-factor authentication (MFA) and other identity security techniques
Since TrickBot attacks are typically initiated through a malicious link or attachment, it is also important to train employees to practice safe and responsible online behavior. This includes:
- Providing cybersecurity training to educate users on common attack techniques
- Regularly sharing examples of phishing emails or social engineering campaigns so that people remain vigilant against such techniques
- Incorporating a banner or other notation to alert employees that an email has originated from an external source
- Requiring strong, unique passwords and rotating any credential that may have been exposed
- Keeping control of company devices and not letting other individuals use them