Trick Bot

TrickBot is a modular malware, primarily a banking trojan, operated by the Wizard Spider group, known for its evolving capabilities and targeting various organizations, especially in healthcare. It employs multiple attack vectors such as malvertising and spear phishing, and utilizes various modules for data exfiltration, credential harvesting, and network propagation. Defense strategies include employee training, patch management, and implementing security measures like IDS and anti-malware solutions.


Trickbot

01/09/2020

Report #: 202001091000
Agenda

• Overview
• Attack vectors and initial execution
• Persistence and propagation
• References
• Questions

Image courtesy of ZDNet

Slides Key:
Non-Technical: managerial, strategic and high-level (general audience)
Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)

TLP: WHITE, ID# 202001091000 2


Overview

• AKA Trickster, TrickLoader and TheTrick
• Modular malware, described as a banking trojan
• Similar to Dyreza, an old credential-stealer
  • Probably operated and maintained by the same group - code similarities and circumstances
• Used by: Wizard Spider (likely Russian cybercriminals)
• What separates TrickBot from the crowd?
  • Constantly evolving (and increasingly powerful)
  • Frequently used to target a variety of organizations
  • Nothing that TrickBot does is unique
  • Aggregate capabilities make it a powerful tool
  • Offered as Access-as-a-Service
• Frequently used to target healthcare organizations and providers
• Often utilized in combination with other malware in multi-staged attacks

Image caption: Name is in the code
Images courtesy of Malwarebytes



Attack vectors and initial execution

• TrickBot uses standard attack vectors for infection:
  • Malvertising – The use of advertising – legitimate or fake – to surreptitiously deliver TrickBot to the victim system
  • Spear phishing – E-mails with malicious links or attachments that specifically target organizational leadership
  • Network vulnerabilities – SMB (Server Message Block) and RDP (Remote Desktop Protocol) are common
  • Secondary payload – Sometimes dropped by other malware (second stage), often Emotet
• Execution – multiple layers
  • First layer contains the encrypted payload
    • Attempts to conceal TrickBot from detection
    • Uses AES or ECC encryption
  • Second layer is the main bot loader
    • Will deploy either the 32-bit or 64-bit payload

Image courtesy of Malwarebytes



Persistence and propagation

• TrickBot maintains access via the creation of a scheduled task
• Further spreading/lateral movement:
  • EternalBlue exploit
  • DLLs
  • PowerShell Empire
  • Vulnerable network shares

Image courtesy of Malwarebytes
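The scheduled-task persistence noted above is something a responder can triage from the host's own task inventory. The Python below is an added example, not part of the HC3 briefing: it parses constructed `schtasks /query /v /fo CSV` output (reduced to three columns, with invented task names, paths and author account) and flags actions that run from user-writable directories or start a script host hidden or with an encoded command. That heuristic is this example's assumption, not an indicator from the briefing.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /v /fo CSV` output, cut down to three of its
# columns. Task names, paths and the author account are invented for this example.
SAMPLE_SCHTASKS_CSV = r'''"TaskName","Task To Run","Author"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Microsoft Corporation"
"\OneDrive Standalone Update Task","%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","CONTOSO\alice"
"\Services Update","C:\Users\alice\AppData\Roaming\svcupd\svcupd.exe","CONTOSO\alice"
"\Updater Check","cmd.exe /c powershell -w hidden -enc QQBBAEEA","CONTOSO\alice"
'''

# Assumed triage heuristic (this example's, not the briefing's): a task whose action
# lives in a user-writable directory, or that starts a script host hidden or with an
# encoded command, is handed to an analyst. Legitimate per-user software (OneDrive
# above) also lives under AppData, so matches are review items, not verdicts.
USER_WRITABLE = re.compile(
    r"%(appdata|localappdata|temp|tmp|public|programdata)%"
    r"|\\appdata\\|\\temp\\|\\users\\public\\|\\programdata\\",
    re.IGNORECASE,
)
SCRIPT_HOST = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b"
    r".*?(-e(nc|ncodedcommand)?\b|-w(indowstyle)? hidden|https?://)",
    re.IGNORECASE,
)


def triage_scheduled_tasks(csv_text: str) -> list:
    """Return the tasks worth a closer look, each with the reason(s) it matched."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        reasons = []
        if USER_WRITABLE.search(action):
            reasons.append("runs from user-writable location")
        if SCRIPT_HOST.search(action):
            reasons.append("script host launched hidden/encoded")
        if reasons:
            findings.append({
                "task": row["TaskName"],
                "action": action,
                "author": row.get("Author", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_scheduled_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{f['task']}  ({f['author']}): {'; '.join(f['reasons'])}")
        print(f"    {f['action']}")
```

On a live host the same function can be fed the output of `schtasks /query /v /fo CSV` captured to a file; the extra columns are ignored.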



TrickBot functionality overview

• Data exfiltration
  • Banking/Financial information
• System/Network reconnaissance
• Credential and user info harvesting
• Network propagation
• Remote control (C2)
• Dropper (Rig Exploit Kit, Ryuk)
• Persistence (scheduled task or registry key)
• Code injection
• Anti-detection/analysis
• SIM-swapping

“TrickBot was developed in 2016 as a banking malware, however, since then it has developed into something essentially different – a flexible, universal, module-based crimeware solution” – Sentinel Labs



Common TrickBot Modules

• Data exfiltration
• TrickBot often leverages open redirections and server side injects to steal banking credentials.
• What is an open redirect?
• When a user-submitted link directs a web app/server to redirect the user to a malicious
webpage instead.

• [Link]als/

• TrickBot has many modules to steal banking info


• Dinj – File contains banking information; Uses server side web injections
• Dpost – Most of the data exfiltrated by TrickBot is sent to the dpost IP address.
• LoaderDll/InjectDll – Monitors for banking website activity; Leverages web injects to steal
financial data.
• Sinj – Retains information on targeted online banks; Utilizes redirection attacks (fake web
injections) to exfiltrate financial data
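The open-redirect abuse described above comes down to a login or link handler trusting a user-supplied destination. The Python below is an added example, not code from the briefing or from any TrickBot analysis: the naive handler beside a hardened one that honours only same-origin, path-relative targets. The origin `https://bank.example`, the function names and the probe values are assumptions of this example.

```python
from urllib.parse import urljoin, urlparse

# Assumed origin of the web application for this example (constructed, not from the
# briefing). Redirect targets are accepted only if they stay on this origin.
APP_ORIGIN = "https://bank.example"


def vulnerable_redirect_target(next_param: str) -> str:
    """Naive handler: the user-submitted 'next' value is used verbatim as the
    Location header. A crafted link such as
    https://bank.example/login?next=https://evil.example/ bounces the victim
    from the trusted domain to an attacker-controlled page."""
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Hardened handler: honour only local, path-relative targets and fall back
    to `default` for anything that resolves to another origin or scheme."""
    if not next_param:
        return default
    # Backslashes and control characters are rejected outright: browsers treat
    # "/\evil.example" like "//evil.example", which urllib would not flag.
    if "\\" in next_param or any(ord(c) < 0x20 for c in next_param):
        return default
    # Resolve the value against our own origin, then compare scheme and host.
    # "//evil.example", "https://evil.example", "https://bank.example@evil.example"
    # and "javascript:..." all end up with a foreign scheme or netloc here.
    resolved = urlparse(urljoin(APP_ORIGIN + "/", next_param))
    expected = urlparse(APP_ORIGIN)
    if (resolved.scheme, resolved.netloc) != (expected.scheme, expected.netloc):
        return default
    # Re-emit only path and query, so whatever survived cannot smuggle a host.
    path = resolved.path if resolved.path.startswith("/") else "/"
    return path + ("?" + resolved.query if resolved.query else "")


if __name__ == "__main__":
    for probe in ("/account/summary?tab=1", "https://evil.example/login",
                  "//evil.example/login", "/\\evil.example", "javascript:alert(1)"):
        print(f"{probe!r:32} vulnerable -> {vulnerable_redirect_target(probe)!r:32} "
              f"safe -> {safe_redirect_target(probe)!r}")
```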



Common TrickBot Modules (continued)

• System/Network Reconnaissance
• Mailsearcher – Compares all files on the disk against a list of file extensions.
• NetworkDll – Collects system information and maps networks
• Systeminfo – Provides hackers with basic system information for reconnaissance purposes

• Credential harvesting
• DomainDll – Uses LDAP to harvest credentials and configuration data from domain controller by
accessing shared SYSVOL files.
• ModuleDll/ImportDll – Harvests browser data – cookies and browser configs.
• OutlookDll – Harvests saved MS Outlook credentials by querying registry keys
• Pwgrab – Steals credentials, autofill data, history, and other information from browsers as well as
several software applications
• SqulDll – Forces WDigest authentication; Utilizes Mimikatz to scrape credentials from [Link].
The worming modules use these credentials.

• Network Propagation
• WormDll and ShareDll – Worming module that uses Server Message Block (SMB) and Lightweight
Directory Access Protocol (LDAP) for lateral movement.
• TabDll – Leverages EternalRomance exploit (CVE-2017-0147) to spread via SMBv1.



Wizard Spider

• Wizard Spider
  • Operators of TrickBot
  • Carry out wire fraud
  • Alleged to be affiliated with Russian cybercrime rings
  • Affiliated with Grim Spider, Lunar Spider and Mummy Spider
  • Some members were part of the group that operated Dyre (Dyreza)
• Dyreza ceased operating in November 2015 after Russian law enforcement raided the entertainment company believed to be behind it
  • No Dyreza activity for a little over a year
• October, 2016 - TrickBot identified in the wild for the first time with noted similarities to Dyreza; The operation was immediately successful and grew
• Secure Works identifies the same group as GOLD BLACKBURN

Image courtesy of ThreatPost



TrickBot vs. Healthcare

• TrickBot – multi-stage attacks
  • Malware can drop TrickBot
    • Emotet
  • TrickBot can drop other malware
    • Ransomware
• Dwell time means you shouldn’t assume all attacks are single-step
• Ransomware, which ravages the healthcare community, is often dropped
• A frequent combination: Emotet drops TrickBot; TrickBot drops Ryuk
  • Emotet: Initial compromise; Often delivered via spam/phishing or RDP exploitation; Delivers TrickBot
  • TrickBot: Payload of Emotet; Used to conduct reconnaissance; Delivers Ryuk
  • Ryuk executes its ransomware functionality
• TrickBot is also commonly used to deploy Mimikatz

Image courtesy of Dark Reading



TrickBot Defense/Infection Prevention

Image courtesy of Swiss Government Computer Emergency Response Team



TrickBot Defense/Infection Prevention

• Provide social engineering and phishing training to employees. [10.S.A], [1.M.D]
• Develop and maintain policy on suspicious e-mails for end users; Ensure suspicious e-mails are reported
[10.S.A], [10.M.A]
• Ensure emails originating from outside the organization are automatically marked before received [1.S.A],
[1.M.A]
• Apply applicable patches and updates immediately after testing; Develop and maintain patching program if
necessary. [7.S.A], [7.M.D]
• Implement Intrusion Detection System (IDS). [6.S.C], [6.M.C], [6.L.C]
• Implement spam filters at the email gateways. [1.S.A], [1.M.A]
• Block suspicious IP addresses at the firewall. [6.S.A], [6.M.A], [6.L.E]
• Implement whitelisting technology on appropriate assets to ensure that only authorized software is allowed
to execute. [2.S.A], [2.M.A], [2.L.E]
• Implement access control based on the principle of least privilege. [3.S.A], [3.M.A], [3.L.C]
• Implement and maintain anti-malware solution. [2.S.A], [2.M.A], [2.L.D]
• Conduct system hardening to ensure proper configurations. [7.S.A], [7.M.D]
• Disable the use of SMBv1 (and all other vulnerable services and protocols) and require at least SMBv2.
[7.S.A], [7.M.D]
• Yara Rules: [Link]



Indicators of Compromise



Indicators of Compromise

NOTE: There exists a very large quantity of IOCs associated with TrickBot. This presentation contains only a small sample. Furthermore, due to the aggressive and constant development of the tool, new IOCs are frequently released. Therefore, we strongly advise any organization that wishes to adequately protect itself from TrickBot to continually maintain situational awareness regarding the latest releases.


Reference Materials
References

• Deep Analysis of the Online Banking Botnet TrickBot
• [Link]
• Quick Test Drive of TrickBot (It now has a Monero module)
• [Link]
• Quick Analysis of a TrickBot Sample with NSA's Ghidra SRE Framework
• [Link]
• TrickBot’s bag of tricks
• [Link]
• Let's Learn: TrickBot Socks5 Backconnect Module In Detail
• [Link]
• Let's Learn: Introducing New TrickBot LDAP "DomainGrabber" Module
• [Link]
• Let's Learn: TrickBot Implements Network Collector Module Leveraging CMD, WMI & LDAP
• [Link]
• How Does the TrickBot Malware Work?
• [Link]
• Introducing TrickBot, Dyreza’s successor
• [Link]
• TrickBot comes up with new tricks: attacking Outlook and browsing data
• [Link]outlook-and-browsing-data/

References

• What’s new in TrickBot? Deobfuscating elements
• [Link]deobfuscating-elements/
• The 2019 Resurgence of Smokeloader
• [Link]
• TrickBot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
• [Link]credential-grabbing-capabilities-to-its-repertoire/
• TrickBot Shows Off New Trick: Password Grabber Module
• [Link]grabber-module
• TrickBot spread by Necurs botnet, adds Nordic countries to its targets
• [Link]its-targets
• Little TrickBot Growing Up: New Campaign
• [Link]



References

• TrickBot Expands Global Targets Beyond Banks and Payment Processors to CRMs
• [Link]banks-and-payment-processors-to-crms
• GitHub: TrickBot config files
• [Link]
• Inquest: Memory Analysis of TrickBot
• [Link]
• Vipre: TrickBot’s Tricks
• [Link]
• Reverse engineering malware: TrickBot (part 1 - packer)
• [Link]
• Reverse engineering malware: TrickBot (part 2 - loader)
• [Link]
• Reverse engineering malware: TrickBot (part 3 - core)
• [Link]
• TrickBot Takes to Latin America, Continues to Expand Its Global Reach
• [Link]



References

• TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
• [Link]
• Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
• [Link]
• New Version of “TrickBot” Adds Worm Propagation Module
• [Link]
• TrickBot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
• [Link]
• Deep Analysis of TrickBot New Module pwgrab
• [Link]
• Severe Ransomware Attacks Against Swiss SMEs
• [Link]
• TrickBot - An analysis of data collected from the botnet
• [Link]
• TrickBot Banking Trojan - [Link]
• [Link]
• The TrickBot and MikroTik connection
• [Link]



References

• TrickBot Modifications Target U.S. Mobile Users
• [Link]
• INNOVACIÓN EN PROCESOS - ORGANIZATIVOS INFORME DE MALWARE -Evolución de TrickBot
(Report in Spanish, but MD5 hashes on page 4)
• [Link]
• Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
• [Link]directory-for-fun-and-profit-vitali-kremez
• Sneaky Monkey - TrickBot – Analysis
• [Link]
• Sneaky Monkey - TrickBot – Analysis Part II
• [Link]
• Evolving TrickBot Adds Detection Evasion and Screen-Locking Features
• [Link]adds-detection-evasion-and-screen-locking-features
• Tale of the Two Payloads – TrickBot and Nitol
• [Link]and-nitol/



References

• Random RE: TrickBot & UACME
• [Link]
• Targeted TrickBot activity drops 'PowerBrace' backdoor
• [Link]
• Palo Alto Unit 42 - Wireshark Tutorial: Examining TrickBot Infections
• [Link]
• Netscout - TrickBot Banker Insights
• [Link]
• TrickBot banking trojan using EFLAGS as an anti-hook technique
• [Link]
• F5 Networks: The TrickBot Evolution
• [Link]
• Detricking TrickBot Loader
• [Link]
• “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
• [Link]web



References
• Latest TrickBot Variant has New Tricks Up Its Sleeve
• [Link]
• Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk
• [Link]ransomware
• TrickBot: We Missed you, Dyre
• [Link]
• A Nasty Trick: From Credential Theft Malware to Business Disruption
• [Link]
[Link]
• TrickBot Banking Trojan Adapts with New Module
• [Link]
• TrickBot Adds ‘Cookie Grabber’ Information Stealing Module
• [Link]
• TrickBot Malware Goes After Remote Desktop Credentials
• [Link]



References
• TrickBot, today's top trojan, adds feature to aid SIM swapping attacks
• [Link]
• TrickBot or Treat – Knocking on the Door and Trying to Enter
• [Link]
• Stealthy TrickBot Malware Has Compromised 250 Million Email Accounts And Is Still Going Strong
• [Link]250-million-email-accounts-and-is-still-going-strong/#6d1ea4b34884
• MS-ISAC Releases Security Primer on TrickBot Malware
• [Link]TrickBot-Malware
• [Link]
• [Link]
• Security Primer – TrickBot
• [Link]
• TrickBot Trojan Getting Ready to Steal OpenSSH and OpenVPN Keys
• [Link]openvpn-keys/





References
• GitHub: malware_configs
• [Link]
• TrickBot — a concise treatise
• [Link]
• What Is an Open Redirection Vulnerability and How to Prevent it?
• [Link]



Questions

Upcoming Briefs
• Botnet Threats to the healthcare industry
• Zeppelin Ransomware

Product Evaluations
Recipients of this and other Healthcare Sector Cybersecurity Coordination Center (HC3) Threat Intelligence products
are highly encouraged to provide feedback to HC3@[Link].

Requests for Information


Need information on a specific cybersecurity topic? Send your request for information (RFI) to HC3@[Link] or call
us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110.



About Us

HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector

Products

Sector & Victim Notifications: Directed communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft and general notifications to the HPH about currently impacting threats via the HHS OIG

White Papers: Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.

Threat Briefings & Webinar: Briefing document and presentation that provides actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.

Need information on a specific cybersecurity topic or want to join our listserv? Send your request for
information (RFI) to HC3@[Link] or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110.



Contact

Health Sector Cybersecurity Coordination Center (HC3)
(202) 691-2110
HC3@[Link]
