External Threat Management Labs

TrickBot: Get to Know the Malware That Refuses to Be Killed

Versatile, easy to use, and widely available, TrickBot has become a favorite tool of threat actors of all skill levels and a formidable threat that security teams in all organizations should be familiar with. 

Over the last five years, TrickBot has earned a reputation as a remarkably adaptive modular malware, with its operators regularly updating its software to be more effective and potent against a wide range of targets worldwide. Over its history, TrickBot has largely been propagated through phishing and MalSpam attacks, tactics that remain prominent in TrickBot operations today. 

A Low Bar for Entry: TrickBot-as-a-Service

TrickBot operators have spent a great deal of energy evolving their infrastructure, using an extensive network of core and plugin servers to host the malware and its command-and-control (C2) infrastructure. Because of the malware's modular nature, TrickBot operators have now taken to selling the crimeware as a suite to a large and eager client base. 

The malware has been highly versatile as an Emotet downloader and a Ryuk and Conti ransomware dropper and has been linked to cyber threat actors TA505 and Wizard Spider.

All Lures (Could) Lead to TrickBot 

Anxiety over COVID-19 was incredibly fruitful for TrickBot in 2020, with TrickBot linked to more COVID-19 phishing emails than any other malware. 

However, TrickBot operators keep their lures current. The malware has been linked to lures threatening job termination. In March 2021, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning of a new TrickBot traffic-infringement-themed spear-phishing campaign. Recently, RiskIQ has observed live URLs actively hosting a "Traffic Violation" themed phishing scheme used to download TrickBot malware. 

Menlo Security researchers initially reported the phishing campaign in January 2021, which was exclusively targeting the legal and insurance sectors in the United States and Canada. While investigating the domains reported as compromised, RiskIQ was able to verify that at least one of the URLs identified in the campaign is, as of the date of publication, still actively hosting the phony traffic violation website and malicious zip download.

TrickBot lure

TrickBot Dies Hard

First observed in 2016 as a banking trojan, TrickBot was operating on a widespread botnet believed to have evolved from the Dyre botnet, likely out of Russia. These early operations focused primarily on banking credential theft, targeting banking sites across North America and Europe. 

In the fall of 2020, Microsoft and a handful of U.S. government agencies and private security companies teamed up to tackle the TrickBot botnet, taking down an impressive 120 of the 128 servers identified as TrickBot infrastructure across the globe, in addition to legal court orders and other technical efforts that stymied operations. 

However, the takedowns only served as a temporary solution, and TrickBot operators almost immediately adjusted tactics and began hosting their malware in other criminal servers.

Lateral Movement 

TrickBot malware can propagate through affected networks by exploiting known vulnerabilities in Windows Server Message Block (SMB) and Remote Desktop Protocol (RDP). Use of these protocols exploded in the wake of COVID-19, when the workforce became decentralized. 

2020 saw a steady stream of vulnerability disclosures for remote-access and perimeter devices, and the trend continues in 2021. Organizations that lack situational awareness of this rapidly evolving vulnerability and threat landscape are especially exposed to attacks involving TrickBot. 
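Worm-style propagation over SMB and RDP leaves a characteristic footprint in connection logs: one internal host suddenly opening port 445 or 3389 sessions to many distinct internal peers. The following detector is an added example written for this post, not RiskIQ's or TrickBot's code; the log format, IP ranges, thresholds and sample lines are all constructed assumptions, and the detection idea is generic fan-out counting rather than anything specific to TrickBot's exploit modules.

```python
"""Fan-out detector for SMB/RDP lateral movement (added example).

Flags internal hosts that open SMB (445) or RDP (3389) connections to an
unusual number of distinct internal peers within a short window, which is
what propagation through SMB/RDP exploits tends to look like in connection
logs. The log format and every sample line below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

LATERAL_PORTS = {445: "SMB", 3389: "RDP"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Constructed sample connection log: "<ISO time> <src> <dst> <dst_port>"
SAMPLE_LOG = """\
2021-03-18T09:00:01 10.0.5.21 10.0.5.30 445
2021-03-18T09:00:02 10.0.5.21 10.0.5.31 445
2021-03-18T09:00:02 10.0.5.21 10.0.5.32 445
2021-03-18T09:00:03 10.0.5.21 10.0.5.33 3389
2021-03-18T09:00:04 10.0.5.21 10.0.5.34 445
2021-03-18T09:00:05 10.0.5.21 10.0.5.35 445
2021-03-18T09:00:06 10.0.5.21 10.0.5.36 445
2021-03-18T09:03:00 10.0.7.9 10.0.7.10 445
2021-03-18T09:04:00 10.0.7.9 10.0.7.10 445
2021-03-18T09:05:00 10.0.7.9 10.0.7.11 3389
2021-03-18T09:06:00 10.0.2.4 93.184.216.34 443
2021-03-18T09:07:00 10.0.9.1 10.0.9.2 445
2021-03-18T09:20:00 10.0.9.1 10.0.9.3 445
2021-03-18T09:35:00 10.0.9.1 10.0.9.4 445
2021-03-18T09:50:00 10.0.9.1 10.0.9.5 445
2021-03-18T10:05:00 10.0.9.1 10.0.9.6 445
2021-03-18T10:20:00 10.0.9.1 10.0.9.7 445
"""


def parse_log(text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            port = int(parts[3])
        except ValueError:
            continue
        yield ts, src, dst, port


def detect_fanout(text, threshold=5, window_minutes=5):
    """Return {src: (peer_count, protocols)} for internal sources that reach
    at least `threshold` distinct internal peers over 445/3389 within any
    `window_minutes` window. Only internal-to-internal traffic is counted."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)   # src -> [(time, dst, port), ...]
    for ts, src, dst, port in parse_log(text):
        if port in LATERAL_PORTS and src in INTERNAL and dst in INTERNAL:
            events[src].append((ts, dst, port))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        # Sliding window anchored at each event in time order; stop at the
        # first window that crosses the threshold for this source.
        for i, (start, _, _) in enumerate(evs):
            peers, protos = set(), set()
            for ts, dst, port in evs[i:]:
                if ts - start > window:
                    break
                peers.add(dst)
                protos.add(LATERAL_PORTS[port])
            if len(peers) >= threshold:
                alerts[str(src)] = (len(peers), sorted(protos))
                break
    return alerts


if __name__ == "__main__":
    for src, (n, protos) in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct internal peers over "
              f"{'/'.join(protos)} within 5 minutes")
```

On the sample data only 10.0.5.21 trips the default five-minute window; 10.0.9.1 touches six peers but spaced fifteen minutes apart, so it is only caught when the window is widened. That is the trade-off to tune: a short window catches fast propagation with few false positives, while slower, deliberate movement needs longer windows or a baseline of each host's normal peer count.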

TrickBot is Likely Here to Stay

In the wake of the Emotet botnet takeover by law enforcement, TrickBot remains at the top of the world's most-wanted malware list. Despite incredible technical efforts that went into taking down the TrickBot botnet in October 2020, the resilient operators behind the malware appear to have bounced back in 2021 with new modules, tools, and phishing campaigns. 

This resurgence should remind the cyber world that the criminal powerhouse that is TrickBot will take incredible industry collaboration to be stopped for good.

Get to Know TrickBot

There are now over 100 variations of TrickBot, including the recently identified "Trickboot" module that can, frighteningly, modify the UEFI firmware of a compromised device. The transition into crimeware-as-a-service has seen TrickBot being used by heavy-hitting threat actors such as TA505 and Wizard Spider, being employed by Emotet for lateral movement, and used in countless ransomware campaigns. 

Visit our Threat Intelligence Portal for our complete analysis of TrickBot, and try RiskIQ's Illuminate® Internet Intelligence Platform to understand how next-gen security intelligence can defend your organization's unique attack surface from threats like TrickBot. 
