Skip to content

S0266 TrickBot

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of “big game hunting” ransomware campaigns.7624

Item Value
ID S0266
Associated Names Totbrick, TSPY_TRICKLOAD
Type MALWARE
Version 2.0
Created 17 October 2018
Last Modified 23 February 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Totbrick 1 5
TSPY_TRICKLOAD 1

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account TrickBot collects the users of the system.79
enterprise T1087.003 Email Account TrickBot collects email addresses from Outlook.9
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.78
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder TrickBot establishes persistence in the Startup folder.14
enterprise T1185 Browser Session Hijacking TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.6259
enterprise T1110 Brute Force -
enterprise T1110.004 Credential Stuffing TrickBot uses brute-force attack against RDP with rdpscanDll module.1415
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers.
12
enterprise T1059.003 Windows Command Shell TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.3
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.9
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.9812
enterprise T1555.005 Password Managers TrickBot can steal passwords from the KeePass open source password manager.8
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding TrickBot can Base64-encode C2 commands.8
enterprise T1005 Data from Local System TrickBot collects local files and information from the victim’s local machine.7
enterprise T1140 Deobfuscate/Decode Files or Information TrickBot decodes the configuration data and modules.6816
enterprise T1482 Domain Trust Discovery TrickBot can gather information about domain trusts by utilizing Nltest.178
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.6Newer versions of TrickBot have been known to use bcrypt to encrypt and digitally sign responses to their C2 server. 11
enterprise T1041 Exfiltration Over C2 Channel TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.812
enterprise T1210 Exploitation of Remote Services TrickBot utilizes EternalBlue and EternalRomance exploits for lateral movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, tabDll.14
enterprise T1008 Fallback Channels TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.8
enterprise T1083 File and Directory Discovery TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.79
enterprise T1495 Firmware Corruption TrickBot module “Trickboot” can write or erase the UEFI/BIOS firmware of a compromised device.10
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools TrickBot can disable Windows Defender.9
enterprise T1105 Ingress Tool Transfer TrickBot downloads several additional files and saves them to the victim’s machine.112
enterprise T1056 Input Capture -
enterprise T1056.004 Credential API Hooking TrickBot has the ability to capture RDP credentials by capturing the CredEnumerateA API3
enterprise T1559 Inter-Process Communication -
enterprise T1559.001 Component Object Model TrickBot used COM to setup scheduled task for persistence.14
enterprise T1036 Masquerading The TrickBot downloader has used an icon to appear as a Microsoft Word document.8
enterprise T1112 Modify Registry TrickBot can modify registry entries.9
enterprise T1106 Native API TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.7 TrickBot has also used Nt* API functions to perform Process Injection.16
enterprise T1135 Network Share Discovery TrickBot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API.1415
enterprise T1571 Non-Standard Port Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.761 Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443. 12
enterprise T1027 Obfuscated Files or Information TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.7
enterprise T1027.002 Software Packing TrickBot leverages a custom packer to obfuscate its functionality.7
enterprise T1069 Permission Groups Discovery TrickBot can identify the groups the user on a compromised host belongs to.8
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware3
enterprise T1566.002 Spearphishing Link TrickBot has been delivered via malicious links in phishing e-mails.8
enterprise T1542 Pre-OS Boot -
enterprise T1542.003 Bootkit TrickBot can implant malicious code into a compromised device’s firmware.10
enterprise T1057 Process Discovery TrickBot uses module networkDll for process list discovery.1415
enterprise T1055 Process Injection TrickBot has used Nt* Native API functions to inject code into legitimate processes such as wermgr.exe.16
enterprise T1055.012 Process Hollowing TrickBot injects into the svchost.exe process.7158
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy TrickBot has been known to reach a command and control server via one of nine proxy IP addresses. 11 12
enterprise T1219 Remote Access Software TrickBot uses vncDll module to remote control the victim machine.1415
enterprise T1021 Remote Services -
enterprise T1021.005 VNC TrickBot has used a VNC module to monitor the victim and collect information to pivot to valuable systems on the network 1312
enterprise T1018 Remote System Discovery TrickBot can enumerate computers and network devices.8
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task TrickBot creates a scheduled task on the system that provides persistence.715
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing TrickBot has come with a signed downloader component.8
enterprise T1082 System Information Discovery TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.76810
enterprise T1016 System Network Configuration Discovery TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.798
enterprise T1033 System Owner/User Discovery TrickBot can identify the user and groups the user belongs to on a compromised host.8
enterprise T1007 System Service Discovery TrickBot collects a list of install programs and services on the system’s machine.7
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP.98 Additionally, it searches for the “.vnc.lnk” affix to steal VNC credentials.3
enterprise T1552.002 Credentials in Registry TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key 3
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File TrickBot has attempted to get users to launch malicious documents to deliver its payload. 38
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion TrickBot has used printf and file I/O loops to delay process execution as part of API hammering.16

Groups That Use This Software

ID Name References
G0102 Wizard Spider 1819204
G0092 TA505 2122

References

  1. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018. 

  2. Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018. 

  3. Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019. 

  4. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  5. Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018. 

  6. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. 

  7. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 

  8. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. 

  9. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018. 

  10. Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021. 

  11. Liviu Arsene, Radu Tudorica. (2020, November 23). TrickBot is Dead. Long Live TrickBot!. Retrieved September 28, 2021. 

  12. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021. 

  13. Ionut Illascu. (2021, July 14). Trickbot updates its VNC module for high-value targets. Retrieved September 10, 2021. 

  14. Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021. 

  15. Tudorica, R., Maximciuc, A., Vatamanu, C. (2020, March 18). New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong. Retrieved March 15, 2021. 

  16. Joe Security. (2020, July 13). TrickBot’s new API-Hammering explained. Retrieved September 30, 2021. 

  17. Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot’s New Reconnaissance Plugin. Retrieved February 14, 2019. 

  18. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. 

  19. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  20. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020. 

  21. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  22. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.