TrickBot, initially developed as banking malware, is constantly evolving and now aggregates powerful techniques to attack a variety of organizations. TrickBot is often used together with other malware in multistage attacks.
The banking Trojan TrickBot was developed in 2016 and is believed to be inspired by the Dyre bot. It is distributed via malspam campaigns containing malicious links and macro-enabled Word and Excel documents. If the attachment is opened, it prompts the user to enable macros; the macro then executes a VBScript that runs a PowerShell script to download the malware.
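The delivery chain described above (Office document, then a script host, then PowerShell) leaves a recognizable parent/child process pattern in endpoint telemetry. The following is an added detection example, not code from the original article or from any TrickBot sample: it walks a list of process-creation events and flags any script interpreter whose ancestor is Word or Excel, so that a PowerShell process launched through wscript.exe under WINWORD.EXE is still caught. The event records are constructed for the example, and the field names (pid, ppid, image, cmdline) are an assumed simplification of Sysmon Event ID 1 rather than any specific product's schema.

```python
"""Added example: detect the Office -> script host -> PowerShell chain in
process-creation telemetry. Sample events below are constructed, not real
TrickBot logs; the field layout is an assumed simplification of Sysmon
Event ID 1 (process create)."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Parent applications whose macros typically launch the chain.
OFFICE_APPS = {"winword.exe", "excel.exe"}
# Script hosts / shells that an Office application has little reason to spawn.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# How many ancestor hops to inspect (Office -> wscript -> powershell needs 2).
MAX_HOPS = 4


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path as logged
    cmdline: str  # command line as logged


def _basename(path: str) -> str:
    """Normalize a Windows or POSIX path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_office_script_chains(events: List[ProcEvent]) -> List[Tuple[str, str, int]]:
    """Return (office_parent, script_child, child_pid) for every script host
    whose ancestry (within MAX_HOPS) contains an Office application."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, str, int]] = []
    for e in events:
        child = _basename(e.image)
        if child not in SCRIPT_HOSTS:
            continue
        ancestor: Optional[ProcEvent] = by_pid.get(e.ppid)
        hops = 0
        while ancestor is not None and hops < MAX_HOPS:
            parent = _basename(ancestor.image)
            if parent in OFFICE_APPS:
                hits.append((parent, child, e.pid))
                break
            ancestor = by_pid.get(ancestor.ppid)
            hops += 1
    return hits


# Constructed sample telemetry: one malicious chain under WINWORD.EXE, one
# benign PowerShell started from Explorer, and a cmd.exe spawned by EXCEL.EXE.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.docm"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\wscript.exe", "wscript.exe stage.vbs"),
    ProcEvent(2200, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -File stage.ps1"),
    ProcEvent(3000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),  # admin opened a console from Explorer: benign
    ProcEvent(4000, 1000, r"C:\Program Files\Microsoft Office\EXCEL.EXE", "EXCEL.EXE report.xlsm"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c stage.bat"),
]


if __name__ == "__main__":
    for parent, child, pid in find_office_script_chains(SAMPLE_EVENTS):
        print(f"ALERT: {parent} -> {child} (pid {pid})")
```

The ancestry walk is what distinguishes this from a plain parent/child rule: the PowerShell process in the sample is two hops below Word and would be missed by a check that only looks at the direct parent. In production the same logic applies to whatever process-tree source you have, with the allow-listing of legitimate Office add-in launches done per environment.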
Some TrickBot campaigns also spread the malware across the network over the SMB protocol.
TrickBot’s main goal is to steal banking credentials and exfiltrate them to its command and control (C2) server. It can steal online account passwords saved in browsers, the infected host’s login credentials, OpenSSH keys, Active Directory Services databases, cookies and web history.
TrickBot’s modular design makes its features easy to customize and lets it drop additional malware, such as coin miners, remote access tools, VNC modules or ransomware, on the infected system.
Figure 1: ‘Black Lives Matter’ TrickBot Malspam campaign