TrickBot is a Trojan spyware program that has mainly been used to target banking users in the U.S., Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre or Dyreza.
After 2019 TrickBot became a flexible, universal, module-based crimeware solution and, over the years, shifted its focus to enterprise environments, adding many capabilities such as network profiling, mass data collection, and lateral-movement exploits.
In an effort to take down TrickBot, several vendors worked together in October 2020 to take down 94% of the core servers crucial to TrickBot operations and to disrupt the botnet that spreads it. However, one year later, Check Point discovered thousands of infections, including an information stealer module targeting SSH keys and credentials. (Citation: Check Point)
Associated Software Descriptions

| Domain | ID | Sub-technique | Name |
|---|---|---|---|
| Enterprise | VT0021 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
| Enterprise | VT0027 | .001 | Encrypted Channel: Symmetric Cryptography |
| Enterprise | VT0026 | | Exploitation of Remote Services |
| Enterprise | VT0034 | | Remote System Discovery |
| Enterprise | VT0016 | .002 | Subvert Trust Controls: Code Signing |
| Enterprise | VT0017 | .002 | Unsecured Credentials: Credentials in Registry |
| Enterprise | VT0017 | .001 | Unsecured Credentials: Credentials in Files |
| Enterprise | VT0017 | .004 | Unsecured Credentials: Private Keys |
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
- Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot's Machinations. Retrieved August 2, 2018.
- Trend Micro. Trickbot Adds Credential-Grabbing Capabilities.
- Unit 42 (Palo Alto Networks). Trickbot Updates Password Grabber Module.
- BleepingComputer. Emotet-TrickBot Malware Duo Is Back Infecting Windows Machines.
- TrickBot Takedown Disrupts Major Crimeware Apparatus.
- Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
- Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
- Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
- Dahan, A. et al. (2019, December 11). Dropping Anchor: From a Trickbot Infection to the Discovery of the Anchor Malware. Retrieved September 10, 2020.
- Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.
- Llimos, N., Pascual, C. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
Created: 06 May 2021
Last Modified: 17 February 2022