TrickBot

TrickBot is a Trojan spyware program that has mainly been used for targeting banking users in the U.S., Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre or Dyreza.[1] [2] [3]

After 2019 TrickBot became a flexible, universal, module-based crimeware solution and has shifted focus to enterprise environments over the years to incorporate many features from network profiling, mass data collection, and incorporation of lateral traversal exploits.

TrickBot uses Private Keys and credentials' grabbing module for OpenSSH and OpenVPN as well as for PuTTY for Windows - to enable Lateral Movement through SSH Remote Services.[4][5][6]

In an effort to take down Trickbot, different vendors worked together to take down 94% of core servers crucial for Trickbot operations in October 2020 and disrupt the botnet that spreads it.[7] However, one year later, CheckPoint discovered thousands of infections, including an information stealer module targeting SSH keys and credentials.(Citation: Check Point)

Associated Software Descriptions

Name Description
Totbrick

[8] [9]

TSPY_TRICKLOAD

[8]

Techniques Used

Domain ID Name Use
Enterprise VT0021 .003 Credentials from Password Stores: Credentials from Web Browsers

TrickBot can obtain credentials stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge.[10][11]

Enterprise VT0027 .001 Encrypted Channel: Symmetric Cryptography

TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.[2]

Enterprise VT0026 Exploitation of Remote Services

TrickBot utilizes EternalBlue and EternalRomance exploits for Lateral Movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, tabDll.[12]

Enterprise VT0015 Masquerading

The TrickBot downloader has used an icon to appear as a Microsoft Word document.[11]

Enterprise VT0034 Remote System Discovery

TrickBot enumerates computers and network devices for Lateral Movement.[11]

Enterprise VT0016 .002 Subvert Trust Controls: Code Signing

TrickBot is delivered with a signed downloader component.[11]

Enterprise VT0017 .002 Unsecured Credentials: Credentials in Registry

TrickBot retrieves PuTTY credentials and keys by querying the Software\SimonTatham\Putty\Sessions registry key [13]

.001 Unsecured Credentials: Credentials In Files

TrickBot can obtain credentials stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN, WinSCP and VNC.[10][11][13]

.004 Unsecured Credentials: Private Keys

TrickBot has a Private Keys grabbing module for OpenSSH and PuTTY.

References

Attachments

ID
VS0011
Associated Software
Totbrick
TSPY_TRICKLOAD
Type
MALWARE
Platforms
Windows
Version
1.4

Created: 06 May 2021

Last Modified: 17 February 2022