TrickBot malware has continually been increasing in activity over the past year, causing serious damage to organizations. Back in July, a new feature of TrickBot was introduced, called TrickBooster. Because of this feature, TrickBot has been able to spread itself more quickly and easily to other devices.
TrickBot is a type of malware that regularly appears as part of large-scale malware campaigns. While the primary purpose of the malware is to steal user credentials for financial institutions, it can be adapted for a variety of different purposes. The three defining characteristics of the TrickBot malware are that it is a man-in-the-browser banking trojan, a modular malware variant, and a network worm.
Man-in-the-Browser Banking Trojan
While TrickBot is an extremely versatile piece of malware, its primary purpose is to steal financial information. It accomplishes this goal by using man-in-the-browser attacks. A man-in-the-browser attack gives the malware access to the user's web browser and to everything the user does in it. This access can be used for a variety of different purposes, but TrickBot focuses on stealing financial data. It accomplishes this by monitoring for bank-related URLs like usbank.com. If a user visits the webpage for US Bank, TrickBot uses its keylogging functionality to collect the data that the user types into the webpage. Since the very first step that most users perform on a banking webpage is to log into their account, this quickly provides the malware with the user's banking credentials, which are forwarded on to its operator for use or sale on the black market.
TrickBot is modular malware, meaning that the actual malware is designed more like a general platform that malicious extensions can be plugged into. This allows the malware to be easily changed and reconfigured to meet the specific needs of its operators. For example, the primary purpose of the TrickBot malware is to steal banking information using man-in-the-browser attacks. However, some variants of TrickBot have been known to target cryptocurrency wallets. By stealing the private key used to secure a user's cryptocurrency wallet, TrickBot allows its operator to steal the Bitcoin, Ether, or other cryptocurrency that it contains. The modularity of TrickBot provides a couple of different advantages to its operators. First, it is easy to extend the malware to perform new malicious actions, as demonstrated by its ability to target cryptocurrency. Second, it can make identification of a TrickBot infection more difficult, since adding or removing modules changes the malware's signature.
While TrickBot is primarily spread through the browser or dropped by other malware, it is not limited to these infection mechanisms. TrickBot is also a network worm capable of spreading itself by exploiting unpatched vulnerabilities in computers.
In 2017, WannaCry made a name for itself by leveraging EternalBlue, an exploit against the SMB protocol that was developed by the NSA and leaked by the Shadow Brokers. EternalBlue succeeded because SMB is enabled on most Windows machines, yet many users had not applied the available patch.
That same failure to apply patches against the Eternal family of exploits is what makes TrickBot capable of spreading itself today. TrickBot can exploit the same EternalBlue vulnerability to install and execute itself on vulnerable computers, making it a network worm.
The Current State of TrickBot
As modular malware, TrickBot is continually evolving. In one campaign, the focus may be on stealing a user's credentials for online accounts at financial institutions. In another campaign, TrickBot may be intended to act primarily as a dropper for other types of malware. For example, TrickBot can include a PowerShell backdoor for the Empire malware. From campaign to campaign, the functionality and look of the TrickBot malware can differ dramatically.
As referenced in our Quarterly Threat Report, on July 12, 2019, a new feature was introduced to TrickBot, called TrickBooster. TrickBooster allows the malware to use an infected machine as a spam email bot using email lists provided by the hacker. This functionality enables TrickBot to spread itself more quickly and easily to other devices. As a result of TrickBot’s new capabilities, malware activity increased 144% in July 2019.
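A spam bot such as the TrickBooster module described above has a network footprint that is visible to defenders: an ordinary workstation suddenly opens outbound SMTP connections to many distinct mail servers. The script below is an added example written for this article, not code from TrickBot or from the Quarterly Threat Report; it runs a simple detection heuristic over constructed firewall log lines. The log format, the approved mail relay address, the SMTP port set and the threshold are all assumptions that would be adapted to a real environment.

```python
"""Flag hosts that behave like outbound spam bots.

Heuristic: a host that is not an approved mail relay and that contacts
an unusually large number of distinct SMTP destinations is suspicious.
Everything below (log format, relay list, threshold) is assumed for
this example and is not taken from the article.
"""
import re
from collections import defaultdict

# Constructed firewall log lines (not from a real capture). Assumed format:
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACTION>
SAMPLE_LOG = """\
2019-07-15T09:00:01 10.0.5.23:51001 -> 203.0.113.10:25 ALLOW
2019-07-15T09:00:02 10.0.5.23:51002 -> 203.0.113.11:25 ALLOW
2019-07-15T09:00:02 10.0.5.23:51003 -> 203.0.113.12:25 ALLOW
2019-07-15T09:00:03 10.0.5.23:51004 -> 198.51.100.7:25 DENY
2019-07-15T09:00:03 10.0.5.23:51005 -> 198.51.100.8:25 ALLOW
2019-07-15T09:00:04 10.0.5.23:51006 -> 198.51.100.9:587 ALLOW
2019-07-15T09:00:04 10.0.5.23:51007 -> 203.0.113.10:25 ALLOW
2019-07-15T09:00:05 10.0.1.5:40001 -> 203.0.113.20:25 ALLOW
2019-07-15T09:00:05 10.0.1.5:40002 -> 203.0.113.21:25 ALLOW
2019-07-15T09:00:06 10.0.5.40:52000 -> 10.0.1.5:587 ALLOW
2019-07-15T09:00:06 10.0.5.40:52001 -> 93.184.216.34:443 ALLOW
2019-07-15T09:00:07 malformed entry
"""

# Assumed: the organization's only approved outbound mail relay.
MAIL_RELAYS = {"10.0.1.5"}
# Ports on which legitimate workstations should rarely talk to the Internet.
SMTP_PORTS = {25, 465, 587}
# Assumed threshold: distinct SMTP destinations per host before alerting.
MAX_DISTINCT_DESTINATIONS = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_lines(text):
    """Yield (src_ip, dst_ip, dst_port) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed or unrelated line: ignore rather than crash
        yield match["src"], match["dst"], int(match["dport"])


def find_spam_bots(text, relays=MAIL_RELAYS, threshold=MAX_DISTINCT_DESTINATIONS):
    """Return {src_ip: {"attempts": n, "destinations": [...]}} for hosts
    that exceed the threshold. Denied attempts are counted too, because a
    blocked connection still reveals the host's intent."""
    destinations = defaultdict(set)
    attempts = defaultdict(int)
    for src, dst, dport in parse_lines(text):
        if dport not in SMTP_PORTS or src in relays:
            continue
        destinations[src].add(dst)
        attempts[src] += 1
    return {
        src: {"attempts": attempts[src], "destinations": sorted(dests)}
        for src, dests in destinations.items()
        if len(dests) >= threshold
    }


if __name__ == "__main__":
    for host, detail in find_spam_bots(SAMPLE_LOG).items():
        print(f"{host}: {detail['attempts']} SMTP attempts to "
              f"{len(detail['destinations'])} distinct destinations")
```

On the constructed log, the workstation 10.0.5.23 is flagged (six distinct destinations across seven attempts), the approved relay 10.0.1.5 is ignored, and 10.0.5.40, which only talks to the relay and to a web server, is not reported. In practice the same logic would run over a rolling time window, since a workstation that sends a single message through an external provider should not trip the alert.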
How Does It Affect an Organization?
Since TrickBot is a modular type of malware, it can affect different organizations in different ways depending on the details of that specific malware campaign. When used in isolation, TrickBot focuses on collecting and exfiltrating user credentials for financial institutions, which can be used to steal money from an individual or a business.
However, TrickBot has also been found bundled with different types of malware. One common partnership uses TrickBot in combination with Emotet. Emotet began as another banking trojan but has evolved to include the ability to send spam emails and to act as a downloader for other types of malware. Since Emotet is often spread via phishing emails, which are easy to perform but very effective, the Emotet-TrickBot partnership typically uses Emotet as an initial infection vector to drop TrickBot. This gives the malware operators the ease of infection provided by Emotet and the versatility of TrickBot.
However, the use of multi-stage attacks is not limited to just Emotet and TrickBot. In September 2019, a “triple threat” appeared that combined Emotet, TrickBot, and the Ryuk ransomware. This combination maximizes the attacker’s ability to monetize their attack since they can both extract value from the user’s stolen financial credentials and hold the data on the computer for ransom.
How to Protect Yourself from TrickBot
The TrickBot malware is often spread by spam email or dropped by other malware that is itself spread via email. Employee cybersecurity awareness training to help with the identification of phishing emails, and a filtering solution deployed at the email gateway to detect spam, can help to reduce an organization's exposure to the TrickBot threat. Computers within the organization should also have up-to-date antivirus software deployed and operating to help with the identification and removal of TrickBot infections.