Trickbot: the most widespread trojan in COVID 19 campaigns

(To Alessandro Rugolo)

Trickbot malware belongs to the Trojan family spyware, mainly employed against banking sector objectives.
Its first appearance dates back to 2016 and its targets have been identified in several states, including the United States, Canada, Great Britain, Germany, Australia, Autria, Ireland and Switzerland.

The malware, as far as development is concerned, was written in C ++, one of the languages ​​capable of directly accessing the CPU, registers and memory.

Trickbot is a Trojan that only works on Windows platforms. Once the malware infects a PC, its task is to steal credentials and banking information but it can also be used to export files or data in general.

The malware, in the first place, has the ability to load the code inside the system to be infected and create a replica of itself inside the% APPDATA% folder, deleting the original file.
It is therefore capable of collecting sensitive information such as personal data and banking credentials (using the information collected by browsers) and then exfiltrating them but also email addresses.

Through its C2 chain it is capable of updating itself to new versions and exfiltrating data. The channel used for its C2 chain is encrypted with symmetric encryption (AES CBC 256 bit).

It is capable of redirecting the user to fake sites in order to collect his credentials.

Trickbot has been employed by some groups, most notably TA505 and Wizard Spider.

There are various versions of the malware, for 32 and 64 bit systems.

The vector of infection is generally a Word file with active macros, received via email during a campaign spearphishing.
It is possible to identify the presence of Trickbot on our system in manual mode simply by looking at the% APPDATA% folder and verifying the presence of the two typical Trickbot files:
- client_id, which contains the identification data of an infected user;
- group_tag, which contains the identification data of the infection campaign.

In the same folder is the Trickbot executable file originally copied from the original file.

Instead, it seems that at the moment there is no way to identify its presence through automatic traffic analysis systems, as the traffic created towards the C2 system is encrypted (SSL).
Instead, it is possible to identify it through memory analysis, but it must be taken into account that the different versions leave different traces.

For the removal of Trickbot you can refer to some software as "malwarebytes" or you have to proceed manually, depending on the version of the operating system, nothing impossible, but not easy.

Trickbot is a malware spread through phishing or spearphishing campaigns so it is very important to pay close attention to the emails received and to adopt the healthy principle of "do not open a suspicious email or file", even if not always easy to apply.

Trickbot, like any malware, exploits system security holes.
To protect yourself, the correct configuration of the systems in use is sometimes sufficient, with particular reference to the correct use of the administration accounts.

We also recommend the use of software and systems covered by the support of the parent company, in particular with regard to the Operating Systems that are the basis of security.

The use of "Endpoint Detection and Response" can help, as long as staff are able to handle them.

To learn more: