Field | Value |
---|---|
ID | X0025 |
Type | Spyware, Trojan (banking trojan) |
Aliases | None |
Platforms | Windows |
Year | 2016 |
Associated ATT&CK Software | TrickBot |
TrickBot is a trojan spyware program that has been used primarily to target banking sites. TrickBot is written in C++.
ATT&CK Techniques
Name | Use |
---|---|
Execution::Shared Modules (T1129) | TrickBot parses PE headers. [7] |
See ATT&CK: TrickBot - Techniques Used.
Behaviors
Name | Use |
---|---|
Discovery::File and Directory Discovery (E1083) | The malware collects machine information and local files with specified file extensions. [1] |
Anti-Static Analysis::Software Packing (F0001) | The malware has a custom packer to obfuscate itself. [1] |
Defense Evasion::Process Injection (E1055) | The malware injects itself into svchost.exe. [2] |
Persistence::Registry Run Keys / Startup Folder (F0012) | The malware has an auto-start service that allows it to run whenever the machine boots. [3] |
Defense Evasion::Disable or Evade Security Tool (F0004) | The malware terminates the following anti-malware services: Windows Defender, MBamService (Malwarebytes), SAVService (Sophos AV). [3] |
Collection::Archive Collected Data::Encryption (E1560.m02) | The malware uses a custom crypter leveraging Microsoft's CryptoAPI to encrypt C2 traffic. C2 update responses seem to have been digitally signed using bcrypt. [4] |
Defense Evasion::Bootkit (F0013) | The malware can implant malicious code in firmware, allowing reading, writing, and/or erasure of the UEFI/BIOS firmware. [5] |
Lateral Movement::Supply Chain Compromise (E1195) | TrickBot comes with a signed downloader component. [5] |
Discovery::System Information Discovery (E1082) | The malware collects information about the computer, resources, services, installed programs, firmware, and operating system versions. [1] |
Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | TrickBot encodes data using XOR. [7] |
Execution::Command and Scripting Interpreter (E1059) | TrickBot accepts command line arguments. [7] |
Micro-Behaviors
Name | Use |
---|---|
Execution::Remote Commands (B0011) | The malware receives various commands from the C2 server. [2] |
Cryptography::Encrypt Data::AES (C0027.001) | The malware uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files. [1] |
Anti-Behavioral Analysis::Dynamic Analysis Evasion (B0003.012) | The malware uses numerous printf loops to delay the execution process and overload the sandbox with junk data (API Hammering). [6] |
Impact::Spamming (B0039) | In July 2019, TrickBot was observed infecting computers to steal email passwords and address books to spread malicious emails. [8] |
Data::Encode Data::XOR (C0026.002) | TrickBot encodes data using XOR. [7] |
Discovery::Code Discovery::Inspect Section Memory Permissions (B0046.002) | TrickBot inspects section memory permissions. [7] |
Memory::Allocate Memory (C0007) | TrickBot allocates RWX memory. [7] |
Process::Create Process (C0017) | TrickBot creates a process on Windows. [7] |
Process::Create Process::Create Suspended Process (C0017.003) | TrickBot creates a suspended process. [7] |
Process::Terminate Process (C0018) | TrickBot terminates processes. [7] |
SHA256 Hashes
- a162bb9219a09b302b90bc6f908e117e3fb2c722560336d378fd76a8f22f78f8

MD5 Hashes
- 28661ea73413822c3b5b7de1bef0b246
- 218613f0f1d2780f08e754be9e6f8c64
- 135e4fa98e2ba7086133690dbd631785
- 719578c91b4985d1f955f6adb688314f
- 132c4338cdc46a0a286abf574d68e2e0
- e8e7b0a8f274cad7bdaedd5a91b5164d

Yara Rules
```yara
rule MALW_trickbot_bankBot : Trojan
{
    meta:
        author = "Marc Salinas @Bondey_m"
        description = "Detects Trickbot Banking Trojan"
    strings:
        $str_trick_01 = "moduleconfig"
        $str_trick_02 = "Start"
        $str_trick_03 = "Control"
        $str_trick_04 = "FreeBuffer"
        $str_trick_05 = "Release"
    condition:
        all of ($str_trick_*)
}

rule MALW_systeminfo_trickbot_module : Trojan
{
    meta:
        author = "Marc Salinas @Bondey_m"
        description = "Detects systeminfo module from Trickbot Trojan"
    strings:
        // Several string values are empty in this copy of the rule (the
        // original values were not preserved); YARA rejects empty strings,
        // so these must be restored before the rule will compile.
        $str_systeminf_01 = ""
        $str_systeminf_02 = ""
        $str_systeminf_03 = ""
        $str_systeminf_04 = "GetSystemInfo.pdb"
        $str_systeminf_05 = ""
        $str_systeminf_06 = ""
    condition:
        all of ($str_systeminf_*)
}

rule MALW_dllinject_trickbot_module : Trojan
{
    meta:
        author = "Marc Salinas @Bondey_m"
        description = "Detects dllinject module from Trickbot Trojan"
    strings:
        // Three string values are empty in this copy of the rule (the
        // original values were not preserved) and must be restored
        // before the rule will compile.
        $str_dllinj_01 = "user_pref("
        $str_dllinj_02 = ""
        $str_dllinj_03 = ""
        $str_dllinj_04 = ""
    condition:
        all of ($str_dllinj_*)
}

rule MALW_mailsercher_trickbot_module : Trojan
{
    meta:
        author = "Marc Salinas @Bondey_m"
        description = "Detects mailsearcher module from Trickbot Trojan"
    strings:
        $str_mails_01 = "mailsearcher"
        $str_mails_02 = "handler"
        $str_mails_03 = "conf"
        $str_mails_04 = "ctl"
        $str_mails_05 = "SetConf"
        $str_mails_06 = "file"
        $str_mails_07 = "needinfo"
        $str_mails_08 = "mailconf"
    condition:
        all of ($str_mails_*)
}
```

References
[1] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
[2] https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
[3] https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html
[4] https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/
[5] https://eclypsium.com/wp-content/uploads/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf
[6] https://www.joesecurity.org/blog/498839998833561473
[7] capa v4.0, analyzed at MITRE on 10/12/2022
[8] https://techcrunch.com/2019/07/12/trickbot-spam-millions-emails/