June 2, 2022
- advanced persistent threat
The Trickbot malware is a popular trojan used for attacks against financial institutions and other industries. It is also known by various other names such as Wizard Spider, UNC1778, and Gold Blackburn. It first appeared in 2016 and is believed to be a successor to Dyreza, because its code shares certain variable names with Dyreza's, which implies that the two were written by the same creators.
While initially created just to steal financial data, it has evolved into a full Malware-as-a-Service (MaaS) platform. In 2017 it was given a worm module as well as a module that harvests Outlook credentials. In 2018 it gained the ability to disable Microsoft Defender by abusing a PowerShell command, and its encryption was also updated, making it harder to analyze. In 2019 its operators updated its web injection features to be more effective against US mobile carriers. Its evasion methods have also improved: the original cloning module Mworm was replaced by the module Nworm, which allows it to run from memory, leaving no trace of its existence on an infected device.
After the initial compromise, Trickbot collects information using Windows executables and looks for ways to spread itself within the network. It sends this information, along with other sensitive data, to a dedicated command-and-control (C2) server. As a trojan, Trickbot's purpose is to gain initial access to a network so that it can drop payloads that exfiltrate the data found on an infected system. It is known to use Cobalt Strike to move laterally through a network and then deploy its payloads.
As it is an initial access tool, the best way to stop its execution is to discover it early and remove it from your systems. To keep it from entering your environment, users need to be cautious about suspicious emails from unknown sources with vague subjects and attachments. Organizations can also implement a 24/7 monitoring program using SIEM and EDR solutions to catch malware that has already gained access to the network.
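One concrete thing a SIEM can watch for, given the Defender-disabling PowerShell behaviour described above, is script block logging (Event ID 4104) that tampers with Microsoft Defender. The following is an added example, not code from the original post or from any Trickbot analysis; the log line format and the host names are constructed for the example, while `Set-MpPreference` and `Add-MpPreference` are real Defender cmdlets.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the shape of PowerShell script block logs
# (Event ID 4104) as they might be forwarded to a SIEM. Illustrative only,
# not captured Trickbot telemetry.
SAMPLE_EVENTS = [
    "EventID=4104 Host=WS01 ScriptBlockText=Get-ChildItem C:\\Users",
    "EventID=4104 Host=WS01 ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true",
    "EventID=4104 Host=WS02 ScriptBlockText=Add-MpPreference -ExclusionPath C:\\ProgramData\\tmp",
    "EventID=4104 Host=WS02 ScriptBlockText=Set-MpPreference -SubmitSamplesConsent NeverSend",
    "EventID=4104 Host=WS03 ScriptBlockText=Write-Output 'hello'",
]

# Defender tampering patterns worth alerting on. The cmdlet and parameter
# names are real; the rule set itself is this example's own (hypothetical).
TAMPER_RULES = {
    "defender_protection_disabled": re.compile(
        r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.IGNORECASE),
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.IGNORECASE),
    "defender_sample_submission_off": re.compile(
        r"Set-MpPreference\b.*-SubmitSamplesConsent\s+NeverSend", re.IGNORECASE),
}

# Matches the constructed "Key=Value" layout used in SAMPLE_EVENTS.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Host=(?P<host>\S+)\s+ScriptBlockText=(?P<script>.*)$")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields as a dict, or None if the line is not in the expected shape."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_defender_tampering(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per script block log line that matches a tampering rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != "4104":
            continue  # only script block logging events are in scope
        for rule_name, pattern in TAMPER_RULES.items():
            if pattern.search(ev["script"]):
                alerts.append({"host": ev["host"], "rule": rule_name, "script": ev["script"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_defender_tampering(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['script']}")
```

Matching on script block text rather than on process names catches the tampering regardless of how the PowerShell host was launched, but it requires script block logging to be enabled on the endpoints.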