Trickbot Spreads as DLL, Comes with Upgrades Targeting Windows 10

Separate campaigns show how Trickbot has updated its execution and defense evasion techniques. First, the banking trojan can now be distributed as Dynamic Link Library (DLL) files, as first detected by Malware Traffic. Morphisec also reports that it has added Windows 10 exclusive features. Trend Micro researchers also encountered samples of these new variants.

Trickbot usually loads through an EXE file with DLL modules. The new variant now uses DLL files as a loader. The trojan is being dropped by a Microsoft Word Document, which is presumed to have been spread using malicious attachments in spam emails. Upon initial infection, Trickbot appears as an MS-DOS application file. The trojan will then establish persistence on the infected Windows host. A scheduled task for dropping Trickbot as a DLL can then be seen.

Trickbot was first discovered in August 2016 as a banking trojan that steals email credentials from infected computers. It then uses the compromised email accounts to spread malicious emails. Threat actors behind this notorious banking trojan have been actively updating it with new capabilities that make it more challenging to detect. It has also added additional features, such as detection evasion and screen-locking, and remote application credential-grabbing. Previous reports also saw it targeting OpenSSH and OpenVPN, and being distributed through highly obfuscated JavaScript files.

Trickbot Windows 10 exclusive features

The threat actors behind Trickbot have also added Windows 10-exclusive features, possibly to avoid detection from sandboxes that mimic early Windows versions. This capability was added through the Trickbot downloader OSTAP.

The trojan spreads via Microsoft Word Document files. The malicious files follow the naming convention “i<7-9 random="" digits="">.doc" and usually contains a blurred image. The document claims to be protected, and for decryption, it requests to enable content so the user can see the clear image.

Once the users enable content, the malicious macro will execute. There is also a concealed ActiveX control below the image, which uses MsRdpClient10NotSafeForScripting class for remote control. The malicious OSTAP JavaScript downloader is hidden in white-colored font in the lower part of the document body. This makes it unnoticeable to users but still visible to machines, enabling the OSTAP to execute.

Defending against Trickbot

Having compromised over 250 million email accounts in 2019, Trickbot’s constant evolution is something that enterprises and users should keep an eye on. To defend against the trojan, enterprises are highly encouraged to conduct internal training on mitigating email threats. Employees should learn how to spot malicious emails, and avoid downloading attachments and clicking on links from unfamiliar sources.

For tighter security against such threats, Trend Micro Email Security detects and stops spam before it can inflict more damage on the system. Enterprises can also rely on other security solutions for email and collaboration under the Trend Micro Smart Protection Suites: Trend Micro™ Deep Discovery Email Inspector™ and Trend Micro™ InterScan Messaging Security.

Indicators of Compromise

File Name	SHA 256	Trend Micro Pattern Detection	Trend Micro Predictive Machine Learning Detection
2020-02-25-DOCX-file-with-macro-for-Trickbot-gtag-red4.bin	7db5670a94d95cac01d2c58066f0a9e4 517adf6c907f8d7aa15eedc69ba704cf	Trojan.W97M.TRICKBOT.L	Downloader.VBA.TRX.XXVBAF01FF006
2020-02-25-scheduled-task-for-Trickbot-gtag-red4.txt	6aaa85bb1409738a63083350048fc5df 104600960454bc47b71520fe6408d9bf	Trojan.XML.TRICKBOT.CB	N/A
2020-02-25-Trickbot-gtag-red4-DLL.bin / d26db78f99749974.com	70b3da66ad99bca8703ef61d3f8406b3d 0b05ad60d10318270f41a064d065791	TrojanSpy.Win32.TRICKBOT.DLL	Troj.Win32.TRX.XXPE50FFF034
ban3j.bat	78b04ee46913669be6588fb82ce5b511 dd5865f9dbd5b904681ae2816e723e8b	Trojan.BAT.TRICKBOT.AMT	N/A
c63f2739765d000000a85ab79e249e65-file_36254b3f04e27e6ecb138eb4dfe0675b-2020-02-25 15-12-55 / List1.jse	8187c859f6667e0d58ecda5f89d64e64a 53d1ffa72943704700f976b197e6b74	Worm.JS.JASCREX.A	N/A
List1.bat	2f1d06c3edf1eb4044279924de4d2485 144fcd270056d5cfc4489d7b3e428c9f	Trojan.BAT.STARTER.TIAOOAAW	N/A
ndj34h.bat	5c80c0b1c58986637f982055d01fb9ec 2721617daefcdbdfafaae1eb393e72dc	Trojan.BAT.POWLOAD.TIAOEJY	N/A
settings.ini	3626d672f2ceea178c6267cd6ce9d370 52199ee8988aa9d3bbde5cd094af0c6a	Trojan.BAT.TRICKBOT.CFG	N/A