Trickbot Spreads as DLL, Comes with Upgrades Targeting Windows 10
Trickbot distributed via DLL
Trickbot was first discovered in August 2016 as a banking trojan that steals email credentials from infected computers. It then uses the compromised email accounts to spread malicious emails. The threat actors behind this notorious banking trojan have been actively updating it with new capabilities that make it more challenging to detect. It has also gained features such as detection evasion, screen-locking, and remote application credential-grabbing. Previous reports also described it targeting OpenSSH and OpenVPN, and being distributed through highly obfuscated JavaScript files.
Trickbot Windows 10 exclusive features
The threat actors behind Trickbot have also added Windows 10-exclusive features, possibly to avoid detection from sandboxes that mimic early Windows versions. This capability was added through the Trickbot downloader OSTAP.
The trojan spreads via Microsoft Word document files. The malicious files follow the naming convention "i<7-9 random digits>.doc" and usually contain a blurred image. The document claims to be protected and asks the user to enable content to decrypt it and see the clear image.
Once the user enables content, the malicious macro executes. There is also a concealed ActiveX control below the image, which uses the MsRdpClient10NotSafeForScripting class for remote control. The malicious OSTAP JavaScript downloader is hidden in white-colored font in the lower part of the document body. This makes it unnoticeable to users but still visible to machines, enabling OSTAP to execute.
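The three document traits described above (file name pattern, the RDP ActiveX class name, and text hidden in white font) can be checked during attachment triage. The following is an added example, not code from the original article or from Trend Micro; it assumes the attachment is an OOXML (ZIP) container, and the threshold, the part name `word/constructed_part.bin` and the sample document are constructed for illustration.

```python
import io
import re
import zipfile

NAME_RE = re.compile(r"^i\d{7,9}\.doc$", re.IGNORECASE)  # naming convention from the article
RDP_CLASS = "MsRdpClient10NotSafeForScripting"           # ActiveX class named in the article
RUN_RE = re.compile(rb"<w:r\b.*?</w:r>", re.DOTALL)       # one OOXML text run
TEXT_RE = re.compile(rb"<w:t\b[^>]*>(.*?)</w:t>", re.DOTALL)
WHITE_RE = re.compile(rb'<w:color\b[^>]*w:val="FFFFFF"', re.IGNORECASE)
WHITE_TEXT_THRESHOLD = 200  # assumed cut-off; tune against your own benign documents

def has_rdp_class(blob: bytes) -> bool:
    """The class name may be stored as ASCII or UTF-16LE depending on the part."""
    return any(RDP_CLASS.encode(enc) in blob for enc in ("ascii", "utf-16-le"))

def white_text_length(document_xml: bytes) -> int:
    """Count characters in runs whose font colour is white (invisible on a white page)."""
    return sum(len(text)
               for run in RUN_RE.findall(document_xml) if WHITE_RE.search(run)
               for text in TEXT_RE.findall(run))

def triage(filename: str, data: bytes) -> dict:
    """Report the indicators described in the article for one attachment."""
    result = {"name_match": bool(NAME_RE.match(filename)),
              "rdp_class": has_rdp_class(data), "white_chars": 0}
    if zipfile.is_zipfile(io.BytesIO(data)):  # OOXML container: inspect each part
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for name in archive.namelist():
                part = archive.read(name)
                result["rdp_class"] = result["rdp_class"] or has_rdp_class(part)
                if name == "word/document.xml":
                    result["white_chars"] = white_text_length(part)
    # The file name alone is weak evidence, so it is reported but not decisive.
    result["suspicious"] = (result["rdp_class"]
                            or result["white_chars"] >= WHITE_TEXT_THRESHOLD)
    return result

def build_sample(hidden: bool) -> bytes:
    """Constructed test document: harmless filler text, no macro and no script."""
    white = ('<w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>'
             + "x" * 300 + "</w:t></w:r>")
    body = "<w:r><w:t>Quarterly report</w:t></w:r>" + (white if hidden else "")
    xml = f"<w:document><w:body><w:p>{body}</w:p></w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("word/document.xml", xml)
        if hidden:  # constructed part carrying the class name as UTF-16LE
            archive.writestr("word/constructed_part.bin", RDP_CLASS.encode("utf-16-le"))
    return buf.getvalue()
```

Legacy binary .doc files are not ZIP containers, so for those only the file name and raw class-name checks apply.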
Defending against Trickbot
Trickbot compromised over 250 million email accounts in 2019, and its constant evolution is something that enterprises and users should keep an eye on. To defend against the trojan, enterprises are highly encouraged to conduct internal training on mitigating email threats. Employees should learn how to spot malicious emails, and avoid downloading attachments and clicking on links from unfamiliar sources.
For tighter security against such threats, Trend Micro Email Security detects and stops spam before it can inflict more damage on the system. Enterprises can also rely on other security solutions for email and collaboration under the Trend Micro Smart Protection Suites: Trend Micro™ Deep Discovery Email Inspector™ and Trend Micro™ InterScan Messaging Security.
Indicators of Compromise