Trickbot is a banking Trojan which is used in cyber attacks against small and medium-sized businesses. It is designed to access online accounts, especially bank accounts to obtain Personally Identifiable Information (PII) to be used in identity fraud.

Trickbot was first discovered on August 2016 as a banking Trojan which infected computers to steal email passwords and address books to spread malicious emails from compromised email accounts. It had developed new capabilities and techniques with new modules to trick users into revealing their online banking credentials. It then exfiltrates and receives the information on the attacker’s side.

Trickbot now has an additional spamming module which is known as “TrickBooster” which sends spam mails from infected computers to increase the spread of Trickbot infections. It then removes the sent messages from both outbox and sent item folders to avoid detection. It is commonly distributed in spearphishing attacks by using fake invoices and bank documents. This malware can also leverage a vulnerability in Server Message Block (SMB) to quickly propagate to other systems on the same network. Emotet, another widespread Trojan malware is also known to drop Trickbot as part of its secondary infection in Emotet-infected machines.

Some of Trickbot’s new modules steal credentials for remote computer access with a newer version targeting passwords for Virtual Networking Computing (VCN), PuTTY and Remote Desktop Protocol (RDP). The other modules perform tasks for stealing bank information, system/network reconnaissance, credential harvesting, and network propagation.