Behaviors
- Dropped by Emotet's Malware-as-a-Service capability as part of secondary infection
- Remains undetected by user and gains persistence by creating a Scheduled Task
- Takes advantage of open redirections and server side injections to steal login information from user's banking session
- Steals user data such as login state, website preferences, personalized content
- Steals remote desktop application credentials, email credentials, internet browser credentials
- Steals computer data operating system (OS) information, memory information, user accounts, installed programs, installed services, network information
- Steals information regarding Point-of-Sale (POS) systems in the network
- Disables Windows Defender and lowers down machine security
Capabilities
- Information Theft
- Exploits
- Rootkit Capability
- Propagation
- Download Routine
Impact
- Financial loss - steals banking information
- Compromise system security - can disable someone's security software
- Violation of user privacy - gathers and steals user credentials of various applications
VSAPI
Detection/Policy/Rules | Pattern Branch/Version | Release Date |
---|---|---|
TrojanSpy.Win32.TRICKBOT.THCBOAI TrojanSpy.Win32.TRICKBOT.TIGOCAY TrojanSpy.Win32.TRICKBOT.TIGOCAS Trojan.W97M.TRICKBOT.A TrojanSpy.Win32.TRICKBOT.TIGOCBO TrojanSpy.Win32.TRICKBOT.SMTH TrojanSpy.Win32.TRICKBOT.TIGOCAW TrojanSpy.Win32.TRICKBOT.TIGOCBJ TrojanSpy.Win32.TRICKBOT.TIGOCBC TrojanSpy.Win32.TRICKBOT.SMXF TrojanSpy.Win32.TRICKBOT.THCBBAI TrojanSpy.Win32.TRICKBOT.THCAIAI TrojanSpy.Win32.TRICKBOT.TIGOCBH |
Ent OPR 14.885.01 | March 20, 2019 |
Trojan.VBS. TRICKBOT.SM TrojanSpy.Win32. TRICKBOT.CET |
ENT OPR 15.543.00 | December 7, 2019 |
TrendX
Detection/Policy/Rules |
---|
Troj.Win32.TRX.XXPE50F13006 TROJ.Win32.TRX.XXPE50FFF028 TSPY.Win32.TRX.XXPE50FFF029 Troj.Win32.TRX. XXPE50FFF033 |
Behavior Monitoring
Pattern Branch/Version | Release Date |
---|---|
TMTD OPR 1761 | March 12, 2018 |
TMTD OPR 1699 | September 8, 2017 |
TMTD OPR 1761 | September 30, 2019 |
Web Reputation
Detection/Policy/Rules | Pattern Branch/Version |
---|---|
URL Protection | In-the-cloud |
Anti-Spam
Detection/Policy/Rules | Pattern Branch/Version | Release Date |
---|---|---|
Email Protection | AS 4510.006 | March 25, 2019 |
- | AS Pattern 5092 | December 9, 2019 |
Network Patterns
Detection/Policy/Rules | Pattern Branch/Version | Release Date |
---|---|---|
HTTP_TRICKBOT_REQUEST | NCIP 1.13637.00 NCCP 1.13601.00 |
March 20, 2019 |
Recommendation
- Make sure to always use the latest pattern available to detect the old and new variants of RYUK Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
- You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, please contact Trend Micro Technical Support.