Behaviors

  • Dropped by Emotet's Malware-as-a-Service capability as part of a secondary infection
  • Remains undetected by the user and gains persistence by creating a Scheduled Task
  • Takes advantage of open redirections and server-side injections to steal login information from the user's banking session
  • Steals user data such as login state, website preferences, and personalized content
  • Steals remote desktop application credentials, email credentials, and internet browser credentials
  • Steals computer data such as operating system (OS) information, memory information, user accounts, installed programs, installed services, and network information
  • Steals information regarding Point-of-Sale (POS) systems in the network
  • Disables Windows Defender and lowers machine security

Capabilities

  • Information Theft
  • Exploits
  • Rootkit Capability
  • Propagation
  • Download Routine

Impact

  • Financial loss - steals banking information
  • Compromised system security - can disable the victim's security software
  • Violation of user privacy - gathers and steals user credentials for various applications

VSAPI

Detection/Policy/Rules            Pattern Branch/Version  Release Date
TrojanSpy.Win32.TRICKBOT.THCBOAI  ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.TIGOCAY  ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.TIGOCAS  ENT OPR 14.885.01       March 20, 2019
Trojan.W97M.TRICKBOT.A            ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.TIGOCBO  ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.SMTH     ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.TIGOCAW  ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.TIGOCBJ  ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.TIGOCBC  ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.SMXF     ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.THCBBAI  ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.THCAIAI  ENT OPR 14.885.01       March 20, 2019
TrojanSpy.Win32.TRICKBOT.TIGOCBH  ENT OPR 14.885.01       March 20, 2019
Trojan.VBS.TRICKBOT.SM            ENT OPR 15.543.00       December 7, 2019
TrojanSpy.Win32.TRICKBOT.CET      ENT OPR 15.543.00       December 7, 2019

TrendX

Detection/Policy/Rules
Troj.Win32.TRX.XXPE50F13006
TROJ.Win32.TRX.XXPE50FFF028
TSPY.Win32.TRX.XXPE50FFF029
Troj.Win32.TRX.XXPE50FFF033

Behavior Monitoring

Pattern Branch/Version  Release Date
TMTD OPR 1761           March 12, 2018
TMTD OPR 1699           September 8, 2017
TMTD OPR 1761           September 30, 2019

Web Reputation

Detection/Policy/Rules  Pattern Branch/Version
URL Protection          In-the-cloud

Anti-Spam

Detection/Policy/Rules  Pattern Branch/Version  Release Date
Email Protection        AS 4510.006             March 25, 2019
-                       AS Pattern 5092         December 9, 2019

Network Patterns

Detection/Policy/Rules  Pattern Branch/Version  Release Date
HTTP_TRICKBOT_REQUEST   NCIP 1.13637.00         March 20, 2019
                        NCCP 1.13601.00         March 20, 2019
