Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

TRICKBOT’s newly released modules makes it even trickier

    • Updated:
    • 10 Dec 2019
    • Product/Version:
    • Deep Security
    • Email Encryption Gateway
    • OfficeScan
    • Worry-Free Business Security Advanced
    • Platform:
    • N/A N/A
Summary

Trickbot was first discovered on August 2016 as a banking Trojan which infected computers to steal email passwords and address books to spread malicious emails from compromised email accounts. It had developed new capabilities and techniques with new modules to trick users into revealing their online banking credentials. It then exfiltrates and receives the information on the attacker’s side.

Trickbot now has an additional spamming module which is known as “TrickBooster” which sends spam mails from infected computers to increase the spread of Trickbot infections. It then removes the sent messages from both outbox and sent item folders to avoid detection. It is commonly distributed in spearphishing attacks by using fake invoices and bank documents. This malware can also leverage a vulnerability in Server Message Block (SMB) to quickly propagate to other systems on the same network. Emotet, another widespread Trojan malware is also known to drop Trickbot as part of its secondary infection in Emotet-infected machines.

Behaviors

  • Dropped by Emotet’s Malware-as-a-Service capability as part of secondary infection
  • Remains undetected by user and gains persistence by creating a Scheduled Task
  • Takes advantage of open redirections and server side injections to steal login information from user’s banking session
  • Steals user data such as login state, website preferences, personalized content
  • Steals remote desktop application credentials, email credentials, internet browser credentials
  • Steals computer data operating system (OS) information, memory information, user accounts, installed programs, installed services, network information
  • Steals information regarding Point-of-Sale (POS) systems in the network
  • Disables Windows Defender and lowers down machine security

Capabilities

  • Information Theft
  • Exploits
  • Propagation

Impact

  • Financial loss – steals banking information
  • Compromise system security - can disable someone’s security software
  • Violation of user privacy - gathers and steals user credentials of various applications

Additional Reference

Infection Chain

Trickbot infection chain

Details
Public
Solution ModulesPattern BranchRelease DateDetection/Policy/Rules
Email ProtectionAS Pattern 5092December 9, 2019-
URL ProtectionIn the Cloud--
Advanced Threat Scan Engine (ATSE)15.543.00December 7, 2019-
Predictive Learning (TrendX)In the Cloud-Troj.Win32.TRX. XXPE50FFF033
File detection (VSAPI)ENT OPR 15.543.00December 7, 2019Trojan.VBS. TRICKBOT.SM
TrojanSpy.Win32. TRICKBOT.CET
Network File PatternNCIP 1.13637.00
NCCP 1.13601.00
March 20, 2019March 20, 2019
Network Pattern-December 7, 2019-
Behavioral Monitoring (AEGIS)TMTD OPR 1761September 30, 2019-

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of Trickbot.

Please refer to the KB article on How to best protect your network using Trend Micro products.
You may also check the atricle on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.

Premium
Internal
Rating:
Category:
Remove a Malware / Virus
Solution Id:
1122411
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.