|Type of Malware||Banking Trojan|
|Associated Groups||Wizard Spider, TA505|
|Date of Initial Activity||2016|
|Motivation||Targets businesses and consumers for their data, perform lateral movement and reconnaissance on a targeted organization , delivering targeted ransomware attack|
|Attack Vectors||Spearphishing campaigns, spam campaigns or other malware families such as Emotet and BazarLoader|
Trickbot is a modular banking Trojan, attributed to the WizardSpider cybercrime gang. Mostly delivered via spam campaigns or other malware families such as Emotet and BazarLoader. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules, including a VNC module for remote control and an SMB module for spreading within a compromised network.
TrickBot has the reputation of being the successor of Dyreza, another credential stealer that first appeared in the wild in 2014.
Initially banking sites, all sectors later. Also private individuals.
Tools/ Techniques Used
TrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links, which—if enabled—execute malware. The phishing emails contain links that redirect to a website hosted on a compromised server. Once downloaded to the infected device, the user is prompted to enable macros, which installs the TrickBot binary.
The malware then uses various models to infect the network and steal data. To set the stage for future attacks, the TrickBot operators may also attempt to disable antivirus protection. As part of a secondary attack, TrickBot can spread the malware laterally throughout the network, usually by exploiting a Server Message Block (SMB) vulnerability.
A follow-on attack, such as a Ryuk ransomware attack, is deployed by the TrickBot group. The attackers manually delete or encrypt backup files and twins. Ryuk encrypts all system data and initiates the ransomware attack path.