Trickbot: Protecting Your Business from the Tricks of a Trojan

Some cyber threats become infamous because they are so successful. Trickbot (also known as TrickLoader) is one of them. It was first identified in 2016 as a banking trojan used to gain unauthorized access to bank accounts. Since then, Trickbot has moved into new cybercrime pastures, expanding its remit to include other dangerous attacks, such as delivering ransomware.

What is a Trickbot?

Trickbot malware is highly adaptive because it is built on a modular architecture. New capability ships as a plug-in module, so the malware can be updated easily and constantly evolves without the core loader changing. Malware developers use this modularity to extend Trickbot's capabilities. Modules have included the following examples:

  • RDP (Remote Desktop Protocol) Brute-Forcing: A Trickbot module was released that brute-forces RDP logins. RDP provides interactive desktop sessions between computers across a network, so a guessed password gives the attacker a hands-on foothold. The attackers used this module to target companies in the telecoms industry.
  • VNC-Based Remote Desktop: A VNC module gave Trickbot operators remote control of infected computers. Using it, the attackers could download updated Trickbot payloads, open documents, read the user's email inbox, and steal data.
  • UEFI (Unified Extensible Firmware Interface) Reconnaissance: A module named PermaDll32 was designed to read the BIOS or UEFI firmware of infected computers and check whether it is write-protected. A module with write access to the firmware could persist below the operating system or "brick" the computer, rendering it unusable.
  • Open Port Scanner: The Trickbot masrv module scans the local network for hosts with open ports that other modules can then attack.
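The RDP brute-forcing module in the first bullet leaves a recognisable trace on the target: a burst of failed RemoteInteractive logons (Windows Security event 4625, logon type 10) from one source across many accounts, sometimes followed by a success (event 4624) once a password is guessed. The Python below is an added example written for this article, not code from the page or from Trickbot itself. It assumes the security log has already been parsed into (timestamp, event ID, logon type, account, source IP) tuples; the sample records are constructed.

```python
"""Detect RDP brute-force bursts in Windows Security log events.

Added example for this article: not code from the page, and not Trickbot's
own module. Works on records shaped like Windows Security events 4625
(logon failed) and 4624 (logon succeeded); logon type 10 is
RemoteInteractive, i.e. RDP. All sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
RDP_LOGON_TYPE = 10

# Constructed sample: (timestamp, event_id, logon_type, account, source_ip).
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-03-01T02:00:03", 4625, 10, "admin",         "203.0.113.7"),
    ("2024-03-01T02:00:05", 4625, 10, "backup",        "203.0.113.7"),
    ("2024-03-01T02:00:08", 4625, 10, "jsmith",        "203.0.113.7"),
    ("2024-03-01T02:00:10", 4625, 10, "svc_sql",       "203.0.113.7"),
    ("2024-03-01T02:00:12", 4625, 10, "helpdesk",      "203.0.113.7"),
    ("2024-03-01T02:00:40", 4624, 10, "helpdesk",      "203.0.113.7"),   # password guessed
    ("2024-03-01T02:05:00", 4625, 10, "mbrown",        "198.51.100.4"),  # user typo
    ("2024-03-01T02:30:00", 4625, 10, "mbrown",        "198.51.100.4"),  # user typo
    ("2024-03-01T02:31:00", 4624, 10, "mbrown",        "198.51.100.4"),
    ("2024-03-01T02:06:00", 4625, 3,  "WS01$",         "10.0.0.5"),      # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=120):
    """Return {source_ip: summary} for sources with at least `threshold`
    failed RDP logons inside any `window_seconds` span. The summary records
    whether a successful RDP logon from that source followed the burst,
    which is the signal that a password was eventually guessed."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)   # source_ip -> [(time, account)]
    successes = defaultdict(list)  # source_ip -> [(time, account)]
    for ts, event_id, logon_type, account, src in events:
        if logon_type != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == EVENT_LOGON_FAILED:
            failures[src].append((t, account))
        elif event_id == EVENT_LOGON_SUCCESS:
            successes[src].append((t, account))

    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        burst_end = None  # time of the last failure at which the threshold held
        for end, (t_end, _) in enumerate(fails):
            # Slide the window start forward until the span fits inside `window`.
            while t_end - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = t_end
        if burst_end is None:
            continue
        later_success = next(
            (acct for t, acct in sorted(successes.get(src, [])) if t >= burst_end),
            None,
        )
        alerts[src] = {
            "failures": len(fails),
            "accounts": sorted({acct for _, acct in fails}),
            "success_after_burst": later_success,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

With the defaults only 203.0.113.7 is flagged (six failures in eleven seconds across six accounts, then a success as "helpdesk"); the two mistyped passwords from 198.51.100.4 are not. A source that spreads one or two guesses per account across hours only shows up if the window is widened, so tune `threshold` and `window_seconds` to the quiet baseline of your own RDP hosts, and treat any flagged source with a `success_after_burst` as a compromise, not a noisy login.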

Once inside a network, Trickbot can spread rapidly, opening backdoors for follow-on malware attacks. Infected computers on the network, and beyond it, are enrolled into a botnet.

Trickbot is sold under a "malware-as-a-service" model, which puts the malware and its expanding feature set in the hands of non-technical cybercriminals and widens its range of use.

How does Trickbot Work?

Like many forms of malware, Trickbot is delivered by phishing and spear-phishing. Trickbot attackers often exploit user trust by impersonating well-known institutions. One example is a tax scam in which phishing emails that look exactly like emails from tax authorities are sent to companies and individuals; payroll and HR firms such as Paychex are impersonated in the same way. The emails carry malicious links or infected attachments, and once trust is established it is easy for a person to click the link or open the attachment. AI is increasingly used to make phishing campaigns more convincing, which makes detecting and preventing phishing harder.

Trickbot has also been distributed through exploit kits and malicious ads (malvertising), so a victim may be infected simply by visiting a compromised or malicious website.

Trickbot is designed to operate by stealth, staying resident on infected computers without being detected. It does this with evasive tactics: dedicated modules identify and disable anti-virus tools such as Windows Defender. A command and control (C&C) module lets the operators communicate with, and link together, infected devices across networks, and the same channel carries stolen data back to the cybercriminals.
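The delivery and evasion behaviour described above, a macro-laden attachment spawning a script host and modules that switch off Windows Defender, can be hunted in endpoint telemetry. The Python below is an added example for this article, not code from the page or from any vendor product. It assumes process-creation records in the shape of Sysmon event 1 / Security event 4688 and Windows Defender operational-log records; its command-line patterns and event IDs are representative anti-virus-tampering indicators rather than a complete Trickbot signature, and every sample record is constructed.

```python
"""Flag attempts to blind Windows Defender, and script hosts launched from
document readers, in endpoint telemetry.

Added example for this article: not code from the page and not a vendor
signature. The command-line patterns (Set-MpPreference, stopping the
WinDefend service, the DisableAntiSpyware registry value) and the Defender
operational-log event IDs are representative of AV tampering, not a
complete Trickbot signature. Every sample record below is constructed."""
import re

# Process-creation records shaped like Sysmon Event 1 / Security 4688. Constructed.
SAMPLE_PROCESS_EVENTS = [
    {"time": "2024-03-01T09:12:01", "host": "WS-017", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2024-03-01T09:12:04", "host": "WS-017", "parent": "powershell.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c sc stop WinDefend & sc delete WinDefend"},
    {"time": "2024-03-01T09:12:06", "host": "WS-017", "parent": "cmd.exe",
     "image": "reg.exe",
     "cmdline": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
                r'/v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"time": "2024-03-01T10:00:00", "host": "WS-022", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-MpComputerStatus"},  # benign
    {"time": "2024-03-01T10:05:00", "host": "WS-022", "parent": "cmd.exe",
     "image": "sc.exe", "cmdline": "sc query WinDefend"},                             # benign
]

# Microsoft-Windows-Windows Defender/Operational records: (time, host, event_id, message). Constructed.
SAMPLE_DEFENDER_EVENTS = [
    ("2024-03-01T09:11:50", "WS-017", 1116, "Detected Trojan:Win32/Trickbot in C:\\Users\\Public\\inv.exe"),
    ("2024-03-01T09:12:02", "WS-017", 5001, "Real-time protection is disabled."),
    ("2024-03-01T09:12:07", "WS-017", 5007,
     "Configuration changed: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"),
    ("2024-03-01T11:00:00", "WS-022", 1001, "Scan finished."),
]

# Representative command lines that switch Defender off or carve holes in it.
TAMPER_PATTERNS = [
    (re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)", re.I),
     "Defender protection disabled via Set-MpPreference"),
    (re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I),
     "Defender exclusion added via Add-MpPreference"),
    (re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\s+WinDefend\b", re.I),
     "WinDefend service stopped, reconfigured or deleted"),
    (re.compile(r"\breg(\.exe)?\s+add\b.*Windows Defender.*\bDisableAntiSpyware\b", re.I),
     "Defender disabled via DisableAntiSpyware registry value"),
]

# A script host whose parent is a document reader or another script
# interpreter is the usual first hop of a macro-laden phishing attachment.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wscript.exe", "mshta.exe"}

# Defender operational events that mean protection was switched off.
DEFENDER_TAMPER_IDS = {
    5001: "real-time protection disabled",
    5010: "scanning for malware disabled",
    5012: "scanning for viruses disabled",
}


def scan_process_events(events):
    """One finding per matching rule per process-creation record."""
    findings = []
    for ev in events:
        for pattern, rule in TAMPER_PATTERNS:
            if pattern.search(ev["cmdline"]):
                findings.append({"time": ev["time"], "host": ev["host"],
                                 "rule": rule, "detail": ev["cmdline"]})
        if ev["image"].lower() in SCRIPT_HOSTS and ev["parent"].lower() in DOCUMENT_PARENTS:
            findings.append({"time": ev["time"], "host": ev["host"],
                             "rule": "script host spawned by document reader or script interpreter",
                             "detail": f'{ev["parent"]} -> {ev["image"]}'})
    return findings


def scan_defender_events(events):
    """Findings from Defender's own log: protection switched off, or an
    exclusion path added (event 5007 whose changed key sits under Exclusions)."""
    findings = []
    for time, host, event_id, message in events:
        if event_id in DEFENDER_TAMPER_IDS:
            findings.append({"time": time, "host": host,
                             "rule": DEFENDER_TAMPER_IDS[event_id], "detail": message})
        elif event_id == 5007 and "\\Exclusions\\" in message:
            findings.append({"time": time, "host": host,
                             "rule": "Defender exclusion added (event 5007)", "detail": message})
    return findings


def tamper_timeline(process_events, defender_events):
    """Merge both sources into one time-ordered list, so the analyst sees the
    document-spawned PowerShell, the Defender shutdown and the new exclusion
    as one sequence rather than as isolated alerts."""
    merged = scan_process_events(process_events) + scan_defender_events(defender_events)
    return sorted(merged, key=lambda f: (f["time"], f["host"]))


if __name__ == "__main__":
    for f in tamper_timeline(SAMPLE_PROCESS_EVENTS, SAMPLE_DEFENDER_EVENTS):
        print(f["time"], f["host"], f["rule"])
```

On the constructed data, every finding lands on WS-017 within seven seconds: Word spawning PowerShell, Defender reporting real-time protection off, the service being stopped, the registry kill switch, then an exclusion for the folder the dropper lives in. The benign `Get-MpComputerStatus` and `sc query` on WS-022 produce nothing. Correlating the process telemetry with Defender's own 5001/5007 events is what turns a single noisy command-line rule into a high-confidence tampering alert.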

Trickbot is often the first stage of follow-on malware infections, including the ransomware strains Ryuk and Diavol.

Why is Trickbot So Dangerous?

Trickbot is a highly successful malware family that can be thought of as having multiple functions. Its adaptability and expandability are what make it so dangerous.

  • Credential and Sensitive Data Theft: Trickbot uses its remote-control channel and the other infected computers (bots) to send sensitive data, including login credentials and financial information, back to the attacker.
  • Privilege Escalation: Trickbot modules can facilitate privilege escalation. Privilege management is therefore an essential part of identity security, preventing a compromised account from reaching sensitive areas of the network and its data.
  • Follow-On Attacks: Trickbot opens the door to follow-on attacks, such as ransomware infection. The Russian hacking group WIZARD SPIDER has used Trickbot to deploy the Ryuk and Conti ransomware families. The US government published a notice warning about Conti ransomware attacks, whose victims had paid out over $150,000,000, and offered a $10 million reward for information on the gang behind the attacks.
  • Evasive Tactics: One reason Trickbot is so successful is its evasiveness. Because the malware is remotely controlled, operators can modify it to keep it hidden, and dedicated modules detect and disable anti-virus software.
  • Installation of Backdoors for Remote Access to a Network: Trickbot lets attackers link multiple infected devices across a wide network, giving them remote access and control to carry out further attacks.

Infection by Trickbot means that costs quickly add up. Below are indicative costs of some of the serious impacts of Trickbot attacks:

Ransomware

Ransomware costs are staggering, and it's not just the ransom that causes financial pain. The average ransom payout is $2 million. However, companies also pay for operational downtime, which is around $25,620 per hour for SMBs and $540,000 per hour for enterprises. Recovery costs are estimated at around $2.7 million. Then there is the reputational damage of a ransomware infection, which leads to lost business and stolen customer data; estimates put the cost of reputational damage at around 20% of the total cost of the attack.

Stolen Login Credentials

Stolen credentials can lead to a multitude of follow-on attacks, including account takeover (ATO), widespread data theft, and scams like Business Email Compromise. A report from the Identity Theft Resource Center (ITRC) found that SMBs reported losses of over $500,000 due to account compromise and ID theft.

Stolen Company Data, Including IP

Stolen company secrets can materially impact competitive edge and customer trust. Once in the hands of cybercriminals, your proprietary information can be sold to the highest bidder on the dark web.

How to Prevent a Trickbot Infection

Trickbot malware is stealthy and evasive, which makes it difficult to detect and prevent. However, the following measures can help protect your company against a Trickbot attack:

Run Network Scans

Network scanning software locates exposed services, such as unnecessary open ports, before an attacker's own scanner (like Trickbot's masrv module) finds them. Some open-source tools look for specific tell-tale signs of Trickbot infection; for example, Microsoft published an open-source scanner that detects MikroTik routers (IoT devices) that have been compromised by Trickbot.

Patch and Update

Many Trickbot campaigns look for vulnerabilities in software and firmware and exploit them to infect the device. Patch and update your systems promptly and routinely, and do not leave services such as RDP exposed to the internet.

Advanced AI-Powered Anti-Malware

Next-generation anti-malware / anti-virus software uses AI and machine learning to help identify emerging and complex threats.

Robust Identity Management

Enforce the principle of least privilege (PoLP) and zero-trust identity security to reduce the likelihood that privilege escalation grants access to sensitive areas of the network. Robust identity management, including multi-factor authentication, also helps mitigate the impact of phishing-led credential theft.

Network Segmentation

Segmenting network areas, in accordance with a zero-trust architecture, can help mitigate the impact of a Trickbot infection taking over a network.

Security Awareness Training

Educate all employees on the dangers of phishing and how to identify phishing and social engineering attempts. Use phishing simulation exercises to train users about how phishing works.

Monitor the Dark Web

Dark web monitoring tools, such as Sentinex, let companies look for signs that they are being targeted by cybercriminals, including searches of dark web forums and marketplaces for company details or credentials being offered to attackers. Knowing that your organization is at risk helps you prepare against a cyberattack.

FAQs

How to Remove a Trickbot

Some advanced anti-malware software that uses machine learning may be able to detect and remove Trickbot. Otherwise, locating and removing a Trickbot infection is complex, and because Trickbot so often precedes ransomware, an infected host should be handled as a potential incident rather than a routine clean-up. This CISA advisory provides details on Trickbot mitigation and response:

"Technical Approaches to Uncovering and Remediating Malicious Activity"

How Do Authorities Deal with Trickbot cybercriminals?

From time to time, authorities and companies such as Microsoft act against Trickbot gangs. Recently, the U.S. Justice Department arrested and charged several individuals who deployed Conti ransomware against American school districts, local governments, and financial institutions. Microsoft and several telecommunications companies disrupted Trickbot by taking down the infrastructure the gangs used to distribute and control the malware. However, gangs quickly rebound from these types of takedown.

Why Do Cybercriminals Use Trickbot?

Money, notoriety in the cybercriminal community, and grudges appear to be the main reasons cybercriminals turn to Trickbot.