TrickBot is a banking trojan that was first detected in September 2016 and since that time had been developed to incorporate the targeting of multiple geographies and online services. The malware was developed to gain unauthorized access to customer bank accounts to facilitate fraudulent transactions, but also targeted users of online services such as Salesforce and cryptocurrency services. The malware was reportedly delivered via spam emails containing malicious attachments, including those distributed by the Necurs botnet, and via the RIG exploit kit. In some cases, TrickBot used an exploit called EternalBlue (affects CVE-2017-0144) or Windows API calls to propagate in a local network. The functions and activities of TrickBot are reportedly very similar to the Dyre banking trojan, and it was assessed by researchers to be linked to this trojan, including that at least one of the developers of Dyre was involved in the development of TrickBot.
A combined effort by what was believed to be the Cyber Command Branch of the US Department of Defense and multiple security companies managed to severely disrupt the Trickbot botnet in early October 2020. On the 18th of October 2020, Microsoft reported that 94% of Trickbot’s botnet infrastructure had been crippled. On the 20th of October 2020, BleepingComputer reported that the TrickBot operation was "on the brink of completely shutting down following efforts from an alliance of cybersecurity and hosting providers targeting the botnet's command and control servers".
It will come as a shock to learn that BitDefender researchers observed a new version of Trickbot’s VNC module (also known as vncDLL) being deployed in May 2021 across the remaining C2 infrastructure. This, combined with the fact that researchers have also noticed a spike in C2 traffic worldwide, means that a new Trickbot campaign could be on the immediate horizon in Q3 of 2021.
Integrity360 are always closely monitoring for targeted threats towards our customers. New indicators of compromise that we find are automatically added in real-time to our MDR and incident response capability.
For more information please check the related content links listed below.
- Security Affairs - Trickbot improve its VNC module in recent attacks
- The Hacker News - Trickbot Malware Returns
This blog and its content is provided as a general guide to the subject matter. You should always seek specialist advice about your specific situation.