TrickBot explained: A multi-purpose crimeware tool that haunted businesses for years

What is TrickBot?

TrickBot is one of the longest-lived botnets on the internet and represents a major threat to businesses and other organizations because it serves as a distribution platform for the infamous Ryuk ransomware and other threat actors. In October, Microsoft together with several partners launched a coordinated action to disrupt the botnet’s command-and-control (C2) infrastructure, and while the battle for control of the botnet is ongoing, the TrickBot gang already has a backup plan in place: an even stealthier crimeware tool they’ve been developing since earlier this year.

“TrickBot has infected over a million computing devices around the world since late 2016,” Microsoft said when announcing the TrickBot takedown operation. “While the exact identity of the operators is unknown, research suggests they serve both nation-states and criminal networks for a variety of objectives.”

TrickBot’s evolution

TrickBot, also known as TrickLoader, started out as a Trojan program focused on stealing online banking credentials and piggybacking browsing sessions to initiate fraudulent transfers directly from victims’ computers. It is considered the successor of the Dyre or Dyreza Trojan, which itself spun off from the GameOver Zeus operation and the larger cybercrime group behind it known as the Business Club. The rise of banking Trojans over the past decade gave birth to the crimeware-as-a-service model that powers today’s cybercrime economy. TrickBot is a prime example of that development.

Thanks to its modular architecture, TrickBot evolved into a multi-purpose platform whose capabilities far exceed the theft of online banking credentials. Researchers from antivirus firm ESET who have tracked the botnet from its early beginnings have seen over 28 different plugins developed for it. These modules added features like RDP scanning, email searching, VNC-based remote desktop, worm-like lateral movement through the SMB EternalRomance and EternalBlue exploits, and more.

“In 2020 alone, our automatic platform analyzed more than 125,000 malicious samples and downloaded and decrypted more than 40,000 configuration files used by the different TrickBot modules,” the ESET researchers said in a recent report. The company was one of the partners involved in the Microsoft-led takedown operation.

In recent years, TrickBot has been increasingly used as an intrusion and reconnaissance tool rather than a traditional banking Trojan, with its creators relying on it to sell access into corporate networks to other hackers who want to deploy their own malware. A good example is the Ryuk ransomware, which for a long time was almost exclusively distributed through TrickBot.

The group behind Ryuk often spends months mapping the networks of high-value targets and performs lateral movement through manual hacking techniques. Their goal is to gain full administrative control and to deploy the ransomware on as many computers as possible in one go for maximum impact. While Ryuk is almost always preceded by a TrickBot infection, not all TrickBot infections lead to Ryuk, suggesting the gang behind this ransomware program carefully chooses its victims from the larger pool of networks and systems infected with the Trojan.

Because TrickBot access is rented to multiple groups, infected computers often end up hosting post-exploitation tools such as PowerShell Empire, Metasploit and Cobalt Strike; credential theft tools like Mimikatz and LaZagne; or network reconnaissance tools like BloodHound and ADFind. These complement the capabilities already built into the Trojan and its plugins.

Recently, researchers from security firms Eclypsium and Advanced Intelligence observed a new TrickBot module that enables attackers to search for misconfigurations and vulnerabilities in the BIOS/UEFI firmware of compromised computers. In the future, this capability can be leveraged to brick systems by corrupting the firmware, or to deploy highly persistent low-level malware implants that are extremely hard to detect and remove.

TrickBot’s distribution

TrickBot has historically been distributed through email phishing campaigns carrying malicious attachments—usually Word or Excel documents with rogue macros, but also Java Network Launch Protocol (.jnlp) files. These email campaigns are widespread and indiscriminately target both organizations and consumers. Their lures include fake notices about shipments, invoices, receipts, payments, declarations, and other financial-related things, but can also be inspired by current events. For example, some TrickBot campaigns observed this year tried to exploit the public’s interest in the Black Lives Matter movement and the COVID-19 pandemic and some used malicious links to websites instead of attachments.

“The sender infrastructure for all these emails varied as well,” Microsoft said in a report. “In most campaigns, operators used compromised legitimate email accounts and compromised marketing platforms to distribute the malicious emails. However, in one instance, the operators registered several domains using less popular top-level domains (TLDs) such as ‘.monster’ and ‘.us’ to create their own mail server and send malicious emails from attacker-defined email addresses.”

According to telemetry data from ESET gathered between October 2019 and October 2020, the spread of TrickBot is global, impacting users from all continents. The TrickBot variants deployed by each campaign contain different group tags (gtags), which is a way for attackers to track the success of each individual campaign.

The TrickBot gang also seems to have a close relationship with the cybercriminals behind another banking Trojan and botnet called Emotet. These two malware families distribute each other, so TrickBot will also often be installed on computers by Emotet.

TrickBot’s takedown and future

On October 12, 2020, Microsoft announced that it obtained a US court order allowing it and its partners to disable IP addresses used by TrickBot C2 servers and to render those servers and their content inaccessible to the botnet’s operators. The company worked with telecommunication providers around the world to implement the technical action, as well as with other industry partners including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec. The company’s effort followed an unsuccessful attempt a few weeks prior, reportedly by the US Cyber Command, to disrupt the botnet by pushing configuration files to infected computers that would cut them off from the C2 infrastructure.

According to an analysis by security intelligence firm Intel 471, the TrickBot operators fought back and attempted to regain control after October 13 by setting up new infrastructure and distributing new TrickBot samples through Emotet and email spam campaigns. However, the number of active TrickBot C2 servers kept dropping and by November 6 the company couldn’t find any that was still active. That said, a spam campaign distributing a new version of TrickBot was seen on November 9, suggesting the attackers haven’t given up.

Microsoft said that it’s working with ISPs and national CERTs to help infected users clean their computers, but it remains to be seen how successful this will be and if it will mean the death of TrickBot in the long run. Even if it is, the hackers have a backup plan in place.

In July 2020, researchers from Cybereason reported that the TrickBot group was working on a new malware toolset and developed a loader and backdoor program called Bazar. While it shares some techniques and infrastructure with TrickBot, this new malware family was developed with evasion, stealth, and persistence in mind and uses blockchain DNS domains making it more resilient to takedown attempts.

Since this new threat surfaced, security firms have already seen it deploying the Ryuk ransomware. So, the TrickBot group had already begun transitioning its high-value customers to this newer malware loader before the future of its primary botnet was threatened.

Last year, researchers also reported that the TrickBot gang developed a special component called Anchor that seemed to cater to APT groups, signaling an expansion of the gang’s customer base to include nation-state actors. Anchor was seen delivering backdoor tools that are associated with Lazarus, North Korea’s state-funded cyberespionage arm. These developments suggest that even if the TrickBot botnet doesn’t recover, the cybercrime group behind it is not going away anytime soon.

“Regardless of the switch from TrickBot to BazarLoader, we are encouraged by the overall impact of disruption activity against TrickBot’s infrastructure,” the Intel 471 researchers said. “At the very least, this disruption activity caused the actors behind TrickBot to spend time and effort setting up new infrastructure instead of impacting and ransoming victims.”