Trickbot is a banking malware that targets Windows machines. It was developed around 2016 and already carries a lot of features, many of them inspired by another banking trojan called Dyreza, according to Malwarebytes' analysis. As if targeting a wide array of international banks was not enough, Trickbot can also steal Bitcoin wallets, making it a very destructive piece of malware and not only a banking threat but a financial one. It combines two different approaches to steal banking information from its victims: it can try to extract the credentials from banks and platforms directly, or it can use a fake phishing page to trick victims into sending their credentials.
The malware is highly customizable and was created following a modular implementation, making it easier to add more and more features over time. All of its modules, each with its specific task, are also accompanied by a configuration file. One interesting characteristic of the malware is its use of hacked wireless routers as Command & Control (C&C) servers.
For infection, Trickbot relies on a series of spam campaigns that use fake emails with an attachment as the distribution mechanism. It can also use a URL in the email body to trick the victim into downloading the malware. Before the payload itself is reached, execution falls through a number of processes, culminating in PowerShell being used to download the final payload (pointer.exe). The malware then uses the system's Task Scheduler to run automatically. Another key characteristic of the malware is its use of the already old EternalBlue exploit to propagate between systems.
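The infection chain above leaves a hunting opportunity on the host: a scheduled task whose action runs PowerShell with download-style arguments. The script below is an added example, not code from the original post or from any vendor analysis; it enumerates scheduled tasks with the built-in ScheduledTasks module and flags that pattern. The list of download indicators is an assumption chosen for illustration and can be extended with local knowledge.

```powershell
# Added example: hunt for scheduled tasks that launch PowerShell with
# download-style arguments (the staging and persistence pattern described above).
# The indicator list below is an assumption, not taken from any Trickbot sample.
$downloadIndicators = @(
    'DownloadFile', 'DownloadString', 'Net.WebClient',
    'Invoke-WebRequest', 'iwr ', 'Start-BitsTransfer',
    '-enc', 'http://', 'https://'
)

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "exec" actions carry Execute/Arguments; skip COM handler or email actions
        if (-not $action.Execute) { continue }

        $commandLine = "$($action.Execute) $($action.Arguments)"
        $runsPowerShell = $action.Execute -match '(powershell|pwsh)(\.exe)?"?\s*$'

        # Case-insensitive substring match against each indicator
        $matched = $downloadIndicators | Where-Object {
            $commandLine -match [regex]::Escape($_)
        }

        if ($runsPowerShell -and $matched) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                State    = $task.State
                Author   = $task.Author
                Command  = $commandLine
                Matched  = ($matched -join ', ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No scheduled tasks launching PowerShell with download indicators.'
}
```

A hit is a lead, not a verdict: review the task's trigger, author and the downloaded file before acting, since legitimate administration scripts can match the same strings.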
However, a new variant of the malware spotted in mid-October is now able to steal credentials from a number of applications, such as Microsoft Outlook, WinSCP and FileZilla. This is possible thanks to a new module the malware downloads after infection, called "pwgrab32". That isn't all: Trickbot can also steal your web browser data, including cookies, browsing history, autofill information (which may hold sensitive data) and usernames and passwords. All of that comes on top of what it already does, which is stealing your money.
With Trickbot now stealing credentials, it's clear that malware writers keep adding features to their arsenal over time. That said, it's important to keep a constant watch over your systems. Get in touch with LIFARS if you suspect you were a victim of extortion or if you believe your bank credentials were stolen. Our team has proven experience in the field!