Trickbot: Banking Trojan

Original Issue Date:- June 23, 2017
Virus Type:- Trojan/Botnet
Severity:-High

It has been reported that the new variants of the banking malware named as “TrickBot” is spreading. The malware mainly targets banks, payments processors and CRM systems. The infection vector used by the malware is similar to the tactics used by other banking Trojans such as dyreza, Dridex, Locky and Jaff ransomware, i.e. an macro embedded PDF/ documents files in emails which make use of PowerShell to fetch and deploy payloads on the targeted users.


The malware is capable of performing the following functions:

  • Steals Banking credentials of the targeted online banking users with on the fly HTML-injection and redirection attacks.
  • Contains fake banking URLs, which when browsed by the victims, is capable of intercepting the network traffic.
  • Make network connections to command and control server to fetch further droppers or payloads.
  • Check target environment specifiers, if found unfavorable conditions then it does not successfully execute itself.
  • Make use of different file extensions to evade detection by email security solutions.
  • Make use of browser manipulation techniques.
  • Launches customize redirection attacks.

Aliases:Generic.Trojan.TrickBot.41B29EF0(Ad-Aware), Backdoor.Agent.Trickbot (ALYac), Win32:TrickBot-B [Trj](Avast), Win32:TrickBot-B [Trj](AVG), Generic.Trojan.TrickBot.41B29EF0(BitDefender), TrojWare.Win32.TrickBot.A(Comodo), Generic.Trojan.TrickBot.41B29EF0(B)(Emsisoft), Generic.Trojan.TrickBot.41B29EF0(F-Secure), Generic.Trojan.TrickBot.41B29EF0(GData), Generic.Trojan.TrickBot.41B29EF0(eScan), Trojan.Trickybot(Symantec).

Indicators of compromise:

Network connections:


Malware makes an encrypted network connection to its command and control server. It make use of its own user agent named as "BotLoader" or "TrickLoader". It has also been reported that the command and control server used by the malware authors are actually set up on the compromised/ hacked wireless routers.

List of Malware MD5:

List of the MD5 hashes of the trickbot malware binaries are mentioned below:


  • 044F4F4491F3395F3046F60CAEF820C7
  • 070BABE9EF7820172ABC450B748EC277
  • 08BA011DF60438CCB9462E819E7EC722
  • 614ce512084d4c750fee535eeb0cb667
  • 66f03a4a6121472784a18ff1016fea21
  • f6f91bc05e9813ea9b5b7441ce1631e6

Note: For complete list of indicators of compromise, kindly refer to the references section.

Countermeasures:

  • Net-banking users should implement an Antivirus/Internet Security Suites on all of their devices including their mobile phones.
  • Restrict execution of powershell /WSCRIPT in  enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis. Reference:https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif , .wsf and .scr files.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
  • Exercise caution while installing third party applications or freeware software solutions.
  • Configure browsers to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Not allowing administrative access to systems, with the exception of special administrative accounts for administrators
  • Enable firewall at gateway or desktop level.
  • Do not download or open attachment in emails received from untrusted sources or unexpectedly received from trusted users.
  • Install and scan anti malware engines and keep them up-to-date.
  • Block the attachments of file types, "exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf"

References