The TrickBot Trojan is a complex banking Trojan that was first identified in 2016. While the malware started out as an information stealer dedicated to harvesting online banking credentials, it has evolved massively over the past four years, and several modules have been added that provide a host of other malicious capabilities.

The TrickBot Trojan’s information stealing capabilities have been greatly enhanced. In addition to banking credentials, it will steal system and network data, email credentials, tax data, and intellectual property. TrickBot is capable of moving laterally and silently infecting other computers on the network using authentic Windows utilities and the EternalRomance exploit for the SMBv1 vulnerability. The malware can place a backdoor for persistent access. TrickBot also acts as a malware installer and will download other malicious payloads, such as Ryuk ransomware.

The Trojan is often updated and new variants are regularly made available. The Command and Control infrastructure is also constantly changing. According to a review by Bitdefender, more than 100 new IPs are added to its C&C infrastructure each month with each having a lifespan of around 16 days. The malware and its infrastructure are highly complex, and while steps have been taken to dismantle the operation, the hackers are managing to stay one step ahead.

TrickBot is primarily distributed by spam email through the Emotet botnet. An Emotet infection leads to TrickBot being downloaded, and a TrickBot infection in turn sees the computer added to the Emotet botnet. Once all useful data has been obtained from an infected system, the baton is passed to the Ryuk ransomware operators: a reverse shell is opened, giving them access to the network.

A recent review of a variant captured by Bitdefender on January 30, 2020 has shown that another method of distribution has been added to its arsenal. The Trojan now has a module for brute-forcing RDP. The brute force RDP attacks are mainly being carried out against organizations in the financial services, education, and telecom industries and are currently aimed at organizations in the United States and Hong Kong, although it is likely that the attacks will spread region by region over the coming weeks. The attacks are being conducted to steal intellectual property and financial data.

Since the TrickBot Trojan is modular, it can always be updated with new features, and the evolution of the malware so far, together with its success, means it will go on being a threat for some time to come. Thankfully, it is possible to prevent infections by practicing good cyber hygiene.

Spam is still the main method of delivery for both the Emotet Trojan and TrickBot so an advanced spam filter is vital. Since new variants are constantly being made available, signature-based detection methods alone are not enough. SpamTitan incorporates a Bitdefender-powered sandbox to analyze suspicious email attachments for malicious activity. This ensures the malicious activity of completely new malware variants is identified and the emails are quarantined before they can cause any damage.

If you don’t require RDP, ensure it is turned off. If you do, ensure access is restricted (for example, to a VPN or to specific source addresses) and that strong passwords are enforced. Use account lockout or rate limiting to block login attempts after a set number of failures, and ensure multifactor authentication is implemented to prevent stolen credentials from being used.
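The brute-force RDP campaign described above and the "block after a set number of failures" advice here can both be checked against Windows Security logs. The following Python script is an added example written for this article; it is not code from the article, from TitanHQ, or from Bitdefender. It assumes a simplified one-line rendering of Event ID 4625 (failed logon) with its logon type, target account and source address, and the sample log lines, the threshold of 5 failures in 5 minutes, and the allowlist are all constructed for illustration.

```python
"""Detect RDP password-guessing from Windows Security logon-failure events (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry), flattened from the fields of
# Windows Security Event ID 4625 "An account failed to log on". Logon type 10 is
# RemoteInteractive (RDP without NLA). With NLA enabled, a failed RDP logon is
# recorded as logon type 3 (Network) instead, so both types are treated as RDP
# candidates; type 3 also covers SMB, so correlate with TCP/3389 traffic in practice.
SAMPLE_LOG = """\
2020-02-01T10:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7 Status=0xC000006D
2020-02-01T10:00:03 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7 Status=0xC000006D
2020-02-01T10:00:05 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7 Status=0xC000006D
2020-02-01T10:00:07 EventID=4625 LogonType=10 TargetUser=finance SourceIP=203.0.113.7 Status=0xC000006D
2020-02-01T10:00:09 EventID=4625 LogonType=10 TargetUser=sql SourceIP=203.0.113.7 Status=0xC000006D
2020-02-01T10:00:11 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7 Status=0xC000006D
2020-02-01T10:02:30 EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=10.0.0.25 Status=0xC000006A
2020-02-01T10:03:10 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.25 Status=0x0
2020-02-01T10:15:00 EventID=4625 LogonType=2 TargetUser=console SourceIP=- Status=0xC000006A
2020-02-01T10:20:00 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=198.51.100.9 Status=0xC000006D
2020-02-01T10:20:02 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=198.51.100.9 Status=0xC000006D
2020-02-01T10:20:04 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=198.51.100.9 Status=0xC000006D
2020-02-01T10:20:06 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=198.51.100.9 Status=0xC000006D
2020-02-01T10:20:08 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=198.51.100.9 Status=0xC000006D
2020-02-01T10:40:00 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=198.51.100.9 Status=0xC000006D
"""

# Pattern for the constructed one-line format above (an assumption of this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def parse_events(text):
    """Parse the flattened log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
            "status": m["status"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          rdp_logon_types=(3, 10)):
    """Sliding-window count of failed RDP logons per source address.

    Returns {source_ip: alert} for every source that reaches `threshold` failures
    inside `window`. Distinct accounts tried within the window separate a password
    spray (many accounts, few guesses each) from a single-account brute force.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, account) of failures still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] not in rdp_logon_types:
            continue
        if ev["ip"] == "-":  # local/console failures carry no source address
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            tried = sorted({user for _, user in q})
            alerts[ev["ip"]] = {
                "first_seen": q[0][0],
                "trigger_time": ev["ts"],
                "failures_in_window": len(q),
                "accounts_tried": tried,
                "pattern": "spray" if len(tried) > 1 else "single-account",
            }
    return alerts


def block_list(alerts, allowlist=()):
    """Source addresses to feed into a firewall/lockout rule, minus any explicit allowlist."""
    return sorted(ip for ip in alerts if ip not in allowlist)


if __name__ == "__main__":
    found = detect_rdp_bruteforce(parse_events(SAMPLE_LOG))
    for ip, alert in found.items():
        print(f"{ip}: {alert['pattern']} attack, {alert['failures_in_window']} failures "
              f"by {alert['trigger_time']}, accounts {alert['accounts_tried']}")
    print("block:", block_list(found))
```

In the sample data, 203.0.113.7 cycles through five different accounts in ten seconds (a spray, consistent with a scanner working through a wordlist), while 198.51.100.9 hammers one service account; the single failure from 10.0.0.25 followed by a successful type 10 logon is a user mistyping a password and is not flagged. Threshold and window should match the lockout policy you configure, and the block list is only useful if it feeds an automated control rather than a ticket queue.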

For additional details on SpamTitan Email Security and to find out how you can enhance your defenses against email and web-based attacks, contact the TitanHQ team now.