History of TrickBot
TrickBot started off as a banking information stealer, but nothing about it is simple, even right from the beginning.
When Malwarebytes researchers first found TrickBot in 2016, it already boasted attributes one does not normally see in "simple" credential stealers. Initially, it targeted financial services and their users for banking data. It also dropped other malware.
TrickBot has the reputation of being the successor of Dyreza, another credential stealer that first appeared in the wild in 2014. TrickBot shared similarities with Dyreza, such as certain variables with similar values and the way its creators set up the command-and-control (C&C) servers TrickBot communicates with. This has led many researchers to believe that the person or group behind Dyreza also created TrickBot.
In 2017, the developers added a worm module to TrickBot, which we believe was inspired by successful ransomware campaigns with worm-like capabilities, such as WannaCry and EternalPetya. They also added a module to harvest Outlook credentials. Why Outlook? Hundreds of organizations and millions of individuals worldwide use it for email. The range of data TrickBot steals also widened: cookies, browsing history, URLs visited, Flash LSO (Local Shared Objects), and more.
Although these modules were new at the time, they were not well coded.
In 2018, TrickBot continued to exploit the SMB vulnerability its worm module relied on. It was also equipped with a module that disables Windows Defender's real-time monitoring using a PowerShell command. While it had also updated its encryption algorithm, the rest of its module functionality stayed the same. TrickBot's developers also started protecting their code from being taken apart by security researchers by adding obfuscation.
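The Defender-disabling step above is a good detection opportunity: the PowerShell cmdlet that turns off real-time monitoring is logged by script block logging (Windows PowerShell Operational event 4104), and Defender itself records event 5001 ("Real-time protection is disabled") in its Operational log. The following is an added example, not Malwarebytes' or TrickBot's code, and the log lines, their key=value layout, the host names and users are all constructed for the demonstration. It flags Set-MpPreference invocations that disable a Defender protection and raises the severity when a 5001 event follows on the same host within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Event 4104 carries the
# ScriptBlockText of executed PowerShell; event 5001 is Defender reporting that
# real-time protection was turned off. WS02's command changes a schedule and
# should not fire; WS03 disables protections but has no confirming 5001 event.
SAMPLE_LOGS = [
    "2024-03-01T10:01:02Z host=WS01 channel=Microsoft-Windows-PowerShell/Operational id=4104 user=CORP\\alice ScriptBlockText=Get-ChildItem C:\\Users",
    "2024-03-01T10:01:07Z host=WS01 channel=Microsoft-Windows-PowerShell/Operational id=4104 user=CORP\\alice ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-03-01T10:01:08Z host=WS01 channel=Microsoft-Windows-Windows Defender/Operational id=5001 user=SYSTEM Message=Real-time protection is disabled.",
    "2024-03-01T10:05:00Z host=WS02 channel=Microsoft-Windows-PowerShell/Operational id=4104 user=CORP\\bob ScriptBlockText=Set-MpPreference -ScanScheduleDay 0",
    "2024-03-01T10:06:00Z host=WS03 channel=Microsoft-Windows-PowerShell/Operational id=4104 user=CORP\\carol ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring 1 -DisableBehaviorMonitoring $true",
]

# Layout of the constructed lines; the channel name may contain a space, so it
# is matched lazily up to the " id=" field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) channel=(?P<channel>.+?) id=(?P<id>\d+) "
    r"user=(?P<user>\S+) (?:ScriptBlockText|Message)=(?P<text>.*)$"
)

# Set-MpPreference switches that turn off a Defender protection, with a
# truthy argument ($true or 1). Case-insensitive because PowerShell is.
TAMPER_RE = re.compile(
    r"Set-MpPreference\b.*?-Disable(?:RealtimeMonitoring|BehaviorMonitoring|IOAVProtection)"
    r"\s+(?:\$true|1)\b",
    re.IGNORECASE,
)


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["id"] = int(ev["id"])
    return ev


def detect(lines, window=timedelta(seconds=60)):
    """Return one alert per Defender-tampering command.

    Severity is 'high' when Defender's own event 5001 follows the command on
    the same host within `window`, confirming real-time protection went off;
    otherwise 'medium' (command seen, effect not confirmed by Defender).
    """
    events = [ev for ev in (parse(line) for line in lines) if ev]
    commands = [ev for ev in events if ev["id"] == 4104 and TAMPER_RE.search(ev["text"])]
    disabled = [ev for ev in events if ev["id"] == 5001]

    alerts = []
    for cmd in commands:
        confirmed = any(
            d["host"] == cmd["host"] and timedelta(0) <= d["ts"] - cmd["ts"] <= window
            for d in disabled
        )
        alerts.append({
            "host": cmd["host"],
            "user": cmd["user"],
            "command": cmd["text"],
            "severity": "high" if confirmed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']}: {alert['command']}")
```

On the constructed input this yields a high-severity alert for WS01 (command plus confirming 5001 event) and a medium one for WS03, while WS02's harmless schedule change is ignored. In practice the 4104 side requires script block logging to be enabled, and on current Defender builds Tamper Protection blocks this cmdlet from changing those settings, which makes its appearance in logs suspicious on its own.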
At the end of the year, TrickBot was ranked as the top threat against businesses, overtaking Emotet.
TrickBot's developers made changes to the Trojan yet again in 2019, specifically to how the webinject feature works against the US-based mobile carriers Sprint, Verizon Wireless, and T-Mobile.
Recently, researchers have noted an improvement in this Trojan's evasion methods. Mworm, the module responsible for spreading a copy of TrickBot, was replaced by a new module called Nworm. This new module alters TrickBot's HTTP traffic and lets it run from memory after infecting a domain controller, so the infection leaves no on-disk traces on that machine.