Trickbot ‘Son of Dyre’

Each day, security operation centers and researchers alike wage battle against incoming waves of scanning, brute force attempts, and malicious email (i.e. malspam). It’s here, under the cover of so many spam campaigns, that we find the Trickbot banking trojan, which continues to successfully execute and evolve as one of the most competent campaigns in today’s crimeware.

Trickbot is commonly believed to be the ‘son of Dyre’, a successful banking trojan campaign that suddenly went offline in November 2015. In September of the following year, a new banking trojan (calling itself ‘Trickbot’) appeared on the crimeware scene; shortly thereafter, its lineage from Dyre was well established in research from Fidelis, which provides strong evidence of an “obvious correlation between the code used in this bot [Trickbot] and that from Dyre”. This same conclusion was also reached in independent research by Malwarebytes.


Typical Trickbot Operations

Trickbot operations, as observed by @dvk01uk on April 6 2018, are representative of the campaign’s well-established TTPs. In this instance, Necurs delivers a fake Her Majesty’s Revenue and Customs (HMRC) “Accelerated payment notice”, hmrc_19600418.doc, to the victim’s inbox.

This maldoc attempts to exploit CVE-2017-11882, a Microsoft Office memory corruption vulnerability, to deliver the Trickbot banking trojan (and subsequent downloaded modules).

Below, the network traffic shows the Trickbot payload, hakus.png, being downloaded from bouwgoed[.]nl, hosted on TransIP at 149.210.163[.]2.

This payload contains a Trickbot loader executable and a number of modules and configs. Once decoded, we’re able to examine the main configuration module <mcconf> and identify the trojan’s malware version <ver> (1000167), campaign identifier <gtag> (ser0406), C2 servers <srv>, and additional modules to <autorun> (e.g., “systeminfo” and “injectDll”).
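As an added illustration (not code from the post), the following parser pulls those fields out of a decoded <mcconf> module; the sample XML is constructed around the <ver> and <gtag> values above with documentation-range C2 addresses, and the <servs> wrapper element and the module attribute names are assumptions about the layout.

```python
"""Extract the fields the post calls out from a decoded Trickbot <mcconf>
module: version, campaign tag, C2 servers and autorun modules."""
import xml.etree.ElementTree as ET

# Constructed sample: <ver> and <gtag> are the values from the post; the
# C2 addresses are documentation ranges; the <servs> wrapper and module
# attribute names are assumptions about the layout.
SAMPLE_MCCONF = """\
<mcconf>
  <ver>1000167</ver>
  <gtag>ser0406</gtag>
  <servs>
    <srv>203.0.113.10:443</srv>
    <srv>198.51.100.7:449</srv>
  </servs>
  <autorun>
    <module name="systeminfo" ctl="GetSystemInfo"/>
    <module name="injectDll"/>
  </autorun>
</mcconf>
"""

def parse_mcconf(xml_text):
    """Return a dict with ver (int), gtag, srv [(ip, port)] and autorun [names]."""
    root = ET.fromstring(xml_text)
    if root.tag != "mcconf":
        raise ValueError(f"expected <mcconf>, got <{root.tag}>")
    servers = []
    # iter() finds <srv> whether or not it sits inside a <servs> wrapper.
    for srv in root.iter("srv"):
        host, _, port = (srv.text or "").strip().rpartition(":")
        if host and port.isdigit():
            servers.append((host, int(port)))
    autorun = [m.get("name") for m in root.iter("module") if m.get("name")]
    return {
        "ver": int(root.findtext("ver", "0")),
        "gtag": root.findtext("gtag", "").strip(),
        "srv": servers,
        "autorun": autorun,
    }

def c2_blocklist(cfg):
    """Distinct C2 IPs from a parsed config, ready for a firewall or IDS list."""
    return sorted({host for host, _ in cfg["srv"]})

if __name__ == "__main__":
    cfg = parse_mcconf(SAMPLE_MCCONF)
    print(f"Trickbot v{cfg['ver']} gtag={cfg['gtag']} autorun={cfg['autorun']}")
    print("C2:", ", ".join(f"{h}:{p}" for h, p in cfg["srv"]))
```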

Trickbot uses two different methods to target banking websites: web fakes and server side injection. The static inject config supports ‘web fakes’, where an infected victim browsing to an online banking platform is redirected to a replica of the bank’s login page on a malicious server in order to steal their credentials. The dynamic inject config supports server side injection of ‘form grabber’ code (JavaScript) to acquire victim credentials.

Each entry in the configuration lists below defines a targeted banking website, the webinject type, and the IP address of a server hosting the webinject.


A number of other core modules (and configs) are typically decoded from resources of the loader executable. These (along with those already shown) provide the core functionality of the banking trojan’s targeting, C2, intelligence collection, lateral movement, networking, exfiltration, etc., and have proven an area of near continuous development.

In addition to adopting EternalBlue and legitimate SSL certificates in mid-2017, the Trickbot group has established a strong cadence for introducing new modules (e.g., the LDAP “domain Grabber”, screen locker, and network collector modules all since Dec 2017) and also diversifying their revenue stream through crypto-currency targeting (e.g., Coinbase) and mining (e.g., Monero).

Examining the network traffic from the active infection from our fake HMRC “Accelerated payment notice”, we can see clear indications of Trickbot’s TLS encrypted C2 (below).

It’s important to note that the trojan uses more than just port 443 for communications; ports 447 and 449 were also observed (to different IP addresses) for C2 and presumably exfil in this infection. (Note: typical Trickbot infections see encrypted C2 active to multiple destinations across multiple ports including: 443, 444, 445, 449, and 451.)

For more information on Trickbot’s TLS encrypted C2, please check out Symantec Director of Threat Research Andrew Brandt’s presentation from BlueHat late last year.


Trending Campaign Activity

Although Trickbot is loosely targeted at the financial industry, don’t assume that only one campaign is active at a time. Even in limited observed activity, a number of active Trickbot payloads appeared staged (ready for download!) on April 6th. As further evidence, a number of active research efforts are also monitoring the various current Trickbot campaigns.


Trickbot binaries in play for 06 Apr

Source: @botNET


Current Trickbot research:

And while the Necurs botnet remains the primary delivery mechanism for this banking trojan, it’s not uncommon to see other deliveries and even shared payloads. Take for instance the 2017 Necurs and QtBot campaigns observed to deliver both Locky and Trickbot, and just recently Trickbot hashes were seen on the same McHost machine (Shodan shot below) used for Gootkit payloads. Coincidence? (Hashes of LNK files w/ same machine ID – win-344vu98d3ru)

As for the overall scope of activity, EscInSecurity currently tracks the banking trojan’s historical campaigns, and below we can see that Trickbot actors don’t typically miss a beat.

As we near the two year mark for Trickbot operations (primarily targeting the financial vertical), it remains to be seen if the group can sustain their operations and new capabilities development efforts in order to prove themselves as successful as their Dyre predecessors.


Mitigation and Detection

While mitigation of the Trickbot banking trojan is best achieved through the application of email security control mechanisms such as Domain-based Message Authentication, Reporting and Conformance (DMARC), maintaining currency with critical application patching (e.g., all things Microsoft) is as important if not more so.

As far as detection, JASK’s Investigation capability (i.e. Zeppelin) can be leveraged to identify Trickbot’s TLS encrypted C2 to multiple destination IPs over ports 443, 444, 445, 449, and 451.
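To show how the multi-port, multi-destination pattern described here and in the C2 traffic section above can be turned into a concrete check, here is an added example (not JASK’s Zeppelin logic or any code from the post) that scores Zeek-style conn.log lines; the log lines, hosts and field layout are constructed, and port 447 is included because this infection used it.

```python
"""Flag hosts whose TLS sessions fan out to several destinations on the
Trickbot C2 port set.  Added example; the log lines are constructed."""
from collections import defaultdict

# Ports the post associates with Trickbot C2: 443 (default TLS) plus the
# non-standard 444, 445, 447, 449 and 451.
C2_PORTS = {443, 444, 445, 447, 449, 451}

# Constructed Zeek-style conn.log lines (tab separated):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = """\
1523000000.1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl
1523000001.2\t10.0.0.5\t51001\t198.51.100.7\t449\ttcp\tssl
1523000002.3\t10.0.0.5\t51002\t198.51.100.9\t447\ttcp\tssl
1523000003.4\t10.0.0.7\t51003\t192.0.2.20\t443\ttcp\tssl
1523000004.5\t10.0.0.7\t51004\t192.0.2.21\t443\ttcp\tssl
1523000005.6\t10.0.0.7\t51005\t10.0.0.1\t445\ttcp\t-
"""

def parse_conn_log(text):
    """Yield (orig_h, resp_h, resp_p, service) for each data line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        yield f[1], f[3], int(f[4]), f[6]

def detect_trickbot_c2(text, min_dests=2):
    """Return {orig_h: sorted [(resp_h, resp_p), ...]} for hosts with TLS
    sessions to at least `min_dests` distinct IPs on the C2 port set where
    at least one session uses a port other than 443.  Ordinary browsing
    (many 443 destinations, nothing else) and non-TLS SMB on 445 are
    deliberately not flagged."""
    tls_by_host = defaultdict(set)
    for orig, resp, port, service in parse_conn_log(text):
        if service == "ssl" and port in C2_PORTS:
            tls_by_host[orig].add((resp, port))
    alerts = {}
    for host, dests in tls_by_host.items():
        ips = {ip for ip, _ in dests}
        odd_ports = {p for _, p in dests if p != 443}
        if len(ips) >= min_dests and odd_ports:
            alerts[host] = sorted(dests)
    return alerts

if __name__ == "__main__":
    for host, dests in detect_trickbot_c2(SAMPLE_CONN_LOG).items():
        print(host, "->", ", ".join(f"{ip}:{p}" for ip, p in dests))
```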

There are also a number of available (and open source) YARA signatures for various elements of the Trickbot banking trojan; however, please bear in mind that the effectiveness of these signatures will vary depending on each organization’s network defense sensors and posturing. A few examples are below:


rule trickbot_trojan
{
    meta:
        author = "[email protected]"
        description = "detects trickbot trojan"
    strings:
        $str_01 = "moduleconfig"
        $str_02 = "Start"
        $str_03 = "Control"
        $str_04 = "FreeBuffer"
        $str_05 = "Release"
    condition:
        // every string above must be present
        all of ($str_*)
}


rule trickbot_dllinject_module
{
    meta:
        author = "[email protected]"
        description = "detects trickbot dllinject module"
    strings:
        $str_01 = "user_pref("
        $str_02 = "<ignore_mask>"
        $str_03 = "<require_header>"
        $str_04 = "</dinj>"
        $str_05 = "</sinj>"
    condition:
        all of ($str_*)
}


rule trickbot_sysinfo_module
{
    meta:
        author = "[email protected]"
        description = "detects trickbot systeminfo module"
    strings:
        $str_01 = "<program>"
        $str_02 = "<service>"
        $str_03 = "</systeminfo>"
        $str_04 = "GetSystemInfo.pdb"
        $str_05 = "</autostart>"
        $str_06 = "</moduleconfig>"
    condition:
        all of ($str_*)
}


rule trickbot_mailsearcher_module
{
    meta:
        author = "[email protected]"
        description = "detects trickbot mailsearcher module"
    strings:
        $str_01 = "mailsearcher"
        $str_02 = "handler"
        $str_03 = "conf"
        $str_04 = "ctl"
        $str_05 = "SetConf"
        $str_06 = "file"
        $str_07 = "needinfo"
        $str_08 = "mailconf"
    condition:
        all of ($str_*)
}


rule trickbot_network_module_in_memory
{
    meta:
        description = "detects trickbot network module in memory"
        author = "@VK_Intel"
        reference = "Detects unpacked Trickbot network64Dll"
        date = "2018-04-02"
        hash = "0df586aa0334dcbe047d24ce859d00e537fdb5e0ca41886dab27479b6fc61ba6"
    strings:
        $s0 = "***PROCESS LIST***" fullword wide
        $s1 = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" fullword wide
        $s2 = "***USERS IN DOMAIN***" fullword wide
        $s3 = "Operating System: %ls" fullword wide
        $s4 = "<moduleconfig><autostart>yes</autostart><sys>yes</sys><needinfo name=\"id\"/><needinfo name=\"ip\"/><autoconf><conf ctl=\"SetCon" ascii
        $s5 = "Content-Length: %lu" fullword wide
        $s6 = "Boot Device - %ls" fullword wide
        $s7 = "Serial Number - %ls" fullword wide
        $s8 = "Content-Disposition: form-data; name=\"proclist\"" fullword ascii
        $s9 = "Content-Disposition: form-data; name=\"sysinfo\"" fullword ascii
        $s10 = "Product Type - Server" fullword wide
        $s11 = "***SYSTEMINFO***" fullword wide
        $s12 = "OS Version - %ls" fullword wide
        $s13 = "(&(objectcategory=person)(samaccountname=*))" fullword wide
        $s14 = "Product Type - Domain Controller" fullword wide
    condition:
        // MZ header, small unpacked module, and most of the strings above
        uint16(0) == 0x5a4d and filesize < 70KB and 12 of ($s*)
}


