Trojan.TrickBot

Trojan.TrickBot is a Trojan that compromises bank accounts by monitoring bank site-specific data transactions, recording the user's input devices, or redirecting you to phishing sites. Like the Dyreza Trojan, a closely related threat, Trojan.TrickBot may not display symptoms before collecting your data and compromising your account. Rely on your anti-malware products for blocking this program's installation exploits or, in worst cases, removing Trojan.TrickBot before it hijacks your account.

When Trojan Tricks Trigger Twice

The path of a threat campaign's development often crosses with those of other threats, particularly ones with similar, widely-applicable payloads, such as a banking Trojan. With most copycats, malware experts can trace copy-pasted code or updates to an earlier threat, without which the authors would have few resources. Trojan.TrickBot, a new banking Trojan, blurs the lines of what constitutes an update for old threats by using the philosophy, but not necessarily the code, already seen in the Dyreza Trojan's campaign.

The Dyreza Trojan was a banking Trojan under maintenance by Russian con artists who were believed to be apprehended by the authorities after gathering millions of dollars. Now, the appearance of Trojan.TrickBot shows that at least one threat author related to the team may have escaped capture, or, alternately, been able to leak resources related to the Dyreza Trojan to other coders. Trojan.TrickBot shares many of the Dyreza Trojan's functions, but with all-new code written in C++, as opposed to the latter's C.

Trojan.TrickBot continues using a modular approach to compromising PCs, giving con artists the ability to add or remove features contained in specific modules between attacks. Malware experts saw the latest versions of Trojan.TrickBot, such as those targeting Australian bank users in September, using only one data-collecting modular component meant for siphoning account passwords and similar information.

However, Trojan.TrickBot's campaign also appears to be testing other attacks, such as HTML injection exploits that could modify a bank website page in the victim's browser (by asking for valuable information or redirecting you to seemingly legitimate phishing domains).

Putting the 'Treat' Bank into Your Bank Browsing

Trojan.TrickBot is an unusual example of a Trojan whose attacks borrow the implementation philosophy and hallmarks, but not necessarily the actual, underlying code of a past threat campaign. Since the coder maintaining Trojan.TrickBot is showing signs of being at least as competent as those of the Dyreza Trojan (also Dyre), similar sums of millions of dollars from hundreds of bank chains most likely are at risk.

Some of Trojan.TrickBot's infrastructure also harbors potential associations with threats connected to both the Dyreza Trojan and other banking Trojans previously. Victims may wish to refer to resources on the Cutwail spam botnet and the Pushdo Trojan downloader for further information. Spam is a particularly likely infection vector for Trojan.TrickBot, which installs itself with no symptoms and commits its data-collecting attacks without alerting the PC user, when possible.

PC users should patch their anti-malware threat databases in cases where their security software only has incorporated definitions for Trojan. TrickBot (whose first deployment dates to no earlier than September of 2016) in recent updates. Because of its high stealth features and a potential for committing other attacks not covered in full here, removing Trojan.TrickBot should always conclude with consulting your bank on additional security measures, when appropriate.

Although the Dyreza Trojan may be 'dead,' its spirit lives on in new threats accomplishing the same misdeeds with brand-new code.

Technical Details