Separate campaigns show how Trickbot has updated its execution and defense-evasion techniques. First, the banking trojan can now be distributed as a Dynamic Link Library (DLL) file, as first reported by Malware Traffic. Second, Morphisec reports that it has added Windows 10-exclusive features. Trend Micro researchers have also encountered samples of both new variants.
Trickbot distributed via DLL
Trickbot is usually delivered as an EXE loader that in turn loads its DLL modules. The new variant instead uses a DLL as the loader itself. The trojan is dropped by a Microsoft Word document, which is presumed to be spread as a malicious attachment in spam emails. Upon initial infection, Trickbot appears as an MS-DOS application file. The trojan then establishes persistence on the infected Windows host: a scheduled task that drops and runs Trickbot as a DLL can be observed afterwards.
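A defender hunting for this persistence mechanism can export scheduled tasks as XML (for example with schtasks /Query /TN name /XML or Export-ScheduledTask) and flag any task whose action runs a DLL. The following Python is an added example and not code from the article or from Trend Micro; the Task Scheduler XML namespace is real, but the launcher list, the sample task definitions and the DllRegisterServer export name are constructed assumptions, since the article does not say how the scheduled task invokes the DLL.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema, as written by
# "schtasks /Query /TN <name> /XML" and Export-ScheduledTask.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Built-in Windows binaries that load and run a DLL on the caller's behalf.
# Which launcher Trickbot's task uses is not stated in the article; this
# list and the rundll32 sample below are assumptions for the example.
DLL_LAUNCHERS = {"rundll32.exe", "regsvr32.exe"}
DLL_RE = re.compile(r"\.dll\b", re.IGNORECASE)


def dll_launching_actions(task_xml: str) -> list[dict]:
    """Return every <Exec> action in a task definition that runs a DLL,
    either through a known DLL launcher or by naming a .dll on its command line."""
    root = ET.fromstring(task_xml)
    hits = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        # Compare only the executable's base name, whatever directory it lives in.
        cmd_base = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        via_launcher = cmd_base in DLL_LAUNCHERS
        names_dll = bool(DLL_RE.search(cmd) or DLL_RE.search(args))
        if via_launcher or names_dll:
            hits.append({"command": cmd, "arguments": args, "via_launcher": via_launcher})
    return hits


# Constructed sample: what a persistence task for a DLL-based loader might
# look like. This is not a real Trickbot task definition.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\Public\update.dll,DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_doc in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, dll_launching_actions(xml_doc))
```

Treat a hit as a lead, not a verdict: legitimate software also registers DLLs through rundll32 and regsvr32, so the next step is to check the DLL's path, signature and creation time against the infection timeline.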
Trickbot Windows 10 exclusive features
The threat actors behind Trickbot have also added Windows 10-exclusive features, possibly to evade sandboxes that emulate older Windows versions. This capability was added through OSTAP, Trickbot's downloader.
The trojan spreads via Microsoft Word document files. The malicious files follow the naming convention "i<7-9 random digits>.doc" and usually contain a blurred image. The document claims to be protected and asks the user to enable content (which lets its embedded macros run) so that the image can be "decrypted" and viewed clearly.
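The naming convention and the "enable content" lure both translate into a triage rule for an email gateway or a mailbox sweep. The following Python is an added example, not code from the article or from Trend Micro: it flags attachments whose name matches the i<7-9 digits>.doc pattern, whose .doc extension does not match an OLE compound file, or whose OLE container carries a Macros storage. The Macros check is a crude assumption-level heuristic (a UTF-16LE substring scan for the storage name rather than a real OLE parse), and the sample file bytes are constructed, not real documents.

```python
import re

# OLE compound-file signature; binary .doc files start with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Naming convention reported for the lure documents: "i" + 7 to 9 digits + ".doc".
LURE_NAME_RE = re.compile(r"^i\d{7,9}\.doc$", re.IGNORECASE)

# OLE directory entries store storage names as UTF-16LE; Word keeps a VBA
# project under a "Macros" storage. Scanning for the raw name is a crude
# heuristic (assumption) and no substitute for a real OLE/VBA parser.
MACROS_STORAGE = "Macros".encode("utf-16-le")


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be quarantined for review
    (an empty list means no rule fired)."""
    reasons = []
    if LURE_NAME_RE.match(filename):
        reasons.append("filename matches i<7-9 digits>.doc lure pattern")
    is_ole = data.startswith(OLE_MAGIC)
    if filename.lower().endswith(".doc") and not is_ole:
        reasons.append("extension .doc but not an OLE compound file")
    if is_ole and MACROS_STORAGE in data:
        reasons.append("document carries a Macros storage (VBA project)")
    return reasons


# Constructed sample bytes, not real documents: just enough structure for the
# heuristics above to operate on.
LURE_DOC = (OLE_MAGIC + b"\x00" * 64 + "Root Entry".encode("utf-16-le")
            + b"\x00" * 16 + MACROS_STORAGE + b"\x00" * 32)
CLEAN_DOC = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le") + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("i12345678.doc", LURE_DOC), ("invoice.doc", CLEAN_DOC),
                       ("i1234567.doc", b"PK\x03\x04")):
        print(name, triage_attachment(name, blob) or ["clean"])
```

The filename rule is the weakest of the three: attackers can rename lures at will, and a .docm or other OOXML file is a ZIP container, so the OLE-based checks do not apply to it. For production use, run flagged files through a proper VBA extractor rather than relying on the substring scan.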
Defending against Trickbot
Trickbot compromised over 250 million email accounts in 2019, and its constant evolution is something that enterprises and users should keep an eye on. To defend against the trojan, enterprises are strongly encouraged to conduct internal training on mitigating email threats: employees should learn how to spot malicious emails and avoid downloading attachments or clicking on links from unfamiliar sources.