Trickbot Spreads as DLL, Comes with Upgrades Targeting Windows 10

Additional insights by Angelo Deveraturda

Separate campaigns show how Trickbot has updated its execution and defense evasion techniques. First, the banking trojan can now be distributed as Dynamic Link Library (DLL) files, as first detected by Malware Traffic. Morphisec also reports that it has added Windows 10 exclusive features. Trend Micro researchers also encountered samples of these new variants.

Trickbot distributed via DLL

Trickbot usually loads through an EXE file with DLL modules. The new variant now uses DLL files as a loader. The trojan is being dropped by a Microsoft Word Document, which is presumed to have been spread using malicious attachments in spam emails. Upon initial infection, Trickbot appears as an MS-DOS application file. The trojan will then establish persistence on the infected Windows host. A scheduled task for dropping Trickbot as a DLL can then be seen.

Trickbot was first discovered in August 2016 as a banking trojan that steals email credentials from infected computers. It then uses the compromised email accounts to spread malicious emails. The threat actors behind this notorious banking trojan have been actively updating it with new capabilities that make it more challenging to detect. It has also gained features such as detection evasion, screen-locking, and remote application credential-grabbing. Previous reports also saw it targeting OpenSSH and OpenVPN, and being distributed through highly obfuscated JavaScript files.

Trickbot Windows 10 exclusive features

The threat actors behind Trickbot have also added Windows 10-exclusive features, possibly to avoid detection by sandboxes that mimic earlier Windows versions. This capability was added through the Trickbot downloader OSTAP.

The trojan spreads via Microsoft Word Document files. The malicious files follow the naming convention “i<7-9 random digits>.doc” and usually contain a blurred image. The document claims to be protected and asks the user to enable content in order to “decrypt” it and see the clear image.

Once the user enables content, the malicious macro executes. There is also a concealed ActiveX control below the image, which uses the MsRdpClient10NotSafeForScripting class for remote control. The malicious OSTAP JavaScript downloader is hidden in white-colored font in the lower part of the document body; this makes it invisible to users but still readable by the machine, enabling OSTAP to execute.
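As an added example (not code from the original report or from Trend Micro), the following Python script statically triages an OOXML Word attachment for the three lure traits described above: the i<7-9 random digits>.doc naming convention, the presence of a VBA project together with an ActiveX part, and text runs set in white font. The OOXML part paths and the white-font heuristic are assumptions on my part, and the `build_sample_docx` helper produces a constructed stand-in file, not a real sample; the legacy binary .doc format would need an OLE parser instead.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Lure naming convention from the report: "i" followed by 7-9 digits, .doc extension
LURE_NAME_RE = re.compile(r"^i\d{7,9}\.doc$", re.I)


def white_font_runs(document_xml: str) -> list:
    """Return the text of every run whose run properties set font colour FFFFFF (white)."""
    root = ET.fromstring(document_xml)
    hidden = []
    for run in root.iter(W + "r"):
        color = run.find(f"{W}rPr/{W}color")
        if color is not None and color.get(W + "val", "").upper() == "FFFFFF":
            hidden.append("".join(t.text or "" for t in run.iter(W + "t")))
    return hidden


def triage_docx(data: bytes, filename: str = "") -> dict:
    """Static triage of an OOXML Word file (part paths are assumed OOXML conventions)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        lower = [n.lower() for n in names]
        result = {
            "lure_filename": bool(LURE_NAME_RE.match(filename)),
            "has_vba_project": any(n.endswith("vbaproject.bin") for n in lower),
            "has_activex": any(n.startswith("word/activex/") for n in lower),
            "white_font_text": [],
        }
        if "word/document.xml" in names:
            xml = z.read("word/document.xml").decode("utf-8", "replace")
            result["white_font_text"] = white_font_runs(xml)
    # Heuristic verdict: macro plus either an ActiveX part or non-empty white-font text
    result["suspicious"] = result["has_vba_project"] and (
        result["has_activex"] or any(s.strip() for s in result["white_font_text"]))
    return result


def build_sample_docx(hidden_text: str, macro: bool = True, activex: bool = True) -> bytes:
    """Constructed stand-in for a lure document used for testing; not a real sample."""
    doc = (f'<w:document xmlns:w="{W[1:-1]}"><w:body>'
           '<w:p><w:r><w:t>Enable content to decrypt this document</w:t></w:r></w:p>'
           '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
           f'<w:t>{hidden_text}</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        if macro:
            z.writestr("word/vbaProject.bin", b"\x00")  # placeholder VBA project part
        if activex:
            z.writestr("word/activeX/activeX1.xml", "<placeholder/>")  # placeholder ActiveX part
    return buf.getvalue()
```

Run `triage_docx(open(path, "rb").read(), os.path.basename(path))` on a quarantined attachment; the verdict is a triage hint, not a detection signature.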

Defending against Trickbot

Having compromised over 250 million email accounts in 2019, Trickbot’s constant evolution is something that enterprises and users should keep an eye on. To defend against the trojan, enterprises are highly encouraged to conduct internal training on mitigating email threats. Employees should learn how to spot malicious emails, and avoid downloading attachments and clicking on links from unfamiliar sources.

For tighter security against such threats, Trend Micro Email Security detects and stops spam before it can inflict more damage on the system. Enterprises can also rely on other security solutions for email and collaboration under the Trend Micro Smart Protection Suites: Trend Micro™ Deep Discovery Email Inspector™ and Trend Micro™ InterScan Messaging Security.

Indicators of Compromise

