Trickbot Spreads as DLL, Comes with Upgrades Targeting Windows 10

Separate campaigns show how Trickbot has updated its execution and defense evasion techniques. First, the banking trojan can now be distributed as Dynamic Link Library (DLL) files, as first detected by Malware Traffic. Morphisec also reports that it has added Windows 10 exclusive features. Trend Micro researchers also encountered samples of these new variants.

Trickbot distributed via DLL

Trickbot usually loads through an EXE file with DLL modules. The new variant now uses DLL files as a loader. The trojan is being dropped by a Microsoft Word Document, which is presumed to have been spread using malicious attachments in spam emails. Upon initial infection, Trickbot appears as an MS-DOS application file. The trojan will then establish persistence on the infected Windows host. A scheduled task for dropping Trickbot as a DLL can then be seen.

Trickbot was first discovered in August 2016 as a banking trojan that steals email credentials from infected computers. It then uses the compromised email accounts to spread malicious emails. Threat actors behind this notorious banking trojan have been actively updating it with new capabilities that make it more challenging to detect. It has also gained additional features such as detection evasion, screen-locking, and remote application credential-grabbing. Previous reports also saw it targeting OpenSSH and OpenVPN, and being distributed through highly obfuscated JavaScript files.

Trickbot Windows 10 exclusive features

The threat actors behind Trickbot have also added Windows 10-exclusive features, possibly to avoid detection from sandboxes that mimic early Windows versions. This capability was added through the Trickbot downloader OSTAP.

The trojan spreads via Microsoft Word Document files. The malicious files follow the naming convention “i<7-9 random digits>.doc” and usually contain a blurred image. The document claims to be protected and asks the user to enable content in order to decrypt it and see the clear image.

Once the user enables content, the malicious macro executes. There is also a concealed ActiveX control below the image, which uses the MsRdpClient10NotSafeForScripting class for remote control. The malicious OSTAP JavaScript downloader is hidden in white-colored font in the lower part of the document body. This makes it unnoticeable to users but still visible to machines, enabling OSTAP to execute.
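As an added example (not from the original article or from Trend Micro's tooling), a small Python triage script for OOXML Word files (.docx/.docm) that flags the three lure characteristics described above: a VBA project part, embedded ActiveX control parts with their class IDs, and text runs colored white (FFFFFF), which is how hidden white-font content is stored in the document XML. The article's samples are binary .doc files, which this script does not parse; the sample archive, the placeholder class ID and the hidden string are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS


def triage_docx(data: bytes) -> dict:
    """Scan an OOXML Word document (bytes) for the lure characteristics:
    a VBA project, ActiveX control parts, and white-on-white text runs."""
    findings = {"macro": False, "activex_parts": [], "activex_classids": [], "white_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["macro"] = "word/vbaProject.bin" in names
        for name in names:
            if name.startswith("word/activeX/") and name.endswith(".xml"):
                findings["activex_parts"].append(name)
                ocx = ET.fromstring(z.read(name))
                # ax:classid identifies the control; matched by local attribute name
                for key, val in ocx.attrib.items():
                    if key.endswith("}classid") or key == "classid":
                        findings["activex_classids"].append(val)
        root = ET.fromstring(z.read("word/document.xml"))
        for run in root.iter(W + "r"):
            rpr = run.find(W + "rPr")
            color = rpr.find(W + "color") if rpr is not None else None
            if color is not None and color.get(W + "val", "").upper() == "FFFFFF":
                text = "".join(t.text or "" for t in run.iter(W + "t")).strip()
                if text:
                    findings["white_text"].append(text)
    return findings


def build_sample() -> bytes:
    """Constructed minimal archive mimicking the lure; not a real Trickbot document."""
    doc = ('<w:document xmlns:w="%s"><w:body>'
           '<w:p><w:r><w:t>Enable content to view the image</w:t></w:r></w:p>'
           '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>'
           '<w:t>hidden downloader placeholder</w:t></w:r></w:p>'
           '</w:body></w:document>') % W_NS
    ocx = ('<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
           'ax:classid="{00000000-0000-0000-0000-000000000000}"/>')  # placeholder class ID
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/vbaProject.bin", b"\x00")  # stands in for a real VBA project
        z.writestr("word/activeX/activeX1.xml", ocx)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_docx(build_sample()))
```

Any one of the three findings alone is common in benign documents; all three together in an emailed attachment is worth quarantining for manual review.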

Defending against Trickbot

Trickbot compromised over 250 million email accounts in 2019, and its constant evolution is something that enterprises and users should keep an eye on. To defend against the trojan, enterprises are highly encouraged to conduct internal training on mitigating email threats. Employees should learn how to spot malicious emails, and avoid downloading attachments and clicking on links from unfamiliar sources.

For tighter security against such threats, Trend Micro Email Security detects and stops spam before it can inflict more damage on the system. Enterprises can also rely on other security solutions for email and collaboration under the Trend Micro Smart Protection Suites: Trend Micro™ Deep Discovery Email Inspector™ and Trend Micro™ InterScan Messaging Security.

