We have observed variants of this threat exhibiting various behaviors. This analysis is based on the following sample file (SHA-256):
Trickbot is modular in design, and it affords a lot of flexibility to attackers. There are numerous Trickbot modules with different capabilities. Campaign operators use different modules depending on their intentions.
The main Trickbot module establishes a connection with a command-and-control (C2) server. It then receives commands and downloads, installs, and monitors various modules.
Arrival
Campaign operators distribute Trickbot by sending phishing messages that contain either a malicious document or a link that downloads the same or a similar document. The malicious document downloads and executes an initial Trickbot payload on the device. This initial payload is the only file physically present on the infected device. The initial payload allocates memory and decrypts the loader.
Initial execution by Trickbot loader
The Trickbot loader runs in memory. When first launched on a device, the Trickbot loader creates an array of encrypted functions on the stack.
Each function is specified by its index in the array of the encrypted function offsets. The loader decrypts various strings that store the configuration information. Each function is decrypted at runtime, executed, and then encrypted again.
The array of encrypted strings also specifies the API that is used to create suspended processes into which the main Trickbot module is to be injected. The loader resolves APIs dynamically at runtime and builds an import address table in the memory of the malicious process.
The loader uses UAC bypass to gain administrator privileges.
Behavior on 64-bit devices
On 64-bit systems, Trickbot uses the heaven’s gate technique to switch from 32-bit code to 64-bit code. After the switch, the 64-bit loader injects the main Trickbot module in the suspended process. The template for the heaven’s gate code is hard-coded in one of the functions decrypted by the loader.
Execution of the main module
The specific steps involved in the execution of the main module and their sequence vary for different variants. The major tasks performed by the main module are:
- Collection of information about the infected system
- Decryption of the public key, used in TLS communication
- Creation of a directory – Trickbot creates a directory and moves itself there. It creates processes and file paths that mimic legitimate applications. In one case, it created a home directory under the path: Microsoft\Windows\Start Menu\Programs\AudibleFree
- Creation of scheduled tasks
- Decryption of initial configuration information
Security evasion
Trickbot checks the IP address of the device it is running on to see if the device belongs to one of the following URL reputation services:
- zen.spamhaus.org
- cbl.abuseat.org
- b.barracudacentral.org
- dnsbl-1.uceprotect.net
- spam.dnsbl.sorbs.net
In addition, Trickbot detects automated malware analysis sandboxes and antivirus products.
Scheduled tasks
Trickbot achieves persistence by installing scheduled tasks on the infected system. In one instance, it created a task called AudibleFree, mimicking a popular audiobook service.
The details of the scheduled tasks are also communicated via the array of encrypted strings and decrypted at runtime.
Command and control
Trickbot arrives with an initial configuration—decrypted in an allocated heap at runtime—that consists of a version number, a group identifier called gtag, a list of C2 servers, and autorun instructions for the first module. To obtain additional configuration information, including additional modules to download and use, Trickbot establishes TLS connections with the C2 servers. It calls out to the C2 servers using one of the following request templates, each with its own meaning and used for more than one task:
- %s/%s/63/%s/%s/%s/%s/
- /%s/%s/10/%s/%s/%d/
- /%s/%s/23/%d/
- /%s/%s/5/%s/
- /%s/%s/0/%s/%s/%s/%s/%s/
- /%s/%s/14/%s/%s/0/
- /%s/%s/1/%s/
- /%s/%s/25/%s/
- %s/%s/64/%s/%s/%s/
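The request templates above can be turned into detection logic for web proxy or TLS-inspection logs. The following is an added example, not code from the original analysis: it converts each printf-style template into an anchored regex, extracts the numeric command code from a URL path, and runs that over a few constructed log lines. It assumes (the page does not say so) that the first two path segments carry the gtag and a per-bot identifier.

```python
import re
from urllib.parse import urlsplit

# Request templates exactly as listed above (printf-style: %s = string, %d = integer).
TRICKBOT_REQUEST_TEMPLATES = [
    "%s/%s/63/%s/%s/%s/%s/", "/%s/%s/10/%s/%s/%d/", "/%s/%s/23/%d/",
    "/%s/%s/5/%s/", "/%s/%s/0/%s/%s/%s/%s/%s/", "/%s/%s/14/%s/%s/0/",
    "/%s/%s/1/%s/", "/%s/%s/25/%s/", "%s/%s/64/%s/%s/%s/",
]

def template_to_regex(template):
    """Turn one printf-style template into an anchored regex over a URL path."""
    pattern = re.escape(template)
    pattern = pattern.replace(re.escape("%s"), r"[^/]+").replace(re.escape("%d"), r"\d+")
    if not template.startswith("/"):  # two templates omit the leading slash
        pattern = "/" + pattern
    return re.compile("^" + pattern + "$")

COMPILED = [(t, template_to_regex(t)) for t in TRICKBOT_REQUEST_TEMPLATES]

def match_request_path(path):
    """Return the matching template and command number for a URL path, else None.
    Assumption (not stated on the page): the first two segments are the gtag and a per-bot id."""
    for template, rx in COMPILED:
        if rx.match(path):
            seg = path.strip("/").split("/")
            return {"template": template, "gtag": seg[0], "bot_id": seg[1], "command": int(seg[2])}
    return None

# Constructed proxy log lines (not real traffic); the last field is the requested URL.
CONSTRUCTED_LOG_LINES = [
    "2020-10-12T10:01:02Z 10.0.0.5 POST https://198.51.100.7:443/tot123/bot-example/5/file/",
    "2020-10-12T10:01:05Z 10.0.0.5 GET https://198.51.100.7:443/tot123/bot-example/23/1000003/",
    "2020-10-12T10:02:00Z 10.0.0.6 GET https://www.example.com/index.html",
]

def flag_log_lines(lines):
    """Return (url, command) for every log line whose URL path fits a Trickbot template."""
    hits = []
    for line in lines:
        url = line.split()[-1]
        info = match_request_path(urlsplit(url).path)
        if info:
            hits.append((url, info["command"]))
    return hits

if __name__ == "__main__":
    for url, cmd in flag_log_lines(CONSTRUCTED_LOG_LINES):
        print(f"command {cmd}: {url}")
```

The templates are loose (any `/a/b/5/c/` path fits the command-5 shape), so treat a match as a hunting lead to correlate with the decrypted C2 server list and TLS destination, not as a standalone alert.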
It monitors the status of the downloaded modules through continuous communications between the main module and the downloaded modules.
Trickbot encrypts all communications. It decrypts the public key at runtime and decrypts all responses from the C2 server in memory. In one instance, Trickbot was observed using the following public key:
Additional modules
Depending on the intention of its operators for a particular intrusion, Trickbot can download and deploy various modules that provide all kinds of functionality. Microsoft security researchers have seen Trickbot modules with the following names:
- pwgrab
- networkDll
- importDll
- injectDll
- mshareDll
- nwormDll
- rdpscanDll
- tabDll