Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2021.
TrickBot is a modular banking trojan that targets users’ financial information and acts as a dropper for other malware. Believed to be operated by a single group as a service, different users of the service tend to use different initial infection vectors for TrickBot, often first infecting systems with another malware family such as Emotet or IcedID. In some cases, TrickBot is the initial payload delivered directly from malicious email campaigns.
TrickBot primarily steals sensitive data and credentials and also has multiple additional modules enabling a more fully featured malware service. It has delivered follow-on payloads like Cobalt Strike that eventually lead to Ryuk and Conti ransomware. Other research teams have linked TrickBot code similarities to other malware families such as BazarBackdoor, PowerTrick, and Anchor. The threat group behind the development of these malware toolkits is referred to as WIZARD SPIDER by CrowdStrike.
This year’s big news around TrickBot occurred in October 2020, when U.S. Cyber Command and Microsoft conducted takedowns of TrickBot infrastructure. Researchers throughout the community debated how effective these takedowns were, but generally agreed there was some disruption. From Red Canary’s perspective, we saw no TrickBot activity in October, followed by fairly low numbers in November and December as compared to the rest of 2020. Around the same time of TrickBot’s decline, we also observed a rise in the prevalence of Bazar. While correlation is not causation, the timing of these patterns suggests WIZARD SPIDER (or other identifiers for the operators of these families) may have switched focus from TrickBot to Bazar.
Decline in prevalence
We observed TrickBot in fewer detections in 2020 as compared to 2019. Multiple TrickBot outbreaks in 2019 contributed largely to some of the top techniques in last year’s report, including Process Injection and Scheduled Task. While TrickBot still made it into our top 10 for 2020, it did not run rampant in environments in the same way we observed the previous year. Many of our TrickBot detections were only on the initial malicious executable being written, and we did not observe follow-on execution. Others were leftover TrickBot persistence via scheduled tasks that had not been cleaned up. Overall, this tells us that throughout 2020, TrickBot had less success in follow-on exploitation than it did in 2019. This suggests, but does not confirm, that TrickBot may have already been decreasing in prevalence and effectiveness throughout 2020, and the takedown operations may have just added on to that decline.