{"id":6137,"date":"2021-03-19T13:49:20","date_gmt":"2021-03-19T20:49:20","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6137"},"modified":"2024-04-26T13:20:50","modified_gmt":"2024-04-26T20:20:50","slug":"malicious-activity-report-trickbot-loader","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/malicious-activity-reports\/malicious-activity-report-trickbot-loader\/","title":{"rendered":"Malicious Activity Report: Trickbot Loader"},"content":{"rendered":"<h3><strong>Author: Andreas Klopsch<\/strong><\/h3>\n<h3><strong>TLP:WHITE<\/strong><\/h3>\n<p>&nbsp;<\/p>\n<h3>Executive Summary<\/h3>\n<p>Recent activity from a Trickbot campaign targeting the insurance and legal sector<a href=\"#m82ojaewhujs\"><sup>1<\/sup><\/a> shows that the botnet is still a threat, despite U.S. Cyber Command\u2019s attempt to disrupt it in October 2020.<a href=\"#gyioyxxxolts\"><sup>2<\/sup><\/a> Given the potential impact of this threat, we are releasing this detailed report on Trickbot\u2019s functionality to provide our customers and security researchers with the knowledge to prepare for and defend from potential Trickbot-related threats.<\/p>\n<p>In this report, we describe Trickbot\u2019s packer and process execution chain, provide insight on identifiers generated by the malware, as well as detail its signature verification and persistence techniques. 
We include an explanation of the configuration and how it is decrypted during execution, along with an overview of the network flow and the capabilities of the command and control (C&amp;C) protocol.<\/p>\n<p>Trickbot uses string encryption, and so to support other researchers, our full report includes a script to decrypt strings embedded in the sample we analyzed.<\/p>\n<h3>Overview<\/h3>\n<p>Trickbot, first observed in 2016,<a href=\"#mqulp3gb6j0f\"><sup>3<\/sup><\/a> has transformed from a standard banking trojan into a highly modular loader used by financially-motivated cybercriminals, as well as by threat actors linked to nation state activities.<a href=\"#ye14v5t0ftbz\"><sup>4<\/sup><\/a> Trickbot is sold as malware-as-a-service (MaaS) and has been linked to multiple security events<a href=\"#y570h71g3ll0\"><sup>5<\/sup><\/a> in the past. The following timeline shows a list of events related to Trickbot:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-overview.jpg\" alt=\"\" width=\"960\" height=\"470\" class=\"aligncenter size-full wp-image-6686\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-overview.jpg 960w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-overview-300x147.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-overview-768x376.jpg 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 1: Timeline of published security events related to Trickbot<br \/>\n<\/em><\/p>\n<p>We have seen Trickbot-related indicators, as well as malspam campaigns distributing Trickbot in our own data sources. 
Since its first appearance in 2016, the malware authors behind Trickbot have developed different kinds of modules<a href=\"#lspdq5q1kewi\"><sup>6<\/sup><\/a> for capabilities such as:<\/p>\n<ul>\n<li>Stealing banking information,<\/li>\n<li>System\/network reconnaissance,<\/li>\n<li>Credential and user information harvesting,<\/li>\n<li>Network propagation, and<\/li>\n<li>Achieving persistence in a victim\u2019s environment.<\/li>\n<\/ul>\n<p>Trickbot is polymorphic, and as a result, the behavior and characteristics may differ between variants.<\/p>\n<h3>Analysis<\/h3>\n<p><strong>Initial Execution, Packer and Payload Injection<\/strong><\/p>\n<p>Sandbox analysis<sup>7<\/sup> shows that an Excel macro downloads the Trickbot payload, which masquerades as a PNG file from a malware distribution domain. Next, it executes the Trickbot payload via <em>rundll32.exe<\/em>. This executable already exists by default on Windows systems and is not dropped by the Excel document or the packer. The <em>rundll32.exe<\/em> process spawns a child process of itself that masquerades as a legitimate Windows tool but that injects the Trickbot payload into the 64-bit version of the Windows Error Reporting tool <em>wermgr.exe<\/em> via process hollowing.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-analysis.jpg\" alt=\"\" width=\"735\" height=\"662\" class=\"aligncenter size-full wp-image-6687\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-analysis.jpg 735w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-analysis-300x270.jpg 300w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 2: Trickbot process execution chain<\/em><\/p>\n<p>The Trickbot loader has an evasive packer that uses a variety of anti-analysis techniques to prevent researchers from debugging and diving into the 
packer itself. Since the focus of this paper is analyzing the behavior of the loader, we do not include an analysis of the packer; however, we did identify the following anti-analysis measures:<\/p>\n<ul>\n<li>Multi-stage unpacking process,<\/li>\n<li>Junk instructions,<\/li>\n<li>Control flow obfuscation,<\/li>\n<li>Section hashing to detect software breakpoints, and<\/li>\n<li>Encryption\/decryption of code chunks before and after function calls.<\/li>\n<\/ul>\n<h3>Obfuscation<\/h3>\n<p>Trickbot uses string encryption to hamper reverse engineering. The encrypted strings are embedded in an array, and each time one is decrypted, an offset is pushed as a parameter onto the stack to determine which string\/array element to decrypt. Figure 3 below provides an example of encrypted strings in a disassembler; we have placed the decrypted string next to each as a comment. The snippet in Figure 4 provides Python code for researchers to decrypt strings on their own.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-3.jpg\" alt=\"\" width=\"969\" height=\"403\" class=\"aligncenter size-full wp-image-6688\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-3.jpg 969w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-3-300x125.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-3-768x319.jpg 768w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 3: Array of encrypted strings<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-4.jpg\" alt=\"\" width=\"952\" height=\"351\" class=\"aligncenter size-full wp-image-6689\" 
srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-4.jpg 952w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-4-300x111.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-4-768x283.jpg 768w\" sizes=\"auto, (max-width: 952px) 100vw, 952px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-5.jpg\" alt=\"\" width=\"943\" height=\"602\" class=\"aligncenter size-full wp-image-6690\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-5.jpg 943w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-5-300x192.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-5-768x490.jpg 768w\" sizes=\"auto, (max-width: 943px) 100vw, 943px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 4: Python code snippet for string decryption<\/em><\/p>\n<h3>ID Generation<\/h3>\n<p>Prior to communicating with its C&#038;C, Trickbot generates different kinds of identifiers, some of which are used to give the attackers information about the victim\u2019s system when they are exfiltrated via the C&#038;C protocol. We also believe that some of them are used to distinguish between different infections and\/or campaigns. We confirmed several identifiers:<\/p>\n<ul style=\"list-style-type:none;\">\n<li>\n<h3>Client ID<\/h3>\n<p>           Trickbot uses the client ID to identify the victim. First, the malware retrieves the computer name via the Win32 API GetComputerNameW.<sup>8<\/sup> It then appends \u201cW_\u201d and the operating system (OS) version information retrieved via GetVersionExW. Finally, it appends a randomly generated string with a length of 32 bytes. 
Our analysis system generated the following client ID:<br \/>\n           <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-client-id.jpg\" alt=\"\" width=\"893\" height=\"73\" class=\"size-full wp-image-6692\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-client-id.jpg 893w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-client-id-300x25.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-client-id-768x63.jpg 768w\" sizes=\"auto, (max-width: 893px) 100vw, 893px\" \/>\n        <\/li>\n<li>\n<h3>Adapter ID<\/h3>\n<p>            The malware generates a SHA256 hash of the local computer\u2019s network adapters, which is retrieved via GetAdaptersInfo. Finally, it hexlifies the generated hash. On our analysis system, the malware generated the following SHA256 value:<br \/>\n            <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-adapter-id.jpg\" alt=\"\" width=\"889\" height=\"90\" class=\"size-full wp-image-6693\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-adapter-id.jpg 889w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-adapter-id-300x30.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-adapter-id-768x78.jpg 768w\" sizes=\"auto, (max-width: 889px) 100vw, 889px\" \/>\n        <\/li>\n<li>\n<h3>Hard-Coded ID<\/h3>\n<p>            Trickbot embeds a four-digit number into the binary as an encrypted string, which is used for C&#038;C communication. The number is not identical for each binary. When Trickbot sends out the C&#038;C request to register the victim in the botnet, it appends this ID to the HTTPS request. 
The purpose of the identifier is unclear, but it is possible that the C&#038;C server uses it to distinguish among different versions of the malware. Researchers sometimes refer to this as a Build ID.<sup>9<\/sup> On our analysis system, the malware embedded the following hard-coded ID in the binary:<br \/>\n            <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-coded-id.jpg\" alt=\"\" width=\"878\" height=\"72\" class=\"size-full wp-image-6694\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-coded-id.jpg 878w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-coded-id-300x25.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-coded-id-768x63.jpg 768w\" sizes=\"auto, (max-width: 878px) 100vw, 878px\" \/>\n        <\/li>\n<li>\n<h3>WinVersion ID<\/h3>\n<p>            Trickbot determines the victim\u2019s Windows version by calling GetVersionExW and GetNativeSystemInfo. The first retrieves a structure named OSVERSIONINFOA, which holds enough relevant information to determine the Windows System. GetNativeSystemInfo retrieves the system\u2019s architecture. 
For our analysis system, Trickbot detected the following environment:<br \/>\n            <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-winversion-id.jpg\" alt=\"\" width=\"873\" height=\"71\" class=\"size-full wp-image-6695\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-winversion-id.jpg 873w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-winversion-id-300x24.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-winversion-id-768x62.jpg 768w\" sizes=\"auto, (max-width: 873px) 100vw, 873px\" \/>\n        <\/li>\n<\/ul>\n<h3>Configuration<\/h3>\n<p>Trickbot embeds an encrypted configuration file in XML format, which is obfuscated by two encryption layers. In the first layer, the config buffer is decrypted with a 16 byte XOR key. In the second layer, the XOR\u2019ed config buffer is decrypted via AES Cipher Block Chaining Mode<sup>10<\/sup> with a custom initialization vector.<\/p>\n<p>The AES key is generated by taking the top 32 bytes of the XOR\u2019ed config buffer and copying it into a separate buffer. Next, the malware generates a SHA256 hash of the 32 bytes and appends it to the end of that same buffer. The malware continues to generate SHA256 hashes of the whole buffer and appends the new SHA256 128 times. The final generated hash is the AES Key. In Figure 5 below, we provide a graphical overview of the configuration decryption routine. 
In the bottom box of the diagram, \u201cIV\u201d is an abbreviation for the custom initialization vector used for decryption.<\/p>\n<p>Trickbot generates the initialization vector in the same way, except that rather than taking the top 32 bytes, it skips the first 16 bytes.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-configuration.jpg\" alt=\"\" width=\"708\" height=\"658\" class=\"aligncenter size-full wp-image-6697\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-configuration.jpg 708w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-configuration-300x279.jpg 300w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 5: Graphic explaining config decryption layers<\/em><\/p>\n<p>When we extracted the configuration from the Trickbot loader, one of the things we found was a list of IP addresses with tags. 
The table below provides the meaning of the tags from the config:<\/p>\n<table style=\"width:100%\">\n<tr style=\"background: #241F21;color: #fff;\">\n<th style=\"padding-top: 10px;border: 1px solid gray;\">Tag<\/th>\n<th style=\"padding-top: 10px;border: 1px solid gray;\">Description<\/th>\n<th style=\"padding-top: 10px;border: 1px solid gray;\">Notes<\/th>\n<\/tr>\n<tr>\n<td>ver<\/td>\n<td>Binary version<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>gtag<\/td>\n<td>Campaign marker<\/td>\n<td>Changes from binary to binary<\/td>\n<\/tr>\n<tr>\n<td>srv<\/td>\n<td>C&#038;C server IP address<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>srva<\/td>\n<td>Fake C&#038;C server IP address<\/td>\n<td>This is later transformed into a valid C&#038;C server<\/td>\n<\/tr>\n<tr>\n<td>autorun<\/td>\n<td>Value that determines which module to run by default<\/td>\n<td>In this sample, the pwgrabber module<\/td>\n<\/tr>\n<\/table>\n<p>IP addresses embedded with the srva tag do not point to a valid C&#038;C server; they are deliberately added to confuse security researchers. During config parsing, Trickbot uses an algorithm to transform these into valid IP addresses.<\/p>\n<h3>Signature Verification<\/h3>\n<p>Trickbot uses PCS30 signature verification to check whether embedded or received resources are valid. For decryption, Trickbot uses the same XOR process as it used for the first step of AES key generation. 
The algorithm used to validate signatures is ECDSA_P384.<sup>11<\/sup><\/p>\n<p>We have confirmed that the analysis sample verifies the configuration files and the modules sent by the C&#038;C server, but there could be additional fragments that it verifies as well.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-6.jpg\" alt=\"\" width=\"787\" height=\"396\" class=\"aligncenter size-full wp-image-6700\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-6.jpg 787w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-6-300x151.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-6-768x386.jpg 768w\" sizes=\"auto, (max-width: 787px) 100vw, 787px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 6: Hexdump of extracted ECC public key blob; used for signature verification<\/em><\/p>\n<h3>Persistence<\/h3>\n<p>The Trickbot loader will try to achieve persistence via task scheduling on the victim\u2019s system. The malware first creates a directory in the AppData\\Roaming folder. 
It will then drop an executable into this folder and set a scheduled task to run with the highest privileges possible on System Startup.<\/p>\n<p>Other reports state that the scheduled time differs between variants, just as there is variance in the tool that the malware masquerades as.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-7.jpg\" alt=\"\" width=\"887\" height=\"687\" class=\"aligncenter size-full wp-image-6701\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-7.jpg 887w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-7-300x232.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-7-768x595.jpg 768w\" sizes=\"auto, (max-width: 887px) 100vw, 887px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 7: Screenshot of Task Scheduler in Windows with task created by Trickbot<\/em><\/p>\n<h3>C&#038;C Communication<\/h3>\n<p>The Trickbot loader communicates with its C&#038;C server over HTTPS. The different C&#038;C instructions are distinguished by a specific command ID, which is always embedded in the HTTPS request\/response that the server and client exchange with each other.<\/p>\n<p>We distinguish client-based commands, which are C&#038;C requests sent from the victim machine to the server, from server-based commands, which are the instructions carried in the server\u2019s responses. Researchers from Fortinet<sup>12,13<\/sup> analyzed the Trickbot botnet, which assisted with our analysis of C&#038;C communication.<\/p>\n<ul style=\"list-style-type:none;\">\n<li>\n<h3>Client-Based<\/h3>\n<p>           Apart from command 63, which uses HTTPS POST to exfiltrate data, all C&#038;C requests from clients are GET requests. 
They are sent in the following form:<\/p>\n<p>           <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-client-based.jpg\" alt=\"\" width=\"772\" height=\"68\" class=\"size-full wp-image-6703\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-client-based.jpg 772w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-client-based-300x26.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-client-based-768x68.jpg 768w\" sizes=\"auto, (max-width: 772px) 100vw, 772px\" \/><\/p>\n<p>           The gtag is an XML value in the config, and the client ID was previously generated by the binary from the operating system information and the username, as well as a randomly generated string. We were able to extract the following commands:<\/p>\n<table style=\"width:100%\">\n<tr style=\"background: #241F21;color: #fff;\">\n<th style=\"padding-top: 10px;border: 1px solid gray;\">Command ID<\/th>\n<th style=\"padding-top: 10px;border: 1px solid gray;\">Command<\/th>\n<th style=\"padding-top: 10px;border: 1px solid gray;\">Notes<\/th>\n<\/tr>\n<tr>\n<td>0<\/td>\n<td>Register bot<\/td>\n<td>Register bot in botnet<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Keep alive<\/td>\n<td>Stay idle, keep connection<\/td>\n<\/tr>\n<tr>\n<td>5<\/td>\n<td>Download module<\/td>\n<td>Request module from C&#038;C server<\/td>\n<\/tr>\n<tr>\n<td>10<\/td>\n<td>Log module\/command execution<\/td>\n<td>Also used for OS setting exfiltration<\/td>\n<\/tr>\n<tr>\n<td>14<\/td>\n<td>Log module execution result<\/td>\n<td>Sends logging messages<\/td>\n<\/tr>\n<tr>\n<td>23<\/td>\n<td>Update base config<\/td>\n<td>Update configuration<\/td>\n<\/tr>\n<tr>\n<td>25<\/td>\n<td>Update bot<\/td>\n<td>Update bot to newer version<\/td>\n<\/tr>\n<tr>\n<td>63<\/td>\n<td>Report captured traffic of InjectDll module<\/td>\n<td>InjectDll module is also used 
to steal banking information<\/td>\n<\/tr>\n<tr>\n<td>64<\/td>\n<td>Probably exfiltration<\/td>\n<td>Includes indications that this command is used for exfiltration; capability to add boundaries<sup>14<\/sup> to the HTTP header (boundaries are often used when downloading or uploading files over HTTP\/HTTPS)<\/td>\n<\/tr>\n<\/table>\n<\/li>\n<li>\n<h3>Server-Based<\/h3>\n<p>           Responses received from the C&#038;C server are sent in the following format:<\/p>\n<p>           <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-server-based.jpg\" alt=\"\" width=\"771\" height=\"69\" class=\"size-full wp-image-6704\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-server-based.jpg 771w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-server-based-300x27.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-server-based-768x69.jpg 768w\" sizes=\"auto, (max-width: 771px) 100vw, 771px\" \/><\/p>\n<p>           We were able to identify the following instructions:<\/p>\n<table style=\"width:100%\">\n<tr style=\"background: #241F21;color: #fff;\">\n<th style=\"padding-top: 10px;border: 1px solid gray;\">Command ID<\/th>\n<th style=\"padding-top: 10px;border: 1px solid gray;\">Command<\/th>\n<th style=\"padding-top: 10px;border: 1px solid gray;\">Notes<\/th>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Keep alive<\/td>\n<td>Stay idle and keep communication with client<\/td>\n<\/tr>\n<tr>\n<td>42<\/td>\n<td>Download and execute module<\/td>\n<td>Download a module and execute it<\/td>\n<\/tr>\n<tr>\n<td>43<\/td>\n<td>Related to RDP<\/td>\n<td>This command uses WINAPI calls related to Remote Desktop Protocol<\/td>\n<\/tr>\n<tr>\n<td>50<\/td>\n<td>Execute command<\/td>\n<td>Execute a single command delivered in the C&#038;C response<\/td>\n<\/tr>\n<tr>\n<td>62<\/td>\n<td>Download 
and inject module<\/td>\n<td>Download a specific module and inject it into a process<\/td>\n<\/tr>\n<tr>\n<td>99<\/td>\n<td>Update bot<\/td>\n<td>Update bot with newer version<\/td>\n<\/tr>\n<\/table>\n<\/li>\n<\/ul>\n<h3>Attack Chain Narrative<\/h3>\n<p>Trickbot is a very modular trojan and will therefore try to download specific modules depending on its configuration and the instructions issued by the actor.<\/p>\n<p>First, it tries to contact its C&#038;C server and issue a C&#038;C request with command ID 5, to download a module. We believe this command is intended to download the pwgrabber<sup>15<\/sup> module, which is included in the AutoRun config tag, and is used to steal different kinds of passwords from an infected system. However, during our analysis, we were not able to fetch the payload because the C&#038;C server was already offline. The user-agent is hardcoded into the binary and decrypted via the string decryption algorithm we provided earlier in Figure 4 of the Obfuscation section.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-8.jpg\" alt=\"\" width=\"823\" height=\"131\" class=\"aligncenter size-full wp-image-6706\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-8.jpg 823w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-8-300x48.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-8-768x122.jpg 768w\" sizes=\"auto, (max-width: 823px) 100vw, 823px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 8: Initial HTTPS GET request to download an additional module<\/em><\/p>\n<p>Next, the Trickbot loader fetches the victim\u2019s external IP address using one of multiple legitimate domains that offer this service. 
The following figure is an example of an HTTPS request to identify the IP address.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-9.jpg\" alt=\"\" width=\"820\" height=\"161\" class=\"aligncenter size-full wp-image-6707\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-9.jpg 820w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-9-300x59.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-9-768x151.jpg 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 9: Identifying external IP via externalip[.]com<\/em><\/p>\n<p>Trickbot also checks whether the client is behind NAT and informs the C&#038;C server:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-10.jpg\" alt=\"\" width=\"814\" height=\"183\" class=\"aligncenter size-full wp-image-6708\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-10.jpg 814w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-10-300x67.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-10-768x173.jpg 768w\" sizes=\"auto, (max-width: 814px) 100vw, 814px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 10: Informing C&#038;C server whether client is behind NAT<\/em><\/p>\n<p>Afterward, it attempts to register the bot via command 0 and tries to exfiltrate the following information:<\/p>\n<ul>\n<li>Windows version of victim\u2019s system,<\/li>\n<li>SHA256 value of adapter info, and<\/li>\n<li>External IP address.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-11.jpg\" alt=\"\" width=\"814\" height=\"230\" class=\"aligncenter size-full wp-image-6709\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-11.jpg 814w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-11-300x85.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-11-768x217.jpg 768w\" sizes=\"auto, (max-width: 814px) 100vw, 814px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 11: Exfiltrating OS network settings and registering the botnet<\/em><\/p>\n<p>The complete registration command follows this pattern:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-attack-chain.jpg\" alt=\"\" width=\"801\" height=\"115\" class=\"aligncenter size-full wp-image-6710\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-attack-chain.jpg 801w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-attack-chain-300x43.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-attack-chain-768x110.jpg 768w\" sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/p>\n<p>After registration, Trickbot sends out logging messages to its respective C&#038;C server via command ID 14. The following two GET requests show that the binary tries to exfiltrate information about the execution environment. 
This includes the user executing the file and the path of files related to Trickbot.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-12.jpg\" alt=\"\" width=\"807\" height=\"307\" class=\"aligncenter size-full wp-image-6711\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-12.jpg 807w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-12-300x114.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-12-768x292.jpg 768w\" sizes=\"auto, (max-width: 807px) 100vw, 807px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 12: Sending out logging messages to inform on module execution<\/em><\/p>\n<p>Since we are hijacking Trickbot\u2019s behavior, the file it tries to execute does not exist on the analysis system. As a result, it sends two other C&#038;C requests informing the server that the execution failed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-111-figure-13.jpg\" alt=\"\" width=\"808\" height=\"258\" class=\"aligncenter size-full wp-image-6712\" srcset=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-13.jpg 808w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-13-300x96.jpg 300w, https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/threat-intelligence-111-figure-13-768x245.jpg 768w\" sizes=\"auto, (max-width: 808px) 100vw, 808px\" \/><\/p>\n<p style=\"text-align:center\"><em>Figure 13: Sending out logging messages to inform on module execution<\/em><\/p>\n<p>It first sends out a C&#038;C request with command ID 10 and the digit 62 appended immediately afterward. 
This informs the C&#038;C server that the next request will contain logging messages regarding the process for downloading and injecting a module.<\/p>\n<h3>Conclusion, Recommendations and Mitigation<\/h3>\n<p>This report provides security departments with a detailed analysis of Trickbot to proactively prepare against this type of threat. The insights into Trickbot\u2019s algorithms and configuration are intended to aid researchers in their analysis, and providing the C&#038;C protocol capabilities and persistence mechanism is intended to assist in detecting already existing Trickbot infections.<\/p>\n<p>In October 2020, a joint operation of law enforcement and tech companies attempted to take down the Trickbot botnet. The actor(s) behind Trickbot returned two months later in a campaign with newly developed modules, demonstrating they are able to recover quickly following a compromise of their infrastructure.<\/p>\n<p>We expect that Trickbot will continue to grow and evolve. In order to prevent, detect and mitigate threats regarding Trickbot, we recommend the following:<\/p>\n<ul>\n<li>Use properly updated endpoint protection systems. Trickbot is well known and security teams should stay up-to-date with the author\u2019s changes.<\/li>\n<li>Install a network security solution. BloxOne Threat Defense can prevent malware from contacting its C&#038;C for exfiltration.<\/li>\n<li>Implement malspam protection. Distribution via malspam attachments is a common attack vector for Trickbot. Always treat email attachments with caution. 
If unsure, contact your company\u2019s security team.<\/li>\n<li>The National Cyber Security Centre of the UK have collected a number of tips on how to deal with Trickbot: <a href=\"https:\/\/www.ncsc.gov.uk\/news\/trickbot-advisory\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.ncsc.gov.uk\/news\/trickbot-advisory<\/a><\/li>\n<\/ul>\n<h3><strong>Endnotes<\/strong><\/h3>\n<ol>\n<li><a href=\"https:\/\/www.csoonline.com\/article\/3605073\/trickbot-returns-with-campaign-against-legal-and-insurance-firms.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.csoonline.com\/article\/3605073\/trickbot-returns-with-campaign-against-legal-and-insurance-firms.html<\/a><\/li>\n<li><a href=\"https:\/\/www.schneier.com\/blog\/archives\/2020\/10\/us-cyber-command-and-microsoft-are-both-disrupting-trickbot.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.schneier.com\/blog\/archives\/2020\/10\/us-cyber-command-and-microsoft-are-both-disrupting-trickbot.html<\/a><\/li>\n<li><a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.trickbot\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.trickbot<\/a><\/li>\n<li><a href=\"https:\/\/threatpost.com\/lazarus-collaborates-trickbots-anchor-project\/151000\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/threatpost.com\/lazarus-collaborates-trickbots-anchor-project\/151000\/<\/a><\/li>\n<li><a href=\"https:\/\/www.heise.de\/security\/meldung\/Emotet-IT-Totalschaden-beim-Kammergericht-Berlin-4646568.html\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.heise.de\/security\/meldung\/Emotet-IT-Totalschaden-beim-Kammergericht-Berlin-4646568.html<\/a><\/li>\n<li><a href=\"https:\/\/blog.cyberint.com\/trickbot-malware-as-a-service\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/blog.cyberint.com\/trickbot-malware-as-a-service<\/a><\/li>\n<li><a 
href=\"https:\/\/app.any.run\/tasks\/03271d7b-a601-4bfb-9ee2-0e2c4e94a10b\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/app.any.run\/tasks\/03271d7b-a601-4bfb-9ee2-0e2c4e94a10b\/<\/a><\/li>\n<li>The computer name embedded in the client ID is a fake one: we do not want to give the malware authors a way to harden Trickbot against our analysis machines.<\/li>\n<li><a href=\"https:\/\/fortinetweb.s3.amazonaws.com\/fortiguard\/research\/Trickbot%2C%20The%20Trick%20is%20On%20You%21%20presented.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/fortinetweb.s3.amazonaws.com\/fortiguard\/research\/Trickbot%2C%20The%20Trick%20is%20On%20You%21%20presented.pdf<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Block_cipher_mode_of_operation#Cipher_Block_Chaining_(CBC)\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/en.wikipedia.org\/wiki\/Block_cipher_mode_of_operation#Cipher_Block_Chaining_(CBC)<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/P-384\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/en.wikipedia.org\/wiki\/P-384<\/a><\/li>\n<li><a href=\"https:\/\/fortinetweb.s3.amazonaws.com\/fortiguard\/research\/Trickbot%2C%20The%20Trick%20is%20On%20You%21%20presented.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/fortinetweb.s3.amazonaws.com\/fortiguard\/research\/Trickbot%2C%20The%20Trick%20is%20On%20You%21%20presented.pdf<\/a><\/li>\n<li><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/deep-analysis-of-the-online-banking-botnet-trickbot\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.fortinet.com\/blog\/threat-research\/deep-analysis-of-the-online-banking-botnet-trickbot<\/a><\/li>\n<li><a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Content-Type\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Content-Type<\/a><\/li>\n<li><a 
href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/deep-analysis-of-trickbot-new-module-pwgrab\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.fortinet.com\/blog\/threat-research\/deep-analysis-of-trickbot-new-module-pwgrab<\/a><\/li>\n<\/ol>\n","protected":false},"author":397,"categories":[555],"tags":[457,458,294,295]}