TrickBot is malware that started life as a relatively straightforward banking trojan. However, as with most malware, it has evolved over the years and can now be used to perpetrate various types of attacks. Because of its modular, adaptive nature, this well-known threat might be with us for some time still. Understanding what TrickBot is and which attack vectors it is likely to use is key to learning how to protect your organization against it.
What is TrickBot? How Does it Work?
As mentioned, TrickBot is no longer just one type of malware. As a trojan, it was relatively effective at posing as legitimate software that would then steal sensitive banking information and act as a dropper for additional malware.
TrickBot’s initial delivery typically comes from malspam campaigns that convince recipients to download additional malware (either via a download link or attachment). Subsequently, it abuses the Server Message Block (SMB) Protocol to spread laterally throughout a network.
Adversaries trick users with typical email spoofing and phishing techniques built on social engineering. Infected attachments usually come in commonly used formats, such as Microsoft Word documents.
It mainly operates as a man-in-the-browser (MiTB) agent to steal a victim’s online banking login credentials, credit card details, or any other information it can get. The malware’s modular design means that the adversaries can continuously alter and extend it to refine its capabilities to deceive existing countermeasures. Since 2019, it has been increasingly detected working as a primer for eventual Ryuk ransomware infections.
In 2020, Microsoft’s Digital Crimes Unit, together with U.S. authorities, launched a massive coordinated operation to analyze and disrupt the TrickBot botnet. Although multiple servers were shut down and Microsoft claims to have eliminated 94% of TrickBot’s critical operational infrastructure, there is no reason to believe this botnet will not adapt once again and continue to threaten the security of individuals and organizations alike.
How to Protect Against TrickBot and Mitigate Harm?
As TrickBot still relies heavily on old-school social engineering and phishing techniques, the obvious way to proactively prevent infections is training and awareness. Unless sophisticated DNS spoofing or IP hijacking is used, email recipients should always ignore emails with tell-tale signs such as mismatched domain names, unexpected foreign languages, and suspicious outbound links.
Phish Scale is one example of a business-focused phishing education and prevention paradigm that is effective at teaching these skills. Drafting and distributing an official policy that outlines how to handle and report suspicious mail is non-negotiable.
You can use email authentication protocols to verify more accurately that domains and email addresses are what they claim to be. To ensure messages come from legitimate and approved sources, consider implementing the following:
- Sender Policy Framework (SPF)
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
- DomainKeys Identified Mail (DKIM)
- Sender ID (SID)
At the very least, an email gateway that detects known malspam indicators should be in place. This includes suspicious domains, subject lines, and content.
For some organizations, implementing strict spam filtering is difficult because external communications might be an integral part of their operations. However, you should also consider the following precautions:
- Only allow mail from whitelisted domains
- Block email from domains registered within the last 30 days
At the very least, you should flag incoming mail from external sources as potentially dangerous, perhaps with some threat-level distinctions.
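The gateway policy described above (SPF/DKIM/DMARC verdicts, allowlisted sender domains, blocking newly registered domains, and flagging all external mail by threat level) as one triage function. This is an added example, not code from the original article; the domains, registration dates and the sample lure message are constructed, and REGISTRATION_DATES stands in for a WHOIS/RDAP lookup that a real gateway would perform.

```python
import re
from datetime import date
from email import message_from_string, policy, utils

# Constructed policy data (assumptions, not from the article): the organisation's own
# domain, its allowlisted partner domains, and a stand-in for a domain-age lookup.
INTERNAL_DOMAIN = "corp.example"
ALLOWED_DOMAINS = {"corp.example", "partner.example"}
REGISTRATION_DATES = {
    "corp.example": date(2010, 1, 1),
    "partner.example": date(2015, 3, 1),
    "invoice-update.example": date(2020, 10, 1),  # freshly registered lure domain
}
MIN_DOMAIN_AGE_DAYS = 30
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample message: a malspam lure sent 12 days after its domain was registered.
SAMPLE_LURE = """From: "Accounts" <billing@invoice-update.example>
To: user@corp.example
Subject: Overdue invoice attached
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=invoice-update.example; dkim=none; dmarc=none

Please open the attached document.
"""

def parse_auth_results(header):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header or "")}

def triage(raw_message, today):
    """Classify one inbound message as (level, reasons); levels: internal < low < medium < high < block."""
    msg = message_from_string(raw_message, policy=policy.default)
    domain = utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    if domain == INTERNAL_DOMAIN and auth.get("dmarc") == "pass":
        return "internal", []
    level, reasons = "low", []  # every external message is at least flagged
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        level, reasons = "medium", ["registration date unknown"]
    elif (today - registered).days <= MIN_DOMAIN_AGE_DAYS:
        return "block", [f"domain registered {(today - registered).days} days ago"]
    if auth.get("dmarc") == "fail":  # the sender's own published policy says to reject
        return "block", reasons + ["DMARC failed"]
    if domain not in ALLOWED_DOMAINS:
        level, reasons = "high", reasons + ["domain not allowlisted"]
    if auth.get("spf") != "pass" or auth.get("dkim") != "pass":
        level, reasons = "high", reasons + ["SPF/DKIM did not both pass"]
    return level, reasons
```

The same lure evaluated after its domain has aged past 30 days is no longer blocked outright but still lands at "high" because the domain is not allowlisted and DKIM did not pass, which is why the domain-age rule and the allowlist complement each other.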
What if an Attack has Already Taken Place?
Quick, efficient incident response (IR) is often the difference between emerging relatively unscathed and a multi-million dollar disaster. Most containment efforts in response to a TrickBot intrusion should aim at stopping the exfiltration of information and the lateral spread of the malware. That said, here are mitigating steps you can take if you suspect a TrickBot incident has occurred:
- Disable internet access at the affected endpoint, site, or server.
- Isolate, quarantine, and shut down the affected system from other internal network endpoints.
- Closely monitor or block SMB communication between machines.
- Take remedial actions, including launching clean VLANs, resetting passwords network-wide, and applying host-based isolation and intrusion protection.
Importantly, don’t log in to infected systems using domain or shared local administrator accounts, as TrickBot excels at stealing access credentials.