Trojan.TrickBot

Short bio

Trojan.TrickBot is Malwarebytes’ detection name for a banking Trojan targeting Windows machines. Trojan.TrickBot is designed to steal credentials from the customers of many large banks and comes in modules accompanied by a configuration file. Each module has a specific task like gaining persistence, propagation, stealing credentials, encryption, and so on. The C&Cs are set up on hacked wireless routers.

Symptoms

Trojan.TrickBot gains persistence by creating a Scheduled Task.

(Screenshot: TrickBot scheduled task)
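The scheduled-task persistence described above can be triaged from PowerShell. The following is an added example, not code from the Malwarebytes page: it enumerates every scheduled task whose action launches something from a user-profile AppData directory, which is where TrickBot parks its modules. The AppData heuristic and the output fields are this example's own choices; legitimate software (browser updaters, for instance) also schedules tasks from AppData, so hits need to be reviewed rather than deleted blindly.

```powershell
# Added example (not from the Malwarebytes page): list scheduled tasks whose
# action runs something from an AppData directory. TrickBot persists via a
# scheduled task and keeps its modules under %APPDATA%, so a task pointing
# into AppData deserves a closer look. Treat hits as leads, not verdicts.
function Get-AppDataScheduledTasks {
    [CmdletBinding()]
    param()

    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only 'Exec' actions carry an executable; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            $cmdLine = $action.Execute + ' ' + $action.Arguments
            # Match the expanded form (...\AppData\...) as well as unexpanded variables.
            if ($cmdLine -match '(?i)\\AppData\\|%APPDATA%|%LOCALAPPDATA%') {
                $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
                [PSCustomObject]@{
                    TaskName    = $task.TaskName
                    TaskPath    = $task.TaskPath
                    State       = $task.State
                    Author      = $task.Author
                    Execute     = $action.Execute
                    Arguments   = $action.Arguments
                    LastRunTime = $info.LastRunTime
                    NextRunTime = $info.NextRunTime
                }
            }
        }
    }
}

# Usage: show the hits, most recently run first.
Get-AppDataScheduledTasks | Sort-Object LastRunTime -Descending | Format-Table -AutoSize
```

Run it on the suspect endpoint before and after remediation: a task that survives cleanup, or reappears after the machine rejoins the network, is the re-infection pattern described under Aftermath.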

Type and source of infection

Trojan.TrickBot focuses on stealing banking information.
Trojan.TrickBot uses several propagation methods, including exploit kits, email with infected attachments or embedded URLs, and the Microsoft Windows vulnerability EternalBlue. Trojan.TrickBot is also seen as a secondary infection delivered by Trojan.Emotet.

Aftermath

Due to the way Emotet uses the EternalBlue vulnerability to spread through a company’s network, any infected machine on the network will re-infect machines that have been previously cleaned when they rejoin the network. Therefore, IT teams need to isolate, patch, and remediate each infected system one by one. This can be a long and painstaking process.

Protection

Malwarebytes protects users from Trojan.TrickBot by using real-time protection.

(Screenshot: Malwarebytes blocks Trojan.TrickBot)

Business remediation

Malwarebytes can detect and remove Trojan.TrickBot on business endpoints without further user interaction. But to be effective on networked machines, you must first follow these steps:

  1. Identify the infected machine(s).
  2. Disconnect the infected machines from the network.
  3. Patch for EternalBlue.
  4. Disable Administrative Shares.
  5. Remove the Emotet Trojan.
  6. Change account credentials.

Identifying the infected machines

If you have unprotected endpoints, you can run Farbar Recovery Scan Tool (FRST) to look for possible Indicators of Compromise (IOCs). Besides confirming an infection, FRST can also be used to verify removal before bringing an endpoint back onto the network.

Disabling Administrative Shares

Windows servers by default create hidden shares specifically for administrative access from other machines. Emotet uses the Admin$ shares once it has brute-forced the local administrator password. A file server also has an IPC$ share that Emotet queries to get a list of all endpoints that connect to it. These Admin$ and IPC$ shares are normally protected via UAC; however, Windows allows the local administrator through with no prompt.

The most recent Emotet variants use C$ with the Admin credentials to move around and re-infect all the other endpoints.

Repeated re-infections are an indication that the worm was able to guess or brute-force the administrator password. Please change all local and domain administrator passwords.

It is recommended to disable these Admin$ shares via the registry, as discussed here. If you do not see this registry key, it can be added manually and set so that the shares are disabled.
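The registry change for the administrative shares can be scripted. The following is an added example, not code from the Malwarebytes page or its linked article: the page does not name the key, so this example uses the well-known `AutoShareWks` (workstations) and `AutoShareServer` (servers) DWORD values under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`, creating them when they are absent, as the page says may be necessary. The function name, the `-RestartServerService` switch and the verification output are this example's own design.

```powershell
# Added example (not from the Malwarebytes page): turn off the automatic
# administrative shares (ADMIN$ and the drive-letter shares such as C$) by
# setting AutoShareWks and AutoShareServer to 0, creating the values if the
# key or values are missing. IPC$ is not controlled by these values and stays.
# Run from an elevated session; the Server service must restart to apply it.
function Disable-AdminShares {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$RestartServerService
    )

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq 0) {
            Write-Verbose "$name is already 0"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD to 0')) {
            # -Force both creates a missing value and overwrites an existing one.
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }

    if ($RestartServerService -and $PSCmdlet.ShouldProcess('LanmanServer', 'Restart service')) {
        # Restarting Server drops active SMB sessions; do this in a maintenance window.
        Restart-Service -Name LanmanServer -Force
    }

    # Report the registry state and which administrative shares are still published.
    [PSCustomObject]@{
        AutoShareWks    = (Get-ItemProperty -Path $key -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
        AutoShareServer = (Get-ItemProperty -Path $key -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
        AdminSharesNow  = (Get-SmbShare -Special -ErrorAction SilentlyContinue |
                           Where-Object Name -match '^(ADMIN|[A-Z])\$$').Name -join ', '
    }
}

# Preview the changes without applying them, then apply with a service restart.
Disable-AdminShares -WhatIf
Disable-AdminShares -RestartServerService -Verbose
```

`AdminSharesNow` should be empty after the Server service restarts; if ADMIN$ or C$ is still listed, the value was not applied or a policy is re-creating the shares.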

To remove the Emotet Trojan using Malwarebytes business products, follow the instructions below.

How to remove Trojan.TrickBot with Malwarebytes Endpoint Protection

  1. Go to the Malwarebytes Cloud console.
  2. To allow you to invoke a scan while the machine is off the network, go to Settings > Policies > your policy > General.
  3. Under Endpoint Interface Options, turn ON:
    1. Show Malwarebytes icon in notification area
    2. Allow users to run a Threat Scan (all threats will be quarantined automatically)
  4. Temporarily enable Anti-Rootkit scanning for all invoked threat scans.
    Go to Settings > Policies > your policy > Endpoint Protection > Scan Options
  5. Set Scan Rootkits to ON.
    (Screenshot: MBEP prepare scan)
  6. Once the endpoint has been updated with the latest policy changes:
    1. Take the client off the network
    2. From the system tray icon, run an Anti-Rootkit threat scan.
      (Screenshot: MBEP start scan)

If you have infected machines that are not registered endpoints in Malwarebytes Endpoint Protection, you can remove Emotet with our Breach Remediation tool (MBBR).

For detailed instructions on how to remediate this infection using MBBR or Malwarebytes Endpoint Security (MBES), please have a look at our support document on how to protect your network from Emotet Trojan.

Home remediation

Malwarebytes can detect and remove Trojan.TrickBot without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Traces/IOCs

Trojan.TrickBot typically creates a folder under %APPDATA%\Roaming to park its modules:

Examples:

%APPDATA%\Roaming\winapp\Modules

%APPDATA%\Roaming\TeamViewer\Modules
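The module folders listed above can be checked across every local user profile and their contents hashed for triage. The following is an added example, not code from the Malwarebytes page; the function name and output fields are its own. One caveat it handles: `%APPDATA%` already expands to `...\AppData\Roaming`, so the page's `%APPDATA%\Roaming\...` spelling would resolve to a doubled `Roaming\Roaming`; the example checks both the literal spelling and the intended path.

```powershell
# Added example (not from the Malwarebytes page): look for the TrickBot module
# folders the page lists as traces, in every user profile on the machine, and
# record size, timestamp and SHA-256 of each file found for the incident record.
# A legitimate application can own a same-named folder, so validate hits.
function Get-TrickBotModuleTraces {
    [CmdletBinding()]
    param(
        # Folders relative to the profile's Roaming directory, taken from the page.
        [string[]]$RelativePaths = @('winapp\Modules', 'TeamViewer\Modules')
    )

    # TrickBot runs as whichever user it infected, so check all profiles.
    $profiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
    foreach ($profile in $profiles) {
        $roaming = Join-Path $profile.FullName 'AppData\Roaming'
        foreach ($rel in $RelativePaths) {
            # Intended path, plus the doubled "Roaming\Roaming" reading of the page's spelling.
            $candidates = @((Join-Path $roaming $rel), (Join-Path $roaming "Roaming\$rel"))
            foreach ($candidate in $candidates) {
                if (-not (Test-Path -LiteralPath $candidate -PathType Container)) { continue }
                $files = @(Get-ChildItem -LiteralPath $candidate -File -Recurse -Force -ErrorAction SilentlyContinue)
                foreach ($f in $files) {
                    [PSCustomObject]@{
                        Profile       = $profile.Name
                        Folder        = $candidate
                        File          = $f.Name
                        SizeBytes     = $f.Length
                        LastWriteUtc  = $f.LastWriteTimeUtc
                        SHA256        = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                    }
                }
                if ($files.Count -eq 0) {
                    # An empty module folder is still a trace worth recording.
                    [PSCustomObject]@{
                        Profile = $profile.Name; Folder = $candidate; File = $null
                        SizeBytes = $null; LastWriteUtc = $null; SHA256 = $null
                    }
                }
            }
        }
    }
}

$traces = Get-TrickBotModuleTraces
if ($traces) { $traces | Format-Table -AutoSize } else { 'No TrickBot module folders found.' }
```

Export the result with `Export-Csv` before removal so the hashes can be matched against other endpoints; rerun it after cleanup, as the page advises with FRST, to confirm the folders have not returned.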
