Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент TrickBot
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
TrickBot
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

TrickBot

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: CrowdStrike Wizard Spider October 2020)
ID: S0266
Associated Software: Totbrick TSPY_TRICKLOAD
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 17 Oct 2018
Last Modified: 01 Oct 2021

Associated Software Descriptions
Name Description
Totbrick (Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017)
TSPY_TRICKLOAD (Citation: Trend Micro Totbrick Oct 2016)

Techniques Used
Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

TrickBot collects the users of the system.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)
.003 Account Discovery: Email Account

TrickBot collects email addresses from Outlook.(Citation: Trend Micro Trickbot Nov 2018)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.(Citation: S2 Grupo TrickBot June 2017)(Citation: Cyberreason Anchor December 2019)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TrickBot establishes persistence in the Startup folder.(Citation: ESET Trickbot Oct 2020)
Enterprise T1110 .004 Brute Force: Credential Stuffing

TrickBot uses brute-force attack against RDP with rdpscanDll module.(Citation: ESET Trickbot Oct 2020)(Citation: Bitdefender Trickbot March 2020)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers. (Citation: Bitdefender Trickbot VNC module Whitepaper 2021)
.003 Command and Scripting Interpreter: Windows Command Shell

TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.(Citation: TrendMicro Trickbot Feb 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.(Citation: Trend Micro Trickbot Nov 2018)
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.(Citation: Trend Micro Trickbot Nov 2018)(Citation: Cyberreason Anchor December 2019)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)
.005 Credentials from Password Stores: Password Managers

TrickBot can steal passwords from the KeePass open source password manager.(Citation: Cyberreason Anchor December 2019)

Enterprise T1132 .001 Data Encoding: Standard Encoding

TrickBot can Base64-encode C2 commands.(Citation: Cyberreason Anchor December 2019)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.(Citation: Fidelis TrickBot Oct 2016)Newer versions of TrickBot have been known to use `bcrypt` to encrypt and digitally sign responses to their C2 server. (Citation: Bitdefender Trickbot C2 infra Nov 2020)
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TrickBot can disable Windows Defender.(Citation: Trend Micro Trickbot Nov 2018)
Enterprise T1056 .004 Input Capture: Credential API Hooking

TrickBot has the ability to capture RDP credentials by capturing the CredEnumerateA API(Citation: TrendMicro Trickbot Feb 2019)

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

TrickBot used COM to setup scheduled task for persistence.(Citation: ESET Trickbot Oct 2020)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

TrickBot leverages a custom packer to obfuscate its functionality.(Citation: S2 Grupo TrickBot June 2017)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware(Citation: TrendMicro Trickbot Feb 2019)
.002 Phishing: Spearphishing Link

TrickBot has been delivered via malicious links in phishing e-mails.(Citation: Cyberreason Anchor December 2019)

Enterprise T1542 .003 Pre-OS Boot: Bootkit

TrickBot can implant malicious code into a compromised device's firmware.(Citation: Eclypsium Trickboot December 2020)
Enterprise T1055 .012 Process Injection: Process Hollowing

TrickBot injects into the svchost.exe process.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Totbrick Oct 2016)(Citation: Microsoft Totbrick Oct 2017)(Citation: Cyberreason Anchor December 2019)
Enterprise T1090 .002 Proxy: External Proxy

TrickBot has been known to reach a command and control server via one of nine proxy IP addresses. (Citation: Bitdefender Trickbot C2 infra Nov 2020) (Citation: Bitdefender Trickbot VNC module Whitepaper 2021)
Enterprise T1021 .005 Remote Services: VNC

TrickBot has used a VNC module to monitor the victim and collect information to pivot to valuable systems on the network (Citation: Trickbot VNC module July 2021)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TrickBot creates a scheduled task on the system that provides persistence.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Totbrick Oct 2016)(Citation: Microsoft Totbrick Oct 2017)
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

TrickBot has come with a signed downloader component.(Citation: Cyberreason Anchor December 2019)
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP.(Citation: Trend Micro Trickbot Nov 2018)(Citation: Cyberreason Anchor December 2019) Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials.(Citation: TrendMicro Trickbot Feb 2019)
.002 Unsecured Credentials: Credentials in Registry

TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key (Citation: TrendMicro Trickbot Feb 2019)

Enterprise T1204 .002 User Execution: Malicious File

TrickBot has attempted to get users to launch malicious documents to deliver its payload. (Citation: TrendMicro Trickbot Feb 2019)(Citation: Cyberreason Anchor December 2019)
Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

TrickBot has used printf and file I/O loops to delay process execution as part of API hammering.(Citation: Joe Sec Trickbot)

Groups That Use This Software
ID Name References
G0102 Wizard Spider

(Citation: CrowdStrike Grim Spider May 2019) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: Sophos New Ryuk Attack October 2020) (Citation: CrowdStrike Wizard Spider October 2020)

G0092 TA505

(Citation: Proofpoint TA505 Sep 2017) (Citation: IBM TA505 April 2020)

References

  1. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  2. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  3. Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018.
  4. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  5. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  6. Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
  7. Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
  8. Ionut Illascu. (2021, July 14). Trickbot updates its VNC module for high-value targets. Retrieved September 10, 2021.
  9. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  10. Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021.
  11. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  12. Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.
  13. Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.
  14. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  15. Tudorica, R., Maximciuc, A., Vatamanu, C. (2020, March 18). New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong. Retrieved March 15, 2021.
  16. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  17. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  18. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  19. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  20. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  21. Liviu Arsene, Radu Tudorica. (2020, November 23). TrickBot is Dead. Long Live TrickBot!. Retrieved September 28, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.