If you follow cybersecurity news at all, you’ve probably heard of Trickbot. But what is it? Is it malware? Is it spyware? A botnet? A trojan? A hacker group? Trickbot represents all of the above and is one of the most prolific and dangerous malware toolkits in the world due to its role in high stakes ransomware attacks. Trickbot was first spotted in the wild in 2016 as a banking trojan designed to steal banking credentials. Trickbot quickly evolved to become a multipurpose, modular malware available to cybercriminals as a powerful malware-as-a-service offering. Trickbot offers an expansive suite of tools to conduct a myriad of illegal cyber activities. Trickbot is particularly useful for attackers because it provides an effective tool for every stage of the cyber kill chain.

Wizard Spider, a Russian hacker group allegedly runs Trickbot and also built a massive botnet. The Trickbot botnet is believed to have over a million zombie computers operating out of Eastern Europe, including Russia, Ukraine, and Belarus. This Trickbot infrastructure of botnet and malware enables cybercriminals worldwide to engage in credential theft, data exfiltration, and ransomware attacks. Since 2018, Trickbot has been discovered in both large and small organizations across the globe, but primary targets are high value corporations and industries in the United States, Canada, Europe, and Australia.

As with most malware, Trickbot is often deployed with a phishing email crafted to trick users into opening a malicious file attachment or click a link to a compromised website. Trickbot can also be deployed via insecure SMB or RDP protocols or as a secondary payload from another malware such as Emotet. Once Trickbot is launched in an endpoint, the possibilities are endless. Attackers often use Trickbot to install popular reconnaissance tools such as Empire and Cobalt Strike. These tools are typically used in combination to gather information about the network, including users, groups, email addresses, passwords, password hashes, local files and file extensions, OS versions, IP addresses, and other relevant information. After enumerating computers and network devices, Trickbot can steal login credentials, move laterally, establish scheduled tasks for persistence, communicate with command and control servers, modify registry keys, exfiltrate data, drop Ryuk ransomware, and other payloads. And that’s just the tip of the iceberg. Trickbot can also disable Windows Defender, detect and evade antivirus sandboxes, masquerade as native system processes, run in memory, infect a device’s firmware, make API calls, obfuscate its code to evade network defenses, and more.

At one point, Microsoft successfully disabled a large part of the Trickbot infrastructure, but Trickbot has resurfaced and rebuilt its operation in recent years. Trickbot has evolved into one of the most prolific malware operations on the planet, and in combination with Emotet and Ryuk ransomware has re-emerged as a formidable threat to public and private sector security and critical infrastructure security. Ransomware is now a multi-billion dollar industry, and Trickbot malware is one of the keys to success for dangerous ransomware operators including Ryuk and Conti.


So how do we defend against Trickbot?

1. Security training for all employees

Trickbot primarily relies on phishing and spearphishing campaigns to infect endpoints. When unsuspecting employees click malicious links, they are effectively bypassing whatever security controls an organization has in place and opening the door for Trickbot to create havoc and avoid detection. User security training is an essential component in developing and maintaining an effective security program for businesses large and small. Employees should be trained on their role in security, cybersecurity best practices, and most importantly, how to spot phishing emails and social engineering tactics. Make sure employees know who to contact in the case of a security incident or suspicious activity on an endpoint and have a policy in place that specifies employees must report suspicious emails to designated IT, security personnel or department.

2. Monitor your endpoints, SMB traffic and RDP logs

A signature tactic of Trickbot is scanning to find open and vulnerable SMB ports and manipulating SMB and RDP ports to act on objectives. Disable SMB and RDP ports if unnecessary and not used in the network. Otherwise, make sure all SMB traffic is internal. SMB traffic should never be outbound over the internet. Monitor your endpoints for unusual network connections, process creations, and commandline activity that may reveal Trickbot artifacts or suspicious chain of events in an environment.

3. Regular antivirus, operating systems, and applications updates

Timely Windows updates provide the best protection against the latest identified threats and vulnerabilities. You should patch operating systems, software, and firmware as soon as manufacturer updates are released. Be sure to use antivirus software and, if feasible, implement a formalized patch management program.

4. Multifactor authentication

You can improve access control significantly with multifactor authentication and mitigate the impact of stolen login credentials. MFA would require an additional authentication factor such as a smart card, entering a PIN on a smartphone, Yubikey, or biometric fingerprint to access network resources. Also don’t forget to use complex passwords and change them regularly!

5. Follow cybersecurity best practices

Trickbot can be mitigated by following NIST, CIS best practices including network segmentation and segregation, least privilege, application and access control, proper firewall configuration, disabling unnecessary ports, services, and servers, system backups stored offline, centralized endpoint and network monitoring. These prevention steps will help protect a wide range of organizations from advanced malware such as Trickbot.