The Bedel Security Blog

What You Need to Know About TrickBot

Written by Brian Petzold | Mar 15, 2019


Yesterday MS-ISAC released a document summarizing the capabilities of the TrickBot malware. TrickBot focuses on obtaining consumer financial credentials, so should be a concern for all financial institutions. This week, we will look at how TrickBot is spread, what TrickBot does, and what your institution can do about it.


How Does TrickBot Spread?

TrickBot is a modular banking trojan: malicious software that usually arrives inside a legitimate-looking document attached to an email message. The document often appears to be an invoice from a known accounting or financial firm. If a user opens the document and has automatic macro execution turned off, the document will attempt to trick the user into turning macros back on. Once the macro runs, the malware may try to spread to other computers on the network using vulnerabilities in the SMB protocol (the protocol used by Windows to enable file and printer sharing).


What Does TrickBot Do?

Once established on a computer, TrickBot will try to shut down any antivirus software and will then reach out to a command and control (C2) server on the Internet for further instructions. The C2 server will send additional software to TrickBot, which will then be used to try to steal credentials from online banking sessions. It steals credentials either by redirecting a session to a fake banking server or by harvesting credentials from the login form on the banking site. Note that both of these methods have the ability to intercept and use multi-factor authentication (MFA) responses.

TrickBot also has other tricks up its sleeve and is continuously updated with more functionality. It can steal email credentials from Outlook and can also steal system information including what software is running, what files are on the system, and what other systems are on the network.


What Can We Do About It?

The MS-ISAC communication contains many recommendations regarding steps to take to protect against TrickBot. We will focus on the highlights and add a few:

  • Institutions should continue to stress the importance to their employees and customers of not clicking on links or opening documents attached to unexpected emails.
  • Systems should be configured to not automatically run macros that are not digitally signed.
  • Institutions should ensure that antivirus software is installed and kept up to date.
  • To hamper the internal spread of TrickBot, institutions should ensure that the SMB vulnerabilities from 2017 have been patched on all systems (MS17-010).
  • Institutions should also implement DMARC, an email control that can minimize incoming spam into your institution.
  • Employees should not have local administrator privileges on their systems.
  • Institutions should ensure that their online banking portals can detect, analyze, and block suspicious behaviors, such as a session's IP address changing to a different geographic location.
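To make several of the above recommendations checkable on an individual workstation, here is an added PowerShell audit script. It is not from the MS-ISAC document or from Bedel Security; it reads the Office macro policy (unsigned and Internet-sourced macros), whether the SMBv1 server is disabled, which MS17-010 hotfixes are present, the DMARC record published for the institution's domain, and who sits in the local Administrators group. The domain name, Office version and KB list are assumptions the administrator must supply; the script only reads settings and changes nothing.

```powershell
# Added example (not from the MS-ISAC document or the Bedel Security post): a
# read-only audit of several TrickBot-related controls on one Windows host.
# Run in an elevated Windows PowerShell 5.1+ session. Nothing here changes settings.
param(
    [string]$Domain = 'example.com',      # assumption: the institution's email domain
    [string[]]$Ms17010Kbs = @(),          # assumption: KB numbers for this OS build, taken from Microsoft's MS17-010 bulletin
    [string]$OfficeVersion = '16.0'       # assumption: Office 2016/2019/365 register under 16.0
)

$script:findings = @()

function Add-Finding([string]$Control, [bool]$Pass, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail }
}

# 1. Macros: VBAWarnings 3 = "disable all except digitally signed", 4 = "disable all without
#    notification". Group Policy (Policies key) wins over the user's own setting when present.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
    $value = $null
    foreach ($key in @($policyKey, $userKey)) {
        $v = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) { $value = $v; break }
    }
    Add-Finding "$app unsigned macros blocked" ($value -in @(3, 4)) "VBAWarnings=$value (want 3 or 4)"

    # Separate policy: block macros in files that carry the mark-of-the-web (email attachments, downloads).
    $blockNet = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet `
                 -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    Add-Finding "$app Internet macros blocked" ($blockNet -eq 1) "blockcontentexecutionfrominternet=$blockNet (want 1)"
}

# 2. Lateral movement over SMB: the 2017 SMB flaws live in SMBv1, so the server side should be off.
$smb1 = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol
Add-Finding 'SMBv1 server disabled' ($smb1 -eq $false) "EnableSMB1Protocol=$smb1 (want False)"

# 3. MS17-010 patch presence, only if the administrator supplied the KB list for this OS.
if ($Ms17010Kbs.Count -gt 0) {
    $installed = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue
    Add-Finding 'MS17-010 hotfix installed' ($null -ne $installed) `
        ("Found: " + (@($installed.HotFixID) -join ', '))
}

# 4. DMARC: look up _dmarc.<domain> and extract the p= policy tag.
$txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
       Where-Object { ($_.Strings -join '') -match '^v=DMARC1' } | Select-Object -First 1
$policy = if ($txt) { ($txt.Strings -join '') -replace '.*\bp=([a-z]+).*', '$1' } else { 'missing' }
Add-Finding 'DMARC policy enforced' ($policy -in @('quarantine', 'reject')) "_dmarc.$Domain p=$policy"

# 5. Local admin rights: flag user accounts in Administrators other than the built-in one.
$admins = Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue |
          Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notmatch '\\Administrator$' }
Add-Finding 'No extra local admin users' (@($admins).Count -eq 0) ("Users: " + (@($admins.Name) -join ', '))

$script:findings | Format-Table -AutoSize
```

Each row in the output names the control, whether it passes, and the raw value read, so the script can be run from an endpoint-management tool and the `Pass` column collected centrally. A `p=none` DMARC record is reported as a failure on purpose: it only monitors and does not instruct receivers to reject spoofed mail.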

If you have any further questions on TrickBot, reach out to us at support@bedelsecurity.com. If you'd like more hands-on help with Threat Intelligence, User Awareness Testing and Training, or Risk Management, check out our CySPOT™ Modules available. Or check out these other helpful articles on related topics!
