According to a joint advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), TrickBot, one of the most widespread and capable malware families in circulation, is now being distributed through spear-phishing campaigns aimed at infecting PCs.

Initially deployed as a banking Trojan, TrickBot has grown into one of the most powerful tools available to cybercriminals: operators gain remote access to infected machines and use it to deliver their own follow-on malware, including ransomware.

The malicious e-mail contains a hyperlink that sends the recipient to a website hosted on a compromised server, where the victim is asked to click a photograph to view supposed proof of a traffic violation. Clicking it instead downloads a JavaScript file; once opened, the script contacts a command-and-control (C2) server, which downloads TrickBot onto the system.
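The delivery chain described above (a downloaded .js file run by the Windows Script Host, a call-out to the C2 server, then an executable written to disk) is the kind of ordered sequence an endpoint detection can key on. The following is an added example, not code from this article or from the FBI/CISA advisory: a small Python detector that correlates those three steps by process ID over constructed Sysmon-style events. The event IDs (1 = process create, 3 = network connection, 11 = file create), the 120-second window, and all paths, PIDs and IP addresses are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed Sysmon-style event IDs: 1 = process create, 3 = network connect, 11 = file create.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
PAYLOAD_EXTS = (".exe", ".dll")
WINDOW = timedelta(seconds=120)  # max gap between script start and first call-out (assumed)


@dataclass
class Event:
    ts: datetime
    event_id: int
    pid: int
    image: str                # full path of the process image
    command_line: str = ""    # event 1 only
    dest_ip: str = ""         # event 3 only
    dest_port: int = 0        # event 3 only
    target_file: str = ""     # event 11 only


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _script_arg(command_line: str) -> Optional[str]:
    """First .js/.jse argument that sits in a user-writable directory, else None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        tok = (quoted or bare).lower()
        if tok.endswith((".js", ".jse")) and any(d in tok for d in USER_WRITABLE_DIRS):
            return tok
    return None


def find_js_downloader_chains(events: List[Event]) -> List[Dict]:
    """One alert per script-host process that, in order: ran a .js/.jse from a
    user-writable directory, made an outbound connection within WINDOW, and then
    wrote a PE file. Simplification: all three steps are attributed to the same
    PID; a loader that hands off to a child process would need parent-PID tracking."""
    by_pid: Dict[int, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)

    alerts = []
    for pid, evs in by_pid.items():
        start = next((e for e in evs if e.event_id == 1
                      and _basename(e.image) in SCRIPT_HOSTS
                      and _script_arg(e.command_line)), None)
        if start is None:
            continue
        net = next((e for e in evs if e.event_id == 3
                    and start.ts <= e.ts <= start.ts + WINDOW), None)
        if net is None:
            continue
        drop = next((e for e in evs if e.event_id == 11 and e.ts >= net.ts
                     and _basename(e.target_file).endswith(PAYLOAD_EXTS)), None)
        if drop is None:
            continue
        alerts.append({
            "pid": pid,
            "script": _script_arg(start.command_line),
            "c2": f"{net.dest_ip}:{net.dest_port}",
            "dropped": drop.target_file,
            "seconds_to_callout": (net.ts - start.ts).total_seconds(),
        })
    return alerts


# Constructed sample telemetry (not real logs). 203.0.113.0/24 and 192.0.2.0/24 are
# documentation ranges; the hosts, users and paths are invented.
T0 = datetime(2021, 3, 17, 10, 0, 0)
WSH = r"C:\Windows\System32\wscript.exe"


def _cmd(script_path: str) -> str:
    return f'"{WSH}" "{script_path}"'


SAMPLE_EVENTS = [
    # Malicious chain: lure script from Downloads -> call-out -> PE dropped in Temp
    Event(T0, 1, 4321, WSH, _cmd(r"C:\Users\alice\Downloads\TrafficViolationProof.js")),
    Event(T0 + timedelta(seconds=4), 3, 4321, WSH, dest_ip="203.0.113.45", dest_port=443),
    Event(T0 + timedelta(seconds=9), 11, 4321, WSH,
          target_file=r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    # Benign: vendor maintenance script outside user-writable dirs, also uses the network
    Event(T0 + timedelta(minutes=1), 1, 5010, WSH, _cmd(r"C:\Program Files\Vendor\maint.js")),
    Event(T0 + timedelta(minutes=1, seconds=2), 3, 5010, WSH, dest_ip="192.0.2.10", dest_port=443),
    Event(T0 + timedelta(minutes=1, seconds=5), 11, 5010, WSH,
          target_file=r"C:\ProgramData\Vendor\update.exe"),
    # Benign: script run from Temp with no network activity, writes only a log file
    Event(T0 + timedelta(minutes=2), 1, 6020, WSH, _cmd(r"C:\Users\bob\AppData\Local\Temp\cleanup.js")),
    Event(T0 + timedelta(minutes=2, seconds=1), 11, 6020, WSH,
          target_file=r"C:\Users\bob\AppData\Local\Temp\cleanup.log"),
]

if __name__ == "__main__":
    for alert in find_js_downloader_chains(SAMPLE_EVENTS):
        print(alert)
```

Only the first process trips all three conditions; the vendor script fails the user-writable-directory check and the cleanup script never makes a network connection. In production the same logic would read real Sysmon or EDR events, and the same-PID simplification should be replaced with parent/child process tracking.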

According to the two agencies, TrickBot creates a backdoor on Windows machines through which the attackers steal victims' sensitive information. Some versions of TrickBot can also spread across entire networks.

TrickBot uses person-in-the-browser attacks to steal information such as login credentials. Some of its modules also spread the malware laterally across a network by abusing the Server Message Block (SMB) protocol. TrickBot operators have a toolset that spans the entire MITRE ATT&CK framework, from actively or passively gathering information to support targeting, to manipulating, interrupting, or destroying systems and data.


Because it is modular, TrickBot is highly customizable: cybercriminals can use it to deliver other malware, such as Ryuk and Conti ransomware, or as a downloader for Emotet. TrickBot can also turn infected machines into cryptomining hosts.

MITRE ATT&CK enterprise techniques used by TrickBot

In October 2020, Microsoft announced that it had targeted TrickBot in an effort to curb ransomware ahead of the U.S. elections, taking action to disrupt the botnet's key command-and-control infrastructure. Despite those efforts, TrickBot survived the takedown attempt.

TrickBot remains a powerful tool for cybercriminals and a clear danger to enterprises and organizations of all sizes, so a proper cybersecurity program is vital.

Good patch management is a crucial part of maintaining the security, integrity, and availability of an organization's data and systems, and the process should be as thorough as possible. Keeping critical (and non-critical) systems patched and up to date makes a compromise less likely. Note, however, that the initial infection described here relies on a user running a downloaded script rather than on an unpatched vulnerability, so patching chiefly limits what TrickBot can do after the first foothold, for example its SMB-based lateral movement; it is no substitute for user awareness and for controls on e-mail attachments and script execution.
