TrickBot

Overview

TrickBot was one of the most sophisticated modular banking trojans that evolved into a major initial access broker for ransomware operations. After multiple law enforcement takedowns and internal issues, the TrickBot operation wound down in 2024. Many of its developers and affiliates migrated to other operations.

Also Known As

Trickster, TrickLoader, TheTrick

How It Spreads

• • Malspam campaigns with Office documents
• • Emotet malware delivering TrickBot
• • Exploit kits
• • Network propagation using EternalBlue
• • Compromised websites

What It Does

• • Stole banking credentials via web injection
• • Provided access for Ryuk and Conti ransomware
• • Spread through networks using multiple modules
• • Harvested credentials from browsers and applications
• • Collected Active Directory information
• • Disabled Windows Defender and security tools

Target Platforms

Windows 7, Windows 10, Windows 11

Detection Tips

• • Monitor for TrickBot persistence in scheduled tasks
• • Detect web injection behavior in browser processes
• • Alert on attempts to disable Windows Defender
• • Watch for lateral movement using EternalBlue
• • Monitor for gtag parameters in C2 communications

MITRE ATT&CK Techniques

T1185, T1055, T1003, T1562.001, T1210