IV. History of Trickbot
Trickbot is a persistent cyber weapon that uses a variety of holes in Windows programs such as Microsoft Office and Outlook to infiltrate Windows computer networks and spread malware from computer to computer. These days Trickbot is typically a secondary infection, or second wave, that arrives after a computer has already been infected with Emotet. In fact, it can be hard to tell where Emotet stops and Trickbot starts, as they both use very similar tools. The biggest difference between them is that Trickbot now comes with EternalBlue and other NSA hacking tools to help it spread across a network from computer to computer. Once silently downloaded from the Command and Control server, Trickbot moves laterally through the Windows computer network, often using the Microsoft Outlook Email Manager to gain passwords and take control over the entire network. Because Trickbot uses the NSA EternalBlue vulnerability to spread through a company’s network, any infected machine left on the network will re-infect machines that have been previously cleaned as soon as they rejoin the network.
Trickbot was first noticed in October 2016. However, an earlier version of Trickbot, called Dyre (also known as Dyreza), was in existence two years earlier, in June 2014. Dyre in turn evolved from Zeus, which infected nearly 4 million computers in the US in 2009, using many of the same fake email and download techniques later used by Dyre, Emotet and Trickbot.
Like many other NSA-based cyber weapons, Trickbot uses SSL to communicate with remote Command and Control servers, allowing the hackers to load additional malware onto the Windows computer networks. My prior analysis of the IP addresses of these Command and Control servers confirmed that the vast majority of these servers are located in the United States. This indicates that the hackers are also located in the US.
Because Trickbot actively communicates with Command and Control servers over time, Trickbot is not an isolated weapon used in a single attack. Rather, Trickbot is simply the second phase in a process of information gathering and password stealing that, over a period of months, allows hackers to gain control over a victim’s computer network.
Because Trickbot is able to move laterally, it can quickly turn one infected computer into a thousand infected computers.
Trickbot is particularly fond of Windows 10 computers. Here is a quote from a July 31, 2019 Forbes article: “Trickbot is not a new threat, but it is an evolving one. The latest twist of the banking Trojan knife as far as Windows 10 users are concerned is the addition of new methods to not only evade but actually disable Windows Defender security protection…” https://www.forbes.com/sites/daveywinder/2019/07/31/windows-10-warning-250m-account-takeover-trojan-disables-windows-defender/#70de1e886fef
A study on the relationship between Emotet and Trickbot found that it took only 20 minutes from the time Emotet infected a computer to the time Trickbot was downloaded onto that computer. https://unit42.paloaltonetworks.com/unit42-malware-team-malspam-pushing-emotet-trickbot/
We will review how Trickbot spreads from computer to computer in a later section of this report.