Trickbot: From dyre straits to most valuable Trojan

12. October 2017 Banking, Trojan

Trickbot is the new big player in Trojan town. It appeared at the end of 2016 and has since been successful enough to be distributed alongside Locky.

Functionality-wise, Trickbot is a regular trojan with a modular architecture. It can be used to pilfer data from your computer and to intercept logins to banks or business sites. It shares the same goals as Dridex and has been seen sharing the same infrastructure.

Emergence of Trickbot

Jason Reaves, from Fidelis, was the first to raise the alarm about this new trojan, in October 2016.

Hasherezade, from Malwarebytes, followed with this article.

In these posts, one point was clear: Trickbot had a strong link with the now-extinct Dyre(za) trojan (whose disappearance coincided with a raid targeting Russian hackers in November 2015).

Then, at some point in 2016, the Dyre crew came back to work and rebooted the franchise with Trickbot.

Both families share the same code design and the same communication protocol. The only change concerns the programming languages used: Dyre was written in C and Trickbot in C++ (with one module in Delphi and elements from the Qt library).

Hasherezade interprets this change as follows:

TrickBot’s new modules are not written very well and they are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. (…) Also, they make use of languages and libraries that are easier – Qt instead of native sockets for module.dll, Delphi language for Outlook.dll. Those changes may indicate some changes in the development team – either they gained new members that have been delegated to the new tasks or some of the previous members resigned and have been substituted by lower quality programmers.

Furthermore, Trickbot uses an internal campaign ID (also called gtag), which is another remnant of Dyre. This suggests that the bot is distributed through other parties (as in the Dridex distribution scheme).

Rising to the top

Trickbot was first seen with internal version 1000002. The latest version at the time of writing is 1000066. In one year, more than 60 revisions were made to the bot. Needless to say, the malware is under active development.

To illustrate this, the devs integrated two new modules recently:

The real push for Trickbot came after the crew partnered (around June) with the Necurs spam botnet. These campaigns are geo-targeted: the bots attack specific banks, mainly in First-World countries.

Since this change, the surge in popularity (and infections) of this trojan is clear as shown in these Google Trends graphics.

Statistics

I love stats, I’m sure you do too.

James S compiled data and created graphics concerning the gtags and ports used in several configurations:

Key points of this data are:

  • Infrastructure reuse is frequent
  • All C&C servers are located in bulletproof hosting companies in Eastern Europe
  • Only two TCP ports are used: 443 and 449
  • 8 campaigns exist, with the following nicknames (XX/XXX standing for digits):
    • tmt2 (used only in first version)
    • tt0002 (most common)
    • notXX
    • serXXX (second in frequency, change numbers often)
    • mac1
    • kasXX
    • worm
    • tot1
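The points above (campaign naming, the two C&C ports, infrastructure reuse across campaigns) are the kind of thing an analyst checks by hand over a pile of extracted configurations. As an added example, not code from this post or from James S's data set, here is a small triage script that does that over constructed sample configurations. The XML layout used (a <ver>, a <gtag> and a list of <srv> host:port entries) and the sample IPs are assumptions made for this example; it buckets each gtag into the campaign families listed above, tallies the ports, flags any port other than 443 and 449, and lists hosts that are shared between campaigns.

```python
import re
from collections import Counter
from xml.etree import ElementTree as ET

# Constructed sample configurations (not real Trickbot data). The element
# layout is an assumption made for this example.
SAMPLE_CONFIGS = [
    "<mcconf><ver>1000002</ver><gtag>tmt2</gtag>"
    "<servs><srv>192.0.2.10:443</srv></servs></mcconf>",
    "<mcconf><ver>1000040</ver><gtag>tt0002</gtag>"
    "<servs><srv>192.0.2.10:449</srv><srv>198.51.100.5:443</srv></servs></mcconf>",
    "<mcconf><ver>1000045</ver><gtag>ser0515</gtag>"
    "<servs><srv>198.51.100.5:449</srv></servs></mcconf>",
    "<mcconf><ver>1000066</ver><gtag>tt0002</gtag>"
    "<servs><srv>203.0.113.7:443</srv></servs></mcconf>",
    "<mcconf><ver>1000066</ver><gtag>not22</gtag>"
    "<servs><srv>203.0.113.9:8080</srv></servs></mcconf>",
    "<mcconf><ver>1000060</ver><gtag>kas12</gtag>"
    "<servs><srv>192.0.2.10:443</srv></servs></mcconf>",
]

# Campaign families from the post; XX/XXX stand for a run of digits.
GTAG_FAMILIES = {
    "tmt2": re.compile(r"^tmt2$"),
    "tt0002": re.compile(r"^tt0002$"),
    "notXX": re.compile(r"^not\d+$"),
    "serXXX": re.compile(r"^ser\d+$"),
    "mac1": re.compile(r"^mac1$"),
    "kasXX": re.compile(r"^kas\d+$"),
    "worm": re.compile(r"^worm$"),
    "tot1": re.compile(r"^tot1$"),
}

# The only two C&C ports seen in the post's data set.
EXPECTED_PORTS = {443, 449}


def classify_gtag(gtag):
    """Map a raw gtag to one of the known campaign families, or 'unknown'."""
    for family, pattern in GTAG_FAMILIES.items():
        if pattern.match(gtag):
            return family
    return "unknown"


def parse_config(xml_text):
    """Extract version, gtag and (host, port) C&C pairs from one config."""
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.iter("srv"):
        host, _, port = srv.text.strip().rpartition(":")
        servers.append((host, int(port)))
    return {
        "ver": int(root.findtext("ver")),
        "gtag": root.findtext("gtag"),
        "servers": servers,
    }


def summarize(configs):
    """Campaign/port statistics plus two anomalies worth a second look:
    C&C hosts shared by several gtags (infrastructure reuse) and ports
    outside the expected 443/449 set."""
    parsed = [parse_config(c) for c in configs]
    families = Counter(classify_gtag(p["gtag"]) for p in parsed)
    ports = Counter(port for p in parsed for _, port in p["servers"])

    hosts_to_gtags = {}
    for p in parsed:
        for host, _ in p["servers"]:
            hosts_to_gtags.setdefault(host, set()).add(p["gtag"])
    reused_hosts = sorted(h for h, tags in hosts_to_gtags.items() if len(tags) > 1)

    return {
        "families": families,
        "ports": ports,
        "reused_hosts": reused_hosts,
        "odd_ports": sorted(set(ports) - EXPECTED_PORTS),
        "version_range": (min(p["ver"] for p in parsed), max(p["ver"] for p in parsed)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CONFIGS).items():
        print(f"{key}: {value}")
```

On the constructed samples the script reports tt0002 as the most frequent family, 443 ahead of 449, two hosts shared between campaigns, and a single config using port 8080, which would stand out as something to verify rather than a property of the family.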

Conclusion

The Trickbot trojan is the rising star of the malware world this year. It is still a work in progress, as can be seen from its module development, but it shows real commitment from its developers.

The relation between Dridex and Trickbot crews is difficult to evaluate, but it seems both are following the same “don’t hack in Cyrillic countries” rule and that they don’t go after each other to control the market.

All in all, the future won’t be bright for online banking.