TrickBot explained

This banking trojan emerged in 2016 with an intention to steal users' credentials and banking information...


It was back in 2016 when the TrickBot trojan emerged on the Internet with the aim of stealing users’ credentials and banking information. That was six years ago, and it has since evolved into something more powerful than ever, so you should be careful not to get infected. That’s what this article is all about: helping you stay safe. Read on for details…

How does TrickBot work?

Like many other trojans, TrickBot relies on malicious links and attachments that are spread around the Internet in spear-phishing attacks. These tend to be well-crafted emails, written so that they don’t raise the victim’s suspicion. Everything looks fine until you click on the link or open the attachment, at which point TrickBot infects your device.

Its creators made it extremely capable, envisioning offering it through the malware-as-a-service (MaaS) model. TrickBot can steal login credentials, harvest personal information, and spread itself across the network. What’s more, it can even disable Windows Defender’s real-time monitoring, relying on the same technique that helped Emotet “prosper.”

As if that’s not enough, it can also be used to distribute ransomware such as Ryuk and Conti.

The typical scenario

Usually, the scenario goes like this:

  1. An unsuspecting victim opens an attachment, a Microsoft Office document that contains the malicious code.
  2. The code downloads the malware, giving the attackers access to the victim’s system.
  3. TrickBot is then downloaded to gather further information so the attackers can decide whether to keep targeting the infected system. At this stage, TrickBot also acquires all the permissions it needs to open the gates for Ryuk.
  4. If the attackers decide to proceed, Ryuk is downloaded and can effectively lock the victim out of their own system.
  5. A ransom demand is presented to the victim.

Yes, it’s super scary.

The looming threat

Considered one of the most notorious pieces of malware, TrickBot has been a pain in the butt for security experts from Microsoft, US Cyber Command, and cybersecurity companies — all of which have had to fight it. According to some estimates, more than 1 million computers are now controlled by TrickBot, though the attackers may not be using all of them to launch attacks.

Arguably the most notorious case was the ransomware attack on Universal Health Services (UHS) in September 2020, when attackers used TrickBot to deliver Ryuk, causing UHS IT systems to go offline.

How can you protect yourself from TrickBot?

The problem with TrickBot is that you may already have it without being aware of it. So first, check whether your computer is showing signs of malware, such as running slower than usual, and make sure the slowdown isn’t simply caused by a device update (which can also slow things down).

If you clicked a link in an email or opened an attachment, there is a chance you got infected. To prevent any further damage, first disconnect your computer from the Internet and then scan it with an antivirus scanner.

Also, check your list of installed apps for anything suspicious, such as an app you don’t recall installing. Do the same with browser extensions, and reinstall your browser as well.
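Two of the checks above can be done from an elevated PowerShell prompt on Windows 10/11: confirming that Windows Defender’s real-time monitoring is still switched on (since TrickBot is described above as disabling it) and listing programs installed recently. This is an added example written for this article, not code from the original post or from any TrickBot analysis; the 30-day window and the output layout are choices made here, and the Uninstall registry paths are the standard locations Windows uses for installed programs.

```powershell
# Added example (not from the original article): defender-side checks for two
# things mentioned in the text. Run from an elevated PowerShell prompt on
# Windows 10/11 with the built-in Defender module available.

# 1. Is Windows Defender real-time monitoring still on?
#    An unexpected False on RealTimeProtectionEnabled, or True on
#    DisableRealtimeMonitoring, is worth investigating.
$status = Get-MpComputerStatus
$prefs  = Get-MpPreference
[PSCustomObject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    DisableRealtimeMonitoring = $prefs.DisableRealtimeMonitoring   # expected: False
    TamperProtection          = $status.IsTamperProtected
    LastQuickScan             = $status.QuickScanEndTime
} | Format-List

# 2. Programs installed in the last 30 days (window is an assumption made here),
#    read from the Uninstall registry keys: 64-bit view, 32-bit view, and the
#    current user's hive.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$cutoff = (Get-Date).AddDays(-30)

Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate } |
    ForEach-Object {
        # InstallDate is stored as yyyyMMdd text; entries that don't parse are skipped
        $installed = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact(
            $_.InstallDate, 'yyyyMMdd', $null,
            [System.Globalization.DateTimeStyles]::None, [ref]$installed)
        if ($parsed -and $installed -ge $cutoff) {
            [PSCustomObject]@{
                Installed = $installed.ToString('yyyy-MM-dd')
                Name      = $_.DisplayName
                Publisher = $_.Publisher
            }
        }
    } |
    Sort-Object Installed -Descending |
    Format-Table -AutoSize
```

The first block is the quicker sanity check: if real-time protection reports as disabled and you didn’t turn it off yourself, treat the machine as suspect and go straight to the disconnect-and-scan steps above. The second block only lists entries that record an install date, so it complements rather than replaces a manual look through the installed-apps list and your browser’s extension page.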

It is also advisable to change all your passwords and enable two-factor authentication everywhere. This way, even if someone gets hold of your credentials, they won’t be able to do much with them.

The best advice we can give you is to “think before you click.” Remember that TrickBot, and a few other malware families, are made to distribute themselves automatically – so you can get them from a trusted friend. They won’t even know that they’ve sent you the message. So even if you know and trust the sender, do not open Microsoft Office documents or other executable attachments. Simply put – it’s not worth it. Make a phone call or send a separate message to that friend and ask them what it’s all about. Perhaps they can send you a PDF (much safer) or share the file via the cloud, assuming they know they sent you something in the first place.

As we usually say, the best defense is using your brain – so think before clicking on anything online. This is the only way to stay safe these days. And use a VPN, of course. 😉