
A next-generation malware called TrickBot has been rampant since 2016, causing critical trouble for organizations around the nation. Security specialists consider TrickBot highly dangerous malware that targets high-profile companies and the government to steal confidential information.

Recently, TrickBot has been regarded as evolving because of its newly introduced module-based attack strategy. The threat posed by TrickBot has kept increasing over the years, causing nationwide alerts.

In this article, we will study the details of TrickBot, newly added behaviors, and proper measures to prevent infection.

TrickBot Definition

TrickBot is a Trojan-type banking malware designed to steal users' financial information by infecting computers. Many of its features were inspired by another banking Trojan called Dyreza. TrickBot was one of the first pieces of malware able to steal data from Bitcoin wallets.

TrickBot was initially identified in 2016 attacking financial institutions such as banks, business finance divisions, and credit card associates. It specializes in stealing email lists and passwords from the host computer so that it can spread itself further through Trojan-laden spam emails.

In 2019 a new TrickBot module called Cookie Grabber was discovered stealing cookie storage database information from major web browsers including Chrome, Firefox, and Microsoft Edge.

How does TrickBot Work?

One of the unique characteristics of TrickBot is its module-based attack strategy. Once the base part of TrickBot infects a computer, it downloads the modules it needs to conduct a variety of attacks.

These downloaded modules allow TrickBot to adapt quickly to the environment and conduct many attacks that are difficult to prevent. A report shows that TrickBot can extract remote access login credentials and provide them to the criminal group for manual access. Another incident describes an email application being hijacked to send malware-infected emails to every address in the contact list, an indirect mass attack.

TrickBot can rapidly spread out to the entire network using many methods, yet can also hide its activity from users. Preventing the infection becomes extremely crucial for handling this type of malware.

What Harm Can TrickBot Cause?

A computer infected by TrickBot typically does not show any symptoms that a user would notice. A network administrator, however, may be able to reveal TrickBot activity by spotting the access attempts made to download modules from a remote server.

If TrickBot successfully downloads modules to the infected computer, it will strategically attack the environment based on the circumstances. Security experts have discovered a variety of harmful modules.

The following list describes some behaviors of TrickBot using the modules.

  • Steal login credentials from the infected host computer
  • Steal remote desktop application authorization credentials
  • Hack online account passwords, cookies, and browsing histories
  • Collect bank account login information and confidential data related to finance
  • Attack POS (Point of Sale) information management systems
  • Disable Windows Defender to weaken computer security

TrickBot is also capable of spreading across the network to infect other computers, as well as re-infecting quarantined computers once they reconnect to the network. To remove a TrickBot infection, every network-accessible computer needs to be isolated, then scanned and cleaned one by one.

TrickBooster, the Revolutionary Feature of TrickBot

A new TrickBot module called TrickBooster was recently discovered. TrickBooster is designed to send out malicious emails from the infected computer while removing any trace of those emails, which makes its activity harder to detect.

The TrickBooster component itself is able to bypass detection by obtaining a fake certificate. Although the first TrickBooster activity was discovered by security experts in June 2019, the discovered certificate was revoked within a week. This shows how difficult it is to track down TrickBooster.

Example of TrickBot Attacks

Lloyds Bank: Over 75,000 fake emails were sent out within 25 minutes from a Lloyds Bank computer infected by TrickBot. The emails included a fake Lloyds Bank HTML page with the title "Incoming BACs", which is an email-based payment system. A socially engineered message asked victims to fill in and submit the document from the fake login page, resulting in a credential breach.
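Because TrickBooster removes traces of the mail it sends from the infected computer, a mass mailing like the one above has to be looked for in network logs rather than in the mailbox. The following added example (not part of the original article) counts outbound SMTP connections per internal host in a sliding window; the log format, relay address, threshold, and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMTP_PORTS = {25, 465, 587}
MAIL_RELAYS = {"10.0.0.10"}  # assumption: the only internal host allowed to send mail out
LINE = re.compile(r"^(\S+) src=(\S+) dst=\S+ dport=(\d+)$")  # hypothetical log format
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse(line):
    """Return (timestamp, source IP, destination port), or None for an unparsable line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), TS_FMT), m.group(2), int(m.group(3))
    except ValueError:
        return None

def smtp_bursts(lines, window=timedelta(minutes=1), threshold=20):
    """Peak outbound SMTP connections per non-relay host within any sliding window.
    Lines must be in time order. Only hosts whose peak reaches the threshold are returned."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, src, dport in filter(None, map(parse, lines)):
        if dport not in SMTP_PORTS or src in MAIL_RELAYS:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:  # drop connections that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {host: n for host, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed firewall log: one bursting workstation, one relay, normal traffic."""
    t0, rows = datetime(2019, 7, 1, 9, 0, 0), []
    def add(offset_s, src, dport):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        rows.append(f"{ts} src={src} dst=203.0.113.25 dport={dport}")
    for i in range(90):
        add(2 * i, "10.0.5.23", 25)      # workstation: SMTP every 2 s for 3 minutes
    for i in range(40):
        add(i, "10.0.0.10", 25)          # sanctioned relay: ignored
    for i in range(3):
        add(600 * i, "10.0.5.40", 587)   # occasional mail client: below threshold
    add(5, "10.0.5.23", 443)             # non-SMTP traffic: ignored
    return sorted(rows) + ["truncated line"]  # ISO timestamps sort chronologically

if __name__ == "__main__":
    print(smtp_bursts(sample_log()))
```

The threshold should be tuned against the normal sending rate of ordinary workstations on the network being monitored.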

How to Prevent TrickBot Infection

Be aware of email phishing and social engineering

TrickBot infects computers by embedding itself in scam emails. Learn the fundamentals of social engineering so that you can recognize malicious emails and avoid being tricked by phishing attacks.

Apply Minimum Network Access Level

Limiting computer users' network access levels will reduce the risk of the infection spreading to other computers. Setting up a firewall that blocks unauthorized network access can also keep TrickBot from downloading its modules over the network.

Install Antimalware Software

Antimalware software can provide comprehensive protection by detecting abnormal behaviors. Some features analyze emails and web links for malicious content so that users do not open them without caution. Antimalware can also scan Trojan files before they execute to prevent infection.

What to Do if Infected by TrickBot

Isolate infected computer from the network

Once TrickBot infects a computer, it attempts to download modules over the network to strategically attack the environment. To prevent further module downloads and attacks on other devices over the network, it is important to disconnect the infected machine from both the internet and the LAN.

Remove with Antivirus Software

If you think your computer has been infected with TrickBot, try to remove it by running antivirus software. Make sure the antivirus software is up to date so that the latest modules will be detected.

As for organizations, antivirus software should be installed not only on the computers that are connected to the internet but also on all the devices connected to the LAN. This is because TrickBot infects other computers that are connected over the internal network.

OS Recovery

If all the important data are securely backed up to external non-infected storage, wiping out the hard drive and performing OS recovery is an option. Because re-installing the OS will completely clean the computer system, it is a highly effective way to remove any type of malware.

After cleaning the computer, be careful not to get re-infected through other infected computers on the network. Install antivirus software before connecting to the network, and check that all other computers on the network are also clean.

