Spyware.TrickBot

Spyware.TrickBot is Malwarebytes’ detection name for the spyware components of Trojan.TrickBot.

Spyware.TrickBot focuses on stealing banking information. TrickBot typically spreads via malicious spam campaigns. It can also spread laterally using the EternalBlue exploit (MS17-010).

Example malspam distributing Trickbot

Other methods of propagation include infected attachments and embedded URLs. TrickBot is also seen as a secondary infection dropped by Trojan.Emotet.

Malicious document with macro

The end-point user will not notice any symptoms of a TrickBot infection. However, a network administrator will likely see changes in traffic or attempts to reach out to blacklisted IPs and domains, as the malware will communicate with TrickBot’s command-and-control (C&C) infrastructure to exfiltrate data and receive tasks.

Due to the way TrickBot uses the EternalBlue vulnerability to spread through a company’s network, any infected machine on the network will re-infect machines that have been previously cleaned when they rejoin the network. Therefore, IT teams need to isolate, patch, and remediate each infected system one-by-one. This can be a long and painstaking process.

Malwarebytes protects business and home users from Spyware.Trickbot with our signature-less anti-exploit technology.

Malwarebytes can detect and remove Trojan.TrickBot on business endpoints without further user interaction. But to be effective on networked machines, you must first follow these steps:

Identifying the infected machines

If you have unprotected endpoints/machines, you can run Farbar Recovery Scan Tool (FRST) to look for possible Indicators of Compromise (IOC). Besides verifying an infection, FRST can also be used to verify removal before bringing an endpoint/machine back into the network.

Disabling Administrative Shares

Windows server shares by default install hidden share folders specifically for administrative access to other machines. The Admin$ shares are used by Trickbot once it has brute forced the local administrator password. A file share sever has an IPC$ share that Trickbot queries to get a list of all endpoints that connect to it. These AdminIP shares are normally protected via UAC, however, Windows will allow the local administrator through with no prompt.

The most recent Trickbot variants use C$ with the Admin credentials to move around and re-infect all the other endpoints.

Repeated re-infections are an indication the worm was able to guess or brute force the administrator password successfully. Please change all local and domain administrator passwords.

It is recommended to disable these Admin$ shares via the registry, as discussed here. If you do not see this registry key, it can be added manually and set up to be disabled.

To remove the Trickbot Trojan using Malwarebytes business products, follow the instructions below.

Malwarebytes can detect and remove Trojan.Trickbot without further user interaction.