Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
eSentire will be hosting a virtual webinar.
Join us for a live webinar with Keegan Keplinger, Research and Reporting…
eSentire will be hosting this event.
Trickbot malware was first observed in the wild in 2016, being utilized as a banking trojan similar to Emotet and Dyre. It has since evolved to become one of the most prominent types of modular malware, meaning it is highly customizable in functionality and how it is deployed.
Since 2016, there has been significant reporting on the sophisticated and ongoing development behind Trickbot. This has been linked to what CrowdStrike researchers call the Wizard Spider cybercrime organization, believed to be based in Russia.1
While highly capable as a stealthy internal reconnaissance and data exfiltration tool for threat actors, the more concerning development is that Trickbot is increasingly being used as a backdoor to deploy ransomware. Multiple sources have reported a developing connection between Trickbot, Emotet and Ryuk ransomware.
Threat researchers have observed considerable dwell time between initial infection of Trickbot and the distribution of Ryuk. One of the prevailing theories is that the perpetrators behind Trickbot have developed an “access-as-a-service” business model and are selling backdoors to other threat actors looking to distribute ransomware.2
There are two especially insidious implications of this apparent malware partnership. First, ransomware attacks can now be delivered with incredible precision. Historically ransomware campaigns have involved casting a wide and indiscriminate net, with threat actors relying on the law of averages to take effect and result in profits. With Trickbot’s persistence and reconnaissance utility, a victim’s network can be vetted before the ransomware is deployed, allowing threat actors to target specific aspects of the network or sensitive data that can be especially profitable.
The second implication is that it allows threat actors to effectively monetize their attacks twice. Sensitive data can be identified and exfiltrated using Trickbot and subsequently be sold on the black market. Once this is accomplished, the threat actor can either sell their access to victim networks to other cybercriminals or exploit the victims further by deploying ransomware.
This “unholy alliance,” as one reporter described it, further underscores the need for advanced threat detection and more importantly, rapid response as a means to mitigate the risk posed by modular malware like Trickbot.3
Like most attacks, initial infection typically occurs from a malspam email containing a malicious productivity attachment, such as a Word or Excel file cleverly disguised as legitimate communications from reputable businesses or known contact. The victim unknowingly enables malicious macro commands to run PowerShell and ultimately downloads the malware from the threat actor’s command and control (C2) server.
Trickbot infection is possible through other means. It has been observed being deployed by other types of malware such as Emotet and Ursnif, which often follows a similar initial infection methodology. Following initial infection, Trickbot can propagate throughout the network by stealing credentials, utilizing exploits such as EternalBlue or by modules that automatically send malspam emails to harvested email addresses from the compromised host’s account.
Another particularly advanced feature of Trickbot: the malware takes specific and automatic action against endpoint security measures. Following download, Trickbot looks to tamper with the policies of Windows Defender (Microsoft’s native endpoint security platform) via PowerShell commands, disabling functions like behavior monitoring, scanning, automatic remediation and more.
The malware then redeploys itself in the infected machine’s memory where it begins to establish persistence through scheduling tasks and downloading modules from the C2 server. Modules are delivered as Dynamic Link Libraries (DLL) via the svchost.exe process name, file types that allow for instructions to be disseminated to multiple programs. What happens from here depends on the goals of the attacker. See the table to the right for examples of various Trickbot modules and their functions.
Banking trojan, reconnaissance, exfiltration, dropper for other malware.
Phishing, man-in-the-browser, known vulnerabilities such as EternalBlue and other malware droppers such as Emotet.
Infections are not noticeable to the end user. Trickbot is modular and customizable, giving the threat actor many options to evade detection. Some modules can disable endpoint security tools.
A threat actor can deploy many different modules through scheduled tasks that are designed for stealth and persistence in a network (expiration times for tasks, new IP addresses, sandbox checking, etc.). Infected hosts are recommended to be completely reimaged as a result.
LoaderDII/InjectDII: Monitors for website activity and uses web injects (e.g. pop ups and extra fields) to steal information.
Sinj: This file contains information on Trickbot targets and it uses redirection attacks (also known as web fake injections).
Dinj: This file contains information on TrickBot targets and it uses server side web injections.
Mailsearcher: A module to search for and collect mail files on disk to send back to the C2 server.
Systeminfo: Harvests system information so that the attacker knows what is running on the affected system.
NetworkDll: Leveraged to map out the victim’s network.
loader.dll: A module to ensure other modules are successfully loaded.
ModuleDll/ImportDll: Harvests browser data (e.g. cookies and browser configurations).
DomainDll: Uses LDAP to harvest credentials and configuration data from domain controller by accessing shared SYSVOL files.
OutlookDll: Harvests saved Microsoft Outlook credentials by querying several registry keys.
SqulDll: Force-enables WDigest authentication and utilizes Mimikatz to scrape credentials from LSASS.exe. The worming modules use these credentials to spread TrickBot laterally across networks.
Pwgrab: Steals credentials, auto-fill data, history and other information from browsers as well as several software applications.
WormDll and ShareDll: These are worming modules that abuse Server Message Block (SMB) and Lightweight Directory Access Protocol (LDAP) to move laterally across networks.
TabDll: Uses the EternalRomance exploit (CVE-2017-0147) to spread via SMBv1.
spreader_x64: A module that spreads TrickBot by exploiting EternalBlue and uses mimikatz to perform credential threat.
TrickBooster: Harvests email addresses from an infected host, sends out malspam emails and deletes sent messages to remain hidden.
There are steps that organizations can take to prevent Trickbot infections. Regular security awareness training and promoting a culture of caution when it comes to email communications can help mitigate some human-error related risk.
Maintaining a consistent vulnerability and patch management program to ensure that none of your IT assets have critical known vulnerabilities that can be easily exploited by malware like Trickbot is another fundamental preventative step.
Confirming your antivirus and/or endpoint protection products are properly tuned and updated is important. Particularly in the case of Microsoft Windows Defender, confirming that tamper protection features are enabled can mitigate Trickbot’s ability to disable and bypass endpoint security measures.5
It is worth repeating that the sophisticated resources behind the development of malware like Trickbot are specifically designed to bypass common preventative measures, meaning today’s threat prevention strategies could be ineffective tomorrow. Furthermore, no amount of awareness training and security culture can change the fact that human error is inevitable. Prevention is ultimately an impossible task unless it is tied to a robust threat detection and response capability.
The programs are designed to identify blind spots and harden your posture against known threats. Services within include Phishing and Security Awareness Training, Technical Testing and Virtual CISO services.
Dedicated eSentire experts act as an extension of your team to execute timely scanning and tracking of known vulnerabilities among your IT assets.
In January 2020, an eSentire manufacturing customer was initially alerted to suspicious network activity, which prompted further investigation by analysts from eSentire’s Security Operations Center (SOC). Nine minutes later, a host was observed sending unusual outbound communications, at which point SOC analysts took action and placed TCP disruptions on both the internal host and the IP it was communicating with in order to halt the activity via eSentire MDR for Network. The host itself was isolated from the rest of the network as well via eSentire MDR for Endpoint. The SOC updated the customer with the latest development in the incident.
At this point, the threat appeared to be limited to a single compromised workstation with no observed indicators of compromise on the rest of the customer network. Furthermore, there was no risk of lateral movement with the host quarantined, which was fortunate because deeper forensic endpoint investigation revealed that the host was attempting to spread via the known EternalBlue exploit less than 20 minutes following the SOC’s actions to isolate the threat.
Trickbot was identified as the malware responsible for the activity with the initial infection traced back to human error from an employee who clicked on a link from a malspam email. Further investigation did reveal that a limited amount of the employee’s personal information (saved passwords and shipping address from a web browser auto-fill function) was exfiltrated before eSentire blocked the connection. We recommended to the customer that the end user change their passwords and their workstation be completely reimaged to ensure no traces of malware remained.
Swift investigation and response within less than 10 minutes of the initial threat detection was critical in containing this particular Trickbot incident. If reaction to the threat was slower by just 17 minutes, (a relative blink of an eye in the context of the typical workday in the average IT organization) there is a good chance this Trickbot infection would have been able to spread throughout the network. This underscores the speed security teams must operate at to stop advanced threats. Success is measured in seconds and minutes, but unfortunately, most organizations are lagging far behind with the mean time to contain a data breach at 73 days.6 Multi-signal Managed Detection and Response closes this gap for 1500+ customers with a 15 mean time to contain threats.
Security Primer TrickBot, Center for Internet Security: https://www.cisecurity.org/white-papers/security-primer-trickbot/
Stealthy TrickBot Malware Has Compromised 250 Million Email Accounts And Is Still Going Strong,Forbes: https://www.forbes.com/sites/leemathews/2019/07/14/stealthy-trickbotmalware- has-compromised-250-million-email-accounts-and-is-still-going-strong/#1976b2c74884
TrickBot, MITRE ATT&CK Framework: https://attack.mitre.org/software/S0266/
The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware,Decipher: https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware