Trickbot malware was first observed in the wild in 2016, when it was used as a banking trojan similar to Emotet and Dyre. It has since evolved into one of the most prominent families of modular malware, meaning that both its functionality and the way it is deployed are highly customizable.
Since 2016 there has been significant reporting on the sophisticated and ongoing development behind Trickbot. That development has been linked to the group CrowdStrike researchers call Wizard Spider, a cybercrime organization believed to be based in Russia.1
While highly capable as a stealthy internal reconnaissance and data exfiltration tool for threat actors, the more concerning development is that Trickbot is increasingly being used as a backdoor to deploy ransomware. Multiple sources have reported a developing connection between Trickbot, Emotet and Ryuk ransomware.
Threat researchers have observed considerable dwell time between initial infection of Trickbot and the distribution of Ryuk. One of the prevailing theories is that the perpetrators behind Trickbot have developed an “access-as-a-service” business model and are selling backdoors to other threat actors looking to distribute ransomware.2
There are two especially insidious implications of this apparent malware partnership. First, ransomware attacks can now be delivered with incredible precision. Historically ransomware campaigns have involved casting a wide and indiscriminate net, with threat actors relying on the law of averages to take effect and result in profits. With Trickbot’s persistence and reconnaissance utility, a victim’s network can be vetted before the ransomware is deployed, allowing threat actors to target specific aspects of the network or sensitive data that can be especially profitable.
The second implication is that it allows threat actors to effectively monetize their attacks twice. Sensitive data can be identified and exfiltrated using Trickbot and subsequently be sold on the black market. Once this is accomplished, the threat actor can either sell their access to victim networks to other cybercriminals or exploit the victims further by deploying ransomware.
This “unholy alliance,” as one reporter described it, further underscores the need for advanced threat detection and more importantly, rapid response as a means to mitigate the risk posed by modular malware like Trickbot.3
As with most attacks, initial infection typically begins with a malspam email carrying a malicious productivity attachment, such as a Word or Excel file disguised as legitimate communication from a reputable business or a known contact. The victim unknowingly enables malicious macros, which run PowerShell and ultimately download the malware from the threat actor’s command and control (C2) server.
Trickbot infection is possible through other means as well. It has been observed being deployed by other malware such as Emotet and Ursnif, which often follow a similar initial infection methodology. Following initial infection, Trickbot can propagate throughout the network by stealing credentials, by using exploits such as EternalBlue, or through modules that automatically send malspam to email addresses harvested from the compromised host’s mailbox.
Another particularly advanced feature of Trickbot is that the malware takes specific, automatic action against endpoint security measures. After it is downloaded, Trickbot tampers with the policies of Windows Defender (Microsoft’s native endpoint security platform) via PowerShell commands, disabling functions such as behavior monitoring, scanning and automatic remediation.
The malware then injects itself into the infected machine’s memory, where it establishes persistence through scheduled tasks and downloads modules from the C2 server. Modules are delivered as Dynamic Link Libraries (DLLs), shared code libraries that can be loaded by multiple processes, and run under an svchost.exe process name to blend in with legitimate Windows services. What happens from here depends on the goals of the attacker. See the module list below for examples of Trickbot modules and their functions.
Primary functions: banking trojan, reconnaissance, exfiltration, dropper for other malware.
Infection vectors: phishing, man-in-the-browser, known vulnerabilities such as EternalBlue, and other malware droppers such as Emotet.
Evasion: infections are not noticeable to the end user. Trickbot is modular and customizable, giving the threat actor many options to evade detection. Some modules can disable endpoint security tools.
Persistence: a threat actor can deploy many different modules through scheduled tasks designed for stealth and persistence in a network (expiration times for tasks, new IP addresses, sandbox checking, etc.). Infected hosts should be completely reimaged as a result.
Banking trojan, reconnaissance, exfiltration, dropper for other malware.
Phishing, man-in-the-browser, known vulnerabilities such as EternalBlue and other malware droppers such as Emotet.
Infections are not noticeable to the end user. Trickbot is modular and customizable, giving the threat actor many options to evade detection. Some modules can disable endpoint security tools.
A threat actor can deploy many different modules through scheduled tasks that are designed for stealth and persistence in a network (expiration times for tasks, new IP addresses, sandbox checking, etc.). Infected hosts are recommended to be completely reimaged as a result.
LoaderDll/InjectDll: Monitors website activity and uses web injects (e.g. pop-ups and extra form fields) to steal information.
Sinj: This file contains information on Trickbot targets and it uses redirection attacks (also known as web fake injections).
Dinj: This file contains information on TrickBot targets and it uses server side web injections.
Mailsearcher: A module to search for and collect mail files on disk to send back to the C2 server.
Systeminfo: Harvests system information so that the attacker knows what is running on the affected system.
NetworkDll: Leveraged to map out the victim’s network.
loader.dll: A module to ensure other modules are successfully loaded.
ModuleDll/ImportDll: Harvests browser data (e.g. cookies and browser configurations).
DomainDll: Uses LDAP to harvest credentials and configuration data from domain controller by accessing shared SYSVOL files.
OutlookDll: Harvests saved Microsoft Outlook credentials by querying several registry keys.
SqulDll: Force-enables WDigest authentication and utilizes Mimikatz to scrape credentials from LSASS.exe. The worming modules use these credentials to spread TrickBot laterally across networks.
Pwgrab: Steals credentials, auto-fill data, history and other information from browsers as well as several software applications.
WormDll and ShareDll: These are worming modules that abuse Server Message Block (SMB) and Lightweight Directory Access Protocol (LDAP) to move laterally across networks.
TabDll: Uses the EternalRomance exploit (CVE-2017-0147) to spread via SMBv1.
spreader_x64: A module that spreads TrickBot by exploiting EternalBlue and uses Mimikatz to perform credential theft.
TrickBooster: Harvests email addresses from an infected host, sends out malspam emails and deletes sent messages to remain hidden.
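Three of the behaviours described above leave distinct traces in standard Windows telemetry: the Set-MpPreference calls that disable Windows Defender features, the scheduled tasks used for persistence, and the SqulDll module’s re-enabling of WDigest so that cleartext credentials are cached in LSASS. The following Python script, an added example rather than eSentire code, runs simple detection rules for all three over a handful of constructed event records. The records mimic the field names of PowerShell script block logging (Event ID 4104) and Sysmon registry-set (ID 13) and process-creation (ID 1) events, but the hosts, paths, task names and values in them are invented for this example; the list of user-writable directories treated as suspicious task locations is also an assumption chosen for illustration.

```python
"""Detection rules for Trickbot-style Defender tampering, WDigest enabling and
scheduled-task persistence, run over constructed Windows telemetry.
Added example; not eSentire code.  Event records are simplified dicts that
borrow field names from Event ID 4104 (ScriptBlockText), Sysmon ID 13
(TargetObject, Details) and Sysmon ID 1 (Image, CommandLine)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    host: str
    evidence: str


# Any "-Disable<Feature> $true" (or 1) switch; only meaningful after Set-MpPreference
_MP_DISABLE = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)
# Sysmon renders a DWORD value as "DWORD (0x00000001)"
_DWORD = re.compile(r"0x([0-9a-f]+)", re.I)
# The program a schtasks /tr argument points at, quoted or not
_TASK_ACTION = re.compile(r'/tr\s+"?([^"]+?)"?(?=\s+/|\s*$)', re.I)

# Assumption for this example: tasks launching binaries from these locations are suspect
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")


def defender_tamper(ev):
    """Set-MpPreference turning off Defender features (behaviour monitoring, scanning, ...)."""
    if ev.get("id") != 4104:
        return None
    text = ev["ScriptBlockText"]
    if "set-mppreference" not in text.lower():
        return None
    switches = _MP_DISABLE.findall(text)          # ignores "-DisableX $false" (re-enabling)
    if not switches:
        return None
    return Finding("defender_tampering", ev["host"], ", ".join(switches))


def wdigest_enabled(ev):
    """UseLogonCredential set to 1: cleartext passwords will be kept in LSASS memory."""
    if ev.get("id") != 13:
        return None
    target = ev["TargetObject"]
    if not target.lower().endswith("\\wdigest\\uselogoncredential"):
        return None
    m = _DWORD.search(ev["Details"])
    if m and int(m.group(1), 16) == 1:
        return Finding("wdigest_cleartext_enabled", ev["host"], target)
    return None


def suspicious_task(ev):
    """schtasks /create whose action runs a binary out of a user-writable directory."""
    if ev.get("id") != 1:
        return None
    if ev["Image"].rsplit("\\", 1)[-1].lower() != "schtasks.exe":
        return None
    cmd = ev["CommandLine"]
    if "/create" not in cmd.lower():
        return None
    m = _TASK_ACTION.search(cmd)
    if m and any(frag in m.group(1).lower() for frag in USER_WRITABLE):
        return Finding("scheduled_task_from_user_writable_path", ev["host"], m.group(1))
    return None


RULES = (defender_tamper, wdigest_enabled, suspicious_task)


def analyze(events):
    """Run every rule over every event; return findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


def hosts_to_isolate(findings):
    """Hosts with at least one finding; candidates for endpoint isolation."""
    return sorted({f.host for f in findings})


# Constructed sample telemetry: WS-0142 shows all three behaviours, WS-0007 only benign activity.
EVENTS = [
    {"id": 4104, "host": "WS-0142", "ScriptBlockText":
        "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true "
        "-DisableBlockAtFirstSeen $true -DisableIOAVProtection $true -DisableScriptScanning $true"},
    {"id": 4104, "host": "WS-0142", "ScriptBlockText":
        "Get-MpComputerStatus | Select-Object IsTamperProtected, RealTimeProtectionEnabled"},
    {"id": 4104, "host": "WS-0007", "ScriptBlockText":
        "Set-MpPreference -DisableRealtimeMonitoring $false"},
    {"id": 13, "host": "WS-0142", "Details": "DWORD (0x00000001)", "TargetObject":
        r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"},
    {"id": 13, "host": "WS-0007", "Details": "DWORD (0x00000000)", "TargetObject":
        r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"},
    {"id": 1, "host": "WS-0142", "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine":
        r'schtasks.exe /create /tn "Windows Network Monitor" /tr "C:\Users\jdoe\AppData\Roaming\WNetval\jdoe_net.exe" /sc minute /mo 10 /f'},
    {"id": 1, "host": "WS-0007", "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine":
        r'schtasks.exe /create /tn "Adobe Acrobat Update Task" /tr "C:\Program Files\Adobe\update.exe" /sc daily'},
]

if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule} -> {f.evidence}")
    print("isolate:", hosts_to_isolate(found))
```

Each rule deliberately stays narrow: the Defender rule ignores administrators re-enabling features with `$false`, the WDigest rule only fires on the value 1 (setting it to 0 is hardening), and the task rule keys on where the task’s action lives rather than on task names, which Trickbot operators change freely. In production these rules would be fed from a SIEM or EDR rather than an inline list, and the host list would drive the kind of endpoint isolation described in the case study below.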
There are steps that organizations can take to prevent Trickbot infections. Regular security awareness training and promoting a culture of caution when it comes to email communications can help mitigate some human-error related risk.
Maintaining a consistent vulnerability and patch management program to ensure that none of your IT assets have critical known vulnerabilities that can be easily exploited by malware like Trickbot is another fundamental preventative step.
Confirming that your antivirus and/or endpoint protection products are properly tuned and updated is important. In the case of Microsoft Windows Defender in particular, confirming that Tamper Protection is enabled blocks the policy changes Trickbot attempts, whether they are made through PowerShell cmdlets or direct registry edits, and so limits its ability to disable and bypass endpoint security measures.5
It is worth repeating that the well-resourced development behind malware like Trickbot is specifically aimed at bypassing common preventative measures, meaning today’s prevention strategy could be ineffective tomorrow. Furthermore, no amount of awareness training and security culture can change the fact that human error is inevitable. Prevention on its own is an impossible task unless it is tied to a robust threat detection and response capability.
In January 2020, an eSentire manufacturing customer was alerted to suspicious network activity, which prompted further investigation by analysts in eSentire’s Security Operations Center (SOC). Nine minutes later, a host was observed sending unusual outbound communications. SOC analysts took action, using eSentire MDR for Network to place TCP disruptions on both the internal host and the IP it was communicating with in order to halt the activity, and using eSentire MDR for Endpoint to isolate the host from the rest of the network. The SOC then updated the customer on the latest developments in the incident.
At this point the threat appeared to be limited to a single compromised workstation, with no indicators of compromise observed on the rest of the customer network. With the host quarantined there was no risk of lateral movement, which proved fortunate: deeper forensic investigation of the endpoint revealed that less than 20 minutes after the SOC isolated it, the host attempted to spread via the known EternalBlue exploit.
Trickbot was identified as the malware responsible, and the initial infection was traced back to human error by an employee who clicked a link in a malspam email. Further investigation revealed that a limited amount of the employee’s personal information (saved passwords and a shipping address from a web browser’s auto-fill function) was exfiltrated before eSentire blocked the connection. We recommended that the end user change their passwords and that the workstation be completely reimaged to ensure no trace of the malware remained.
Swift investigation and response, within less than 10 minutes of the initial threat detection, was critical in containing this Trickbot incident. Had the reaction been slower by just 17 minutes (a blink of an eye in the context of a typical workday in the average IT organization), there is a good chance this infection would have spread throughout the network. This underscores the speed at which security teams must operate to stop advanced threats. Success is measured in seconds and minutes, yet most organizations lag far behind, with a mean time to contain a data breach of 73 days.6 Multi-signal Managed Detection and Response closes this gap for 1500+ customers with a 15-minute mean time to contain threats.
Center for Internet Security, “Security Primer: TrickBot”: https://www.cisecurity.org/white-papers/security-primer-trickbot/
Lee Mathews, Forbes, “Stealthy TrickBot Malware Has Compromised 250 Million Email Accounts And Is Still Going Strong”: https://www.forbes.com/sites/leemathews/2019/07/14/stealthy-trickbot-malware-has-compromised-250-million-email-accounts-and-is-still-going-strong/#1976b2c74884
MITRE ATT&CK, “TrickBot” (S0266): https://attack.mitre.org/software/S0266/
Decipher, “The Unholy Alliance of Emotet, TrickBot and the Ryuk Ransomware”: https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware