As part of my work at VinCSS, I wrote a detailed analysis about TrickBot.
First discovered in 2016, until now TrickBot (aka TrickLoader or Trickster) has become one of the most popular and dangerous malware in today’s threat landscape. The gangs behind TrickBot are constantly evolving to add new features and tricks. Trickbot is multi-modular malware, with a main payload will be responsible for loading other plugins capable of performing specific tasks such as steal credentials and sensitive information, provide remote access, spread it over the local network, and download other malwares.
Trickbot roots are being traced to elite Russian-speaking cybercriminals. According to these reports (1, 2), up to now, at least two people believed to be members of this group have been arrested. Even so, other gang members are currently continuing to operate as normal.
We decided to provide a detail analysis of how Trickbot infects after launching by a malicious Word document, the techniques the malware uses to make it difficult to analyze. Unlike Emotet or Qakbot, Trickbot hides C2 addresses by using fake C2 addresses mixed together with real C2 addresses in the configuration, we will cover how to extract the final C2 list at the end of article. In addition, we present the method to recover the APIs as well as decode the strings of Trickbot based on IDA AppCall feature to make the analysis process easier.
