{
	"id": "7ad426dd-101b-47b8-851e-2710944b1cc1",
	"created_at": "2026-04-06T02:13:13.271114Z",
	"updated_at": "2026-04-10T03:21:25.467247Z",
	"deleted_at": null,
	"sha1_hash": "0a89f53a1e360cc4234e09d1049dee9f7cea244e",
	"title": "TrickBot and Zeus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67593,
	"plain_text": "TrickBot and Zeus\r\nPublished: 2021-07-01 · Archived: 2026-04-06 01:30:43 UTC\r\nOverview\r\nTrickBot is an established and widespread multi-purpose trojan. Active since 2016 and modular in nature, it can accomplish a variety of goals ranging from credential theft to lateral movement. Many of the malware’s capabilities come as self-contained modules, which the malware is instructed to download from the C2. Initially, TrickBot’s main focus was bank fraud, but this later shifted toward corporate-targeted ransomware attacks, eventually resulting in the discontinuation of their fraud operation.\r\nIn June 2021, the Kryptos Logic Threat Intelligence team began observing new developments to the TrickBot webinject module.\r\nTrickBot’s webinject module supports both static and dynamic configuration for injects. The static inject type causes the victim to be redirected to an attacker-controlled replica of the intended destination site, where credentials can then be harvested. The dynamic inject type transparently forwards the server response to the TrickBot C2, where the source is then modified to contain malicious components, before being returned to the victim as though it came from the legitimate site. In the current iteration of the webinject module, injects are achieved by proxying traffic through a local SOCKS server; if the traffic matches a list of target URLs, it is modified accordingly.\r\nThrough our monitoring, we were able to obtain a debug version of the module, which contained new features being tested. In this evolution of their webinject capabilities, TrickBot has added support for Zeus-style webinject configs. During development the module was served under a test name and supported parsing configs named zeus. We have since observed the updated module being pushed out to real victims under the name injectDll, superseding their old webinject module. Previously, webinject configs were stored in two files named sinj (static injects) and dinj (dynamic injects). Now, there exists a single config file named winj containing Zeus-style webinjects.\r\nInjectDLL\r\nWe began observing new changes to their webinject module when we came across a debug build uploaded to VirusTotal[1]. This module was different from the previously known webinject modules, since it makes reference to a config by the name of winj. However, we were not able to pull down such a debug build from the C2 servers, since we were not aware of the base name that was given to the module. Base names are the names given to modules by TrickBot, and are used by the main bot to fetch these modules from TrickBot’s plugin servers.\r\nCurrently we are seeing the bot pull down the released versions of the webinject module as injectDll32 and injectDll64 for the 32-bit and 64-bit module respectively.\r\nAn example of a module request made by the main bot is as follows:\r\nhttps://\u003cc2_address\u003e/\u003cgtag\u003e/\u003cunique_bot_id\u003e/5/injectDll64/\r\nIn this blog we will not go into detail on how the main bot communicates with its C2, since it has already been covered[2].\r\nwinj Config\r\nIn this module we see the introduction of Zeus webinject configs, in addition to the regular webinject configs that TrickBot previously used. A good description of how the webinject config works can be found in its leaked manual[3].\r\nhttps://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/\r\nPage 1 of 4\r\nDue to Zeus having been the gold standard for banking malware, Zeus-style webinjects are extremely popular. It is not uncommon for other malware families to support Zeus-style webinject syntax for cross-compatibility (Zloader[4] and Citadel[5], to name a few).\r\nIn the debug version, the module referred to this new config simply as zeus; however, in the release version this has been renamed to winj. As with the previous webinjects, the module is able to parse the usual webinject configs dinj and sinj. Additionally, they continue to use the dpost configs in order to send the results of the webinjects to the handler C2s.\r\nExample winj:\r\nset_url \u003ctarget-website-url\u003e GP\r\ndata_before\r\ndata_end\r\ndata_after\r\n\u003c/head\u003e\r\ndata_end\r\ndata_inject\r\n\u003cscript\u003e\u003c/script\u003e\r\ndata_end\r\nMitM\r\nAs previously reported[6], the module shares substantial code with IcedID/Bokbot’s Man-in-the-Browser webinject module. To MitM TLS connections, it creates a self-signed TLS certificate and adds it to the certificate store. The module contains a packed payload that is injected into the victim’s browser, where it hooks socket APIs to redirect traffic to a locally listening SOCKS proxy; it also hooks CertVerifyCertificateChainPolicy and CertGetCertificateChain to ensure no certificate errors are shown to the victim.\r\nConclusion\r\nThe resumption of development of the webinject module indicates that TrickBot intends to revive its bank fraud operation, which appears to have been shelved for over a year. The addition of Zeus-style webinjects may suggest expansion of their Malware-as-a-Service platform, enabling users to bring their own webinjects.\r\nIOCs\r\nSHA256 | Module Base Name | Description\r\ndd268740958fe3829c927054b900f6287235662cd93c1e91d51c38c44eb2571b | n/a | 32-bit Webinject Debug Module\r\n3bd5117466a9bcd539a482343957f8c9a74ad2fa0d5da959fcfa0d42beb9133d | n/a | 64-bit Webinject Debug Module\r\nc79f016996b45cd7cc88aa3ce6c4d1ab247a1d803de4b742f64f3bf1e183ffb0 | injectDll32 | 32-bit Webinject Module\r\n19f4f1ca50b3306c9d953e12e573b1e65670b110b358d0240e55331c7ed0d76f | injectDll64 | 64-bit Webinject Module\r\nYARA\r\nrule TrickBot__Webinject\r\n{\r\n    meta:\r\n        id = \"7eKHCSumVp7QRXF0z7BC1i\"\r\n        fingerprint = \"8a66f290d84a54e8ee148c461513627e83b8f092acebe8251c6098a88d8c4eba\"\r\n        version = \"1.0\"\r\n        first_imported = \"2021-07-01\"\r\n        last_modified = \"2021-07-01\"\r\n        status = \"RELEASED\"\r\n        sharing = \"TLP:WHITE\"\r\n        source = \"KRYPTOS LOGIC\"\r\n        author = \"KRYPTOS LOGIC\"\r\n        description = \"Detects TrickBot updated Webinject module\"\r\n        category = \"MALWARE\"\r\n        malware = \"BOT\"\r\n        hash = \"c79f016996b45cd7cc88aa3ce6c4d1ab247a1d803de4b742f64f3bf1e183ffb0\"\r\n    strings:\r\n        $a = \"c:\\\\developer\\\\webinject\\\\http-lib\\\\parser.c\" wide\r\n        $zeus1 = \"data_before\"\r\n        $zeus2 = \"data_after\"\r\n        $zeus3 = \"data_inject\"\r\n        $zeus4 = \"data_end\"\r\n        $name = /wbi-x(86|64).dll/\r\n    condition:\r\n        all of them\r\n}\r\nReferences\r\n1. https://www.virustotal.com/gui/file/dd268740958fe3829c927054b900f6287235662cd93c1e91d51c38c44eb2571b/detection\r\n2. https://gist.github.com/hasherezade/88837ea728d3950c7c38160d016ea6cf\r\n3. https://github.com/Visgean/Zeus/blob/translation/manual_en.html\r\n4. https://www.malwarebytes.com/resources/files/2020/06/the-silent-night-zloader-zbot_final.pdf#page=15\r\n5. https://www.virusbulletin.com/virusbulletin/2014/09/prosecting-citadel-botnet-revealing-dominance-zeus-descendent-part-one\r\n6. https://www.bleepingcomputer.com/news/security/TrickBot-trojan-gets-icedid-proxy-module-to-steal-banking-info/\r\nSource: https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/"
	],
	"report_names": [
		"trickbot-and-zeus"
	],
	"threat_actors": [],
	"ts_created_at": 1775441593,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a89f53a1e360cc4234e09d1049dee9f7cea244e.pdf",
		"text": "https://archive.orkl.eu/0a89f53a1e360cc4234e09d1049dee9f7cea244e.txt",
		"img": "https://archive.orkl.eu/0a89f53a1e360cc4234e09d1049dee9f7cea244e.jpg"
	}
}