{
	"id": "b898a676-da94-4406-bf8e-72d51c8b0a3b",
	"created_at": "2026-04-18T02:22:10.122416Z",
	"updated_at": "2026-04-18T02:22:37.367497Z",
	"deleted_at": null,
	"sha1_hash": "4011633e277bbf030de9e585af0e5f4e6af920d3",
	"title": "A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104652,
	"plain_text": "A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies\r\nBy ramanl\r\nPublished: 2022-02-16 · Archived: 2026-04-18 02:18:07 UTC\r\nResearch by: Aliaksandr Trafimchuk, Raman Ladutska\r\nThis research comes as a follow-up to our previous article on Trickbot, “When Old Friends Meet Again: Why Emotet\r\nChose Trickbot For Rebirth”, where we provided an overview of the Trickbot infrastructure after its takedown. Check\r\nPoint Research (CPR) now sheds some light on the technical details of key Trickbot modules.\r\nTrickbot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on\r\ndemand. Such modules allow the execution of all kinds of malicious activities and pose great danger to the customers\r\nof 60 high-profile financial (including cryptocurrency) and technology companies, mainly located in the United States.\r\nFor a full list of the targeted companies, see the Appendix. These brands are not the victims, but their customers might\r\nbe the targets.\r\nFigure 1 – Several companies whose customers are targeted by Trickbot\r\nWe previously discussed the de-centralized and effective Trickbot infrastructure, and now we see that the malware is\r\nvery selective in how it chooses its targets. 
Various tricks – including anti-analysis – implemented inside the modules\r\nshow the authors’ highly technical background and explain why Trickbot remains a very prevalent malware family.\r\nBelow is a heat-map with the percentage of organizations that were affected by Trickbot in each country in 2021:\r\nhttps://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/\r\nPage 1 of 13\n\nFigure 2 – Percentage of organizations impacted by Trickbot (the darker the color, the higher the impact)\r\nBelow is a table that shows the percentage of organizations affected by Trickbot in each region:\r\nRegion | Organizations affected | Percentage\r\nWorld | 1 of every 45 | 2.2%\r\nAPAC | 1 of every 30 | 3.3%\r\nLatin America | 1 of every 47 | 2.1%\r\nEurope | 1 of every 54 | 1.9%\r\nAfrica | 1 of every 57 | 1.8%\r\nNorth America | 1 of every 69 | 1.4%\r\nThere is currently a lot of attention on the possible detention of TrickBot gang members. This investigation may\r\nhave long-term consequences for malware operators. We have decided to approach this issue differently: from the\r\nhistory of the rise and fall of different malware operations, we know that although malware may become inactive, its\r\ntechnical aspects are often re-used by its successors.\r\nWe explore the technical details of key TrickBot modules and explain how they operate. 
No matter what awaits the\r\nTrickBot botnet, the thorough efforts put into the development of sophisticated TrickBot code will likely not be lost,\r\nand the code will find its use in the future.\r\nIn this article, we focus on the three key modules below and describe Trickbot’s anti-analysis techniques:\r\ninjectDll\r\ntabDll\r\npwgrabc\r\ninjectDll: web-injects module\r\nWeb-injects cause a lot of harm to victims because such modules steal banking and credential data and could cause\r\ngreat financial damage via wire transfers. Add Trickbot’s cherry-picking of victims, and the menace becomes even\r\nmore dangerous.\r\nThe injectDll module performs browser data injection, including JavaScript which targets customers of 60 high-profile\r\ncompanies in the financial (including cryptocurrency) and technology spheres.\r\nNot only does this module target high-profile organizations, it also features several anti-analysis techniques which we\r\ndescribe below. Before the takedown in October 2020, the injectDll module had a configuration built from two config\r\ntypes, “sinj” and “dinj” (located at the end of the module):\r\nFigure 3 – Configuration of the injectDLL module in 2020\r\nNow web-injects come with the “winj” config from C2:\r\nFigure 4 – Configuration of the injectDLL module in 2021\r\nAnd they may look like this:\r\nFigure 5 – Web-inject from the injectDLL module\r\nWe can recognize the well-known web-injects format from Zeus (https://www.malware.unam.mx/en/content/zeus-analysis-configuration-file-attacked-banking-internet). The payload which is injected into the page is minified (reducing\r\nthe code size, which also makes the code unreadable), obfuscated, and contains anti-deobfuscation techniques. 
These\r\ntechniques are based on the JavaScript function string representation and its comparison with a hardcoded Regular\r\nExpression which should match the obfuscated function code. If the representation of the function doesn’t match, the\r\nbrowser tab process crashes (we describe the technique later in this article).\r\nIf all the checks pass successfully, the script constructs the URL of the second stage web-inject, in this case:\r\nhttps://myca.adprimblox.fun/E4BFFED4E95C646B0EB2072FB593CA3D/dmaomzs1e5cl/6vpixf7ug8h5sli7gqwj/jquery-3.5.1.min.js\r\nThis URL is built from %BOTID% and two decoded constants. The C2 server strictly checks that the URL ends\r\nwith “6vpixf7ug8h5sli7gqwj/jquery-3.5.1.min.js”. If the client tries to access any non-existent endpoint, the C2 server\r\nblocks network packets from the researcher’s external IP for a period of time.\r\nThe name of the script disguises it as the well-known legitimate JavaScript jQuery library. The “second” stage web-inject is heavier than the first stage and is only loaded from the targeted page (for example, Amazon or a banking\r\npage) so as not to reveal the C2 servers. Its payload is also minified and obfuscated, contains a few layers of anti-deobfuscation techniques, and contains the code which grabs the victim’s keystrokes and web form submit actions.\r\nThe “second” stage of the web-inject, which targets the legitimate “https://sellercentral.amazon.com/ap/signin” site,\r\ncollects information from the login action and saves the “ap_email” and “ap_password” fields for a C2 payload. 
The\r\npayload is sent to another C2 server, whose address is decrypted (like other strings in the script) using RC4:\r\nhttps://akama.pocanomics.com/ws/v2/batch\r\nFigure 6 – Example of the prepared payloads\r\nThe assembled HTTP request’s payload looks like this:\r\nm=login\u0026login=test@test.com\u0026pass=pass\u0026b=E4BFFED4E95C646B0EB2072FB593CA3C\u0026q=sipdialm\u0026v=8may\u0026w=1\r\nHere the “login” and “pass” fields hold the captured credentials, the “b” field holds %BOT_ID%, and the “v” (and\r\nprobably “w”) field is the version. (Note – we are not sure about the purpose of these fields.)\r\nThis payload is then encrypted using XOR with the key “ahejHKuD5H83UpkQgJK”. The pseudocode of the payload\r\nencryption algorithm is shown below:\r\nlet to_send = b64encode(xor_with(unescape(encodeURIComponent(payload)), 'ahejHKuD5H83UpkQgJK'));\r\nAnti-Deobfuscation technique\r\nUsually a researcher tries to analyze minified and obfuscated JavaScript code using tools like JavaScript beautifiers,\r\ndeobfuscators like de4js, and so on.\r\nAfter we applied these tools, we noticed that although the code became more readable, it also stopped working.\r\nIn the screenshot below, we’ve marked two places in red. The first one is a very simple function which performs\r\n“return ‘newState’”. 
The second red mark expects the function to be obfuscated.\r\nFigure 7 – Anti-deobfuscation tricks in the code\r\nHere is the deobfuscated function representation (i.e., the result of calling its .toString() function):\r\nFigure 8 – Deobfuscated function\r\nAnd here is how it must look to pass the anti-deobfuscation trick:\r\nFigure 9 – Obfuscated function\r\nAnti-Analysis Technique\r\nAnother anti-analysis technique we encountered is one that prevents a researcher from sending automated requests to\r\nCommand-and-Control servers to get fresh web-injects. If there is no “Referer” header in the request, the server will\r\nnot answer with a valid web-inject. Here is an example of a valid request:\r\nFigure 10 – Example of a successful request to a Command-and-Control server from the injectDLL module\r\nThe response looks like the one shown below:\r\nFigure 11 – Response received from a Command-and-Control server of the injectDLL module\r\ntabDLL module\r\nThe purpose of this DLL is to grab the user’s credentials and spread the malware via network shares. It grabs credentials\r\nin 5 steps:\r\n1. Enables storing user credential information in the LSASS process.\r\n2. Injects the “Locker” module into the “explorer.exe” process.\r\n3. From the infected “explorer.exe”, forces the user to enter login credentials to the application and then locks the\r\nuser’s session.\r\n4. The credentials are now stored in the LSASS process memory.\r\n5. Grabs the credentials from the LSASS process memory using the mimikatz technique.\r\nThe credentials are then reported to C2. 
Lastly, it uses the EternalRomance exploit to spread via SMBv1 network\r\nshares.\r\nThese steps are summarized in the diagram below:\r\nFigure 12 – Steps to grab a user’s credentials as executed by the “tabDll” module\r\nThe obfuscation level decreased when a botnet operator used a random key for the string encryption algorithm. We\r\nencountered such a case with a low obfuscation level, where the string “GetCurrentProcess” became easily readable:\r\nFigure 13 – Low level of obfuscation\r\nAnother example is below:\r\nFigure 14 – No key is used for the obfuscation\r\nIn this case, no key is used for decryption. However, such cases remain rare throughout the modules and samples.\r\npwgrabc module\r\nThe pwgrabc module is a credential stealer for various applications. This is the full list of targeted applications:\r\nChrome\r\nChromeBeta\r\nEdge\r\nEdgeBeta\r\nFirefox\r\nInternet Explorer\r\nOutlook\r\nFilezilla\r\nWinSCP\r\nVNC\r\nRDP\r\nPutty\r\nTeamViewer\r\nPrecious\r\nGit\r\nOpenVPN\r\nOpenSSH\r\nKeePass\r\nAnyConnect\r\nRDCMan\r\nConclusion\r\nBased on our technical analysis, we can see that Trickbot’s authors have the skills to approach malware development\r\nfrom a very low level and pay attention to small details. 
Trickbot attacks high-profile victims to steal credentials\r\nand provide its operators access to portals with sensitive data where they can cause greater damage.\r\nMeanwhile, from our previous research, we know that the operators behind the infrastructure are very experienced\r\nwith malware development on a high level as well.\r\nThe combination of these two factors has already led to more than 140,000 infected victims after the takedown, several\r\n1st place rankings in top malware prevalence lists, and collaboration with Emotet – all within a year.\r\nTrickbot remains a dangerous threat that we will continue to monitor, along with other malware families.\r\nCheck Point Protections\r\nCheck Point provides zero-day protection across its network, cloud, users and access security solutions. Whether\r\nyou’re in the cloud, the data center, or both, Check Point’s Network Security solutions simplify your security without\r\nimpacting network performance, provide a unified approach for streamlined operations, and enable you to scale for\r\ncontinued business growth. Quantum provides the best zero-day protection while reducing security overhead. 
\r\nCheck Point Harmony Network Protections:\r\nTrojan-Banker.Win32.TrickBot\r\nThreat Emulation protections:\r\nBanker.Win32.Trickbot.TC\r\nTrickbot.TC\r\nBotnet.Win32.Emotet.TC.*\r\nEmotet.TC.*\r\nTS_Worm.Win32.Emotet.TC.*\r\nTrojan.Win32.Emotet.TC.*\r\nAppendix – The list of targeted companies (via web-injects)\r\nCompany Field\r\nAmazon E-commerce\r\nAmericanExpress Credit Card Service\r\nAmeriTrade Financial Services\r\nAOL Online service provider\r\nAssociated Banc-Corp Bank Holding\r\nBancorpSouth Bank\r\nBank of Montreal Investment Banking\r\nBarclays Bank Delaware Bank\r\nBlockchain.com Cryptocurrency Financial Services\r\nCanadian Imperial Bank of Commerce Financial Services\r\nCapital One Bank Holding\r\nCard Center Direct Digital Banking\r\nCentennial Bank Bank Holding\r\nChase Consumer Banking\r\nCiti Financial Services\r\nCitibank Digital Banking\r\nCitizens Financial Group Bank\r\nCoamerica Financial Services\r\nColumbia Bank Bank\r\nDesjardins Group Financial Services\r\nE-Trade Financial Services\r\nFidelity Financial Services\r\nFifth Third Bank\r\nFundsXpress IT Service Management\r\nGoogle Technology\r\nGoToMyCard Financial Services\r\nHawaiiUSA Federal Credit Union Credit Union\r\nHuntington Bancshares Bank Holding\r\nHuntington Bank Bank Holding\r\nInteractive Brokers Financial Services\r\nJPMorgan Chase Investment Banking\r\nKeyBank Bank\r\nLexisNexis Data mining\r\nM\u0026T Bank Bank\r\nMicrosoft Technology\r\nNavy Federal Credit Union\r\npaypal Financial Technology\r\nPNC Bank Bank\r\nRBC Bank Bank\r\nRobinhood Stock Trading\r\nRoyal Bank of Canada Financial Services\r\nSchwab Financial Services\r\nScotiabank Canada Bank\r\nSunTrust Bank Bank Holding\r\nSynchrony 
Financial Services\r\nSynovus Financial Services\r\nT. Rowe Price Investment Management\r\nTD Bank Bank\r\nTD Commercial Banking Financial Services\r\nTIAA Insurance\r\nTruist Financial Bank Holding\r\nU.S. Bancorp Bank Holding\r\nUnionBank Commercial Banking\r\nUSAA Financial Services\r\nVanguard Investment Management\r\nWells Fargo Financial Services\r\nYahoo Technology\r\nZoomInfo Software as a service\r\nIOCs\r\nmyca.adprimblox.fun\r\nakama.pocanomics.com\r\n524A79E37F6B02741A7B6A429EBC2E33306068BDC55A00222B6C162F396E2736\r\nSource: https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/"
	],
	"report_names": [
		"a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies"
	],
	"threat_actors": [],
	"ts_created_at": 1776478930,
	"ts_updated_at": 1776478957,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4011633e277bbf030de9e585af0e5f4e6af920d3.pdf",
		"text": "https://archive.orkl.eu/4011633e277bbf030de9e585af0e5f4e6af920d3.txt",
		"img": "https://archive.orkl.eu/4011633e277bbf030de9e585af0e5f4e6af920d3.jpg"
	}
}