{
	"id": "eb1d1b14-8797-49f6-9db7-54dfb1321420",
	"created_at": "2026-04-06T01:29:02.456319Z",
	"updated_at": "2026-04-10T03:36:11.152557Z",
	"deleted_at": null,
	"sha1_hash": "5eac69cc5960cecfd3e3c21e995a7aa873afa008",
	"title": "Detecting Trickbot with Splunk | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 899022,
	"plain_text": "Detecting Trickbot with Splunk | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2021-07-21 · Archived: 2026-04-06 00:48:57 UTC\r\nTrickbot Trojan is said to be related to Zeus and Dyre crimeware and has been active since the year 2016. Trickbot\r\nhas been used in multiple campaigns targeting financial services and other verticals; due to its versatile nature,\r\nrecently it has also been observed targeting single users via traffic infringement phishing. Trickbot is attributed to\r\nthe following actors, according to CISA:\r\nWizard Spider (CrowdStrike)\r\nUNC1878 (FireEye)\r\nGold Blackburn (SecureWorks)\r\nThe web injects are post-exploitation code artifacts delivered and executed via trickbot. They are specifically\r\ndesigned for targeted sites (financial institutions, cryptocurrency exchanges, telco service providers). The samples\r\nanalyzed by the Splunk Threat Research Team include major U.S. financial institutions, telecom organizations and\r\ncryptocurrency exchanges, among others. Although web injects are not new, they are very difficult to detect, and\r\nthey usually defeat most available defenses — PINs, CAPTCHA and even two-factor authentication applications.\r\nThe web inject code is delivered post-compromise via trickbot. Trickbot crimeware is delivered by multiple\r\nmethods, from direct malicious links and infected documents to direct exploitation of internet-exposed hosts or\r\nlateral movement; Trickbot malware possesses several functions and features that allow usage of different\r\nexploitation methods and post-exploitation payloads.\r\nThe following graphic is an example of an infected document:\r\nhttps://www.splunk.com/en_us/blog/security/detecting-trickbots.html\r\nPage 1 of 5\n\nThis Excel document will download and load a malicious trickbot .dll using the rundll32 Windows application, as seen\r\nin the next graphic. The macro is written in a hidden xls sheet in white font, so as to be invisible to the user.\r\nOnce this document is executed on a vulnerable host, it proceeds to execute the loader and contact Command and\r\nControl servers. It will inject its code into the “wermgr.exe” process to do its malicious routine. Below is a snippet\r\nof procmon CSV logs during the trickbot execution. Notice that the wermgr.exe process was created by the same\r\nrundll32 process that loads the trickbot malware (in this case 1.dll).\r\nBy decoding the big encoded string in the trickbot dll loader upon unpacking it in memory, we can see a list of\r\nweb services that trickbot uses to look up the IP address of the infected machines.\r\nThroughout the infection process, Trickbot will also establish persistence. This is done via the creation of a\r\nscheduled task. We also analyzed a trickbot module identified as wormDll64.dll. This module allows trickbot to\r\nmove laterally and collect LDAP information from compromised networks.\r\nThe function below enumerates all servers visible in the Windows Active Directory domain network; it also checks\r\nif the infected machine is part of a workgroup.\r\nTrickbot also uses the EternalBlue exploitation code. CVE-2017-0144 is a vulnerability that allows remote code\r\nexecution on machines with vulnerable SMB versions.\r\nOther modules from the analyzed trickbot samples — such as systeminfo64.dll, sharedll64.dll, psinf64.dll, and\r\nnetworkdll64.dll — include full system enumeration, LDAP query, and share enumeration, which allows trickbot\r\nto copy itself to other systems and shared folders, and to download further payloads.\r\nWeb Injects\r\nAs stated previously in this blog, Web Injects are not new. However, they are a very powerful crime tool and very\r\ndifficult to detect. Web Injects can bypass most of the current defenses, including 2FA tools. Before Web Injects\r\ncan be executed, there must be a process of exploitation, which can be done via several methods, once the client\r\nhas been infected with trickbot and the Web Inject file is in place. This process is triggered by the victim\r\nbrowsing specific websites which are specified within the Web Inject config file. Then the trickbot proceeds to\r\nexfiltrate data and execute operations on top of the victim’s session to perform fraudulent operations such as\r\ntransferring money from accounts to foreign institutions.\r\nIt is important to understand that in appearance the pages which the victim is visiting look exactly like any other\r\nstandard banking session, but in the background the injected code allows attackers to perform different\r\ntypes of operations. In some cases, for example, the Web Inject code keeps the account balance at its initial\r\namount in the user’s view, even though in the background money has already been transferred to a different\r\naccount, usually to a foreign financial institution in a country where cybersecurity laws are very lax or where there\r\nis even complicity from the destination country’s regime.\r\nInjdll64.dll Web Inject Payload\r\nThis module consists of web injects targeting several banking sites. It creates a named pipe \\.\\pipe\\pidplacesomepipe\r\nwhere “PID” will be changed to the actual target process ID at runtime, which is sometimes four characters (e.g.,\r\n“\\.\\pipe\\1844lacesomepipe”). The payload32.dll (a .dll created during the infection process in this sample) is a\r\npayload that will be decompressed and injected into the browser session through a reflective dll injection\r\ntechnique to do its main task as a banking trojan.\r\nThe following is a snapshot of decrypted trickbot config samples.\r\nAs seen in the researched code, the Web Injects principally target login sites for several financial institutions,\r\ncryptocurrency exchanges and telco service providers. In some instances, the targeted URI indicates the targeting\r\nof balances, transfers and account settings. Such sections usually contain the elements necessary to make deposits,\r\nsend transfers or change account settings, such as authentication or private information from account holders.\r\nDetections\r\nThe Splunk Threat Research Team has developed a Trickbot analytic story to address this threat. This story is\r\ncomposed of the following searches:\r\nThe aforementioned current and new detections should help address this threat, with Trickbot being one of the\r\nmain ransomware carriers. Ongoing campaigns are not only a threat to companies' operations; recent incidents\r\nreveal that ransomware has endangered human life, affected many governments and school organizations and even\r\nmilitary bases.\r\nRansomware is now the top priority in cybersecurity. The Splunk Threat Research Team will continue addressing\r\nransomware variants and sharing their detections with the community. Please download our latest content at\r\nSplunkbase, or check out our GitHub repository.\r\nSource: https://www.splunk.com/en_us/blog/security/detecting-trickbots.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/detecting-trickbots.html"
	],
	"report_names": [
		"detecting-trickbots.html"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438942,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5eac69cc5960cecfd3e3c21e995a7aa873afa008.pdf",
		"text": "https://archive.orkl.eu/5eac69cc5960cecfd3e3c21e995a7aa873afa008.txt",
		"img": "https://archive.orkl.eu/5eac69cc5960cecfd3e3c21e995a7aa873afa008.jpg"
	}
}