{
	"id": "52fc8558-b9fa-4c28-ab94-6abda2f319d1",
	"created_at": "2026-04-06T00:13:24.596974Z",
	"updated_at": "2026-04-10T13:11:50.988205Z",
	"deleted_at": null,
	"sha1_hash": "abf0240699b66d74865ddc7d96102eec6a111f4f",
	"title": "ESET takes part in global operation to disrupt Trickbot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 489212,
	"plain_text": "ESET takes part in global operation to disrupt Trickbot\r\nBy Jean-Ian Boutin\r\nArchived: 2026-04-05 15:59:01 UTC\r\nESET has collaborated with partners Microsoft, Lumen’s Black Lotus Labs, NTT Ltd. and others in an attempt to\r\ndisrupt Trickbot botnets. ESET contributed to the project by providing technical analysis, statistical information,\r\nand known command and control server domain names and IPs.\r\nTrickbot has infested over a million computing devices around the world since late 2016 and we have been\r\ntracking its activities since the beginning. In 2020 alone, our automatic platform analyzed more than 125,000\r\nmalicious samples and downloaded and decrypted more than 40,000 configuration files used by the different\r\nTrickbot modules, giving us an excellent viewpoint of the different C\u0026C servers used by this botnet.\r\nTrickbot, a long-lasting botnet\r\nTrickbot has been a major nuisance for internet users for a long time. ESET’s first detection for Trickbot was\r\ncreated in late 2016. During these years, Trickbot compromises have been reported in a steady manner, making it\r\none of the largest and longest-lived botnets out there. As reported in our Threat Report Q1 2020, Trickbot is one of\r\nthe most prevalent banking malware families. As seen in Figure 1, ESET telemetry data shows that this malware\r\nstrain represents a threat for internet users globally.\r\nFigure 1. Worldwide Trickbot detections between October 2019 and October 2020\r\nThroughout its existence, Trickbot malware has been distributed in a number of ways. 
Recently, a chain we observed frequently is Trickbot being dropped on systems already compromised by Emotet, another large botnet.\r\nhttps://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/\r\nPage 1 of 13\n\nIn the past, Trickbot malware was leveraged by its operators mostly as a banking trojan, stealing credentials from online bank accounts and trying to perform fraudulent transfers.\r\nTrickbot’s modular architecture allows it to perform a vast array of malicious actions using a variety of plugins. It can steal all kinds of credentials from a compromised computer and, more recently, has been observed mostly as a delivery mechanism for more damaging attacks, such as ransomware.\r\nOne of the oldest plugins developed for the platform allows Trickbot to use web injects, a technique allowing the malware to dynamically change what the user of a compromised system sees when visiting specific websites. To operate, this plugin relies on configuration files downloaded by the main module. These contain information about which websites should be modified and how. 
Figure 2 shows an excerpt of one such decrypted configuration file containing targeted URLs and the malicious C\u0026C URLs the bot should contact upon the victim accessing the targeted URLs.\r\n\u003cdinj\u003e\r\n\u003clm\u003ehttps://\u003ctargeted URL\u003e/retail/*\u003c/lm\u003e\r\n\u003chl\u003ehttps://195.123.241[.]63:446/response.php?s=1595536873511390\u0026id=f93fXZS6rZ70s42y9uVI\u003c/hl\u003e\r\n\u003cpri\u003e100\u003c/pri\u003e\r\n\u003csq\u003e2\u003c/sq\u003e\r\n\u003crequire_header\u003e*text/html*\u003c/require_header\u003e\r\n\u003c/dinj\u003e\r\n\u003cdinj\u003e\r\n\u003clm\u003ehttps://\u003ctargeted URL\u003e/wps/*\u003c/lm\u003e\r\n\u003chl\u003ehttps://195.123.241[.]63:446/response.php?s=1595536873511390\u0026id=IbvDEzyn1zHm5Bqcse2V\u003c/hl\u003e\r\n\u003cpri\u003e100\u003c/pri\u003e\r\n\u003csq\u003e2\u003c/sq\u003e\r\n\u003crequire_header\u003e*text/html*\u003c/require_header\u003e\r\n\u003c/dinj\u003e\r\n\u003cdinj\u003e\r\n\u003clm\u003ehttps://\u003ctargeted URL\u003e/ibank/*\u003c/lm\u003e\r\n\u003chl\u003ehttps://195.123.241[.]63:446/response.php?s=1595536873511390\u0026id=4hXQ3ZPSm9OQIKyMQaYZ\u003c/hl\u003e\r\n\u003cpri\u003e100\u003c/pri\u003e\r\n\u003csq\u003e2\u003c/sq\u003e\r\n\u003crequire_header\u003e*text/html*\u003c/require_header\u003e\r\n\u003c/dinj\u003e\r\nFigure 2. Excerpt of a decrypted dinj configuration file (redacted)\r\nThrough our monitoring of Trickbot campaigns, we collected tens of thousands of different configuration files, allowing us to know which websites were targeted by Trickbot’s operators. Figure 3 shows the number of websites extracted from configuration files in 2020.\r\nFigure 3. Number of targeted websites in 2020\r\nThese targeted URLs mostly belong to financial institutions. 
There is a sharp drop in the number of targets found in these configuration files starting in March. This coincides with the moment when Trickbot operators dropped the webinject module from the list of default plugins downloaded automatically by the main module — this is why we have no data in March; we had to adjust our processes to maintain visibility on the targeted URLs. This drop in number of targets is likely due to the Trickbot gang starting to focus on another means of monetization during that time frame: ransomware.\r\nIn these cases, a Trickbot compromise is first leveraged to perform reconnaissance and lateral movement in an organization’s network and then to drop Ryuk ransomware on as many systems as possible. From the data we have collected, it appears that Trickbot’s operators moved from attempting to steal money from bank accounts, to compromising a whole organization with Trickbot and then using it to execute Ryuk and demand a ransom to unlock the affected systems.\r\nWe also observed new malware development projects allegedly coming from Trickbot’s operators, which might also explain their sudden disinterest in operating Trickbot as a banking trojan. One of these projects is the so-called Anchor project, a platform mostly geared towards espionage rather than crimeware. They are also likely involved in the development of the Bazar malware — a loader and backdoor used to deploy malware, such as ransomware, and to steal sensitive data from compromised systems.\r\nTrickbot deep dive\r\nWhat makes Trickbot so versatile is that its functionalities can be greatly extended with plugins. Throughout our tracking, we were able to collect and analyze 28 different plugins. 
Some are meant to harvest passwords from browsers, email clients and a variety of applications, while others can modify network traffic or self-propagate.\r\nTrickbot plugins are implemented as standard Windows DLLs, usually with at least these four distinctive exports: Start, Control, Release and FreeBuffer.\r\nInterestingly, some have Rich headers while some do not. Rich headers are an undocumented data structure added to all binaries built by Microsoft Visual Studio 97 SP3 or later. They contain information about the development environment where the executable was built. The fact that Rich headers are not always present in plugins — and that when they are present, they show different development environments — leads us to believe that these plugins were written by different developers.\r\nWe did not observe many different samples of the different plugins once they were developed and used in the wild. The ones that changed the most are those containing a static configuration file embedded in the binary. These static configuration files contain, among other things, C\u0026C server information, so it is expected to see these change over time. Figure 4 displays the number of variations we saw for each module we collected through our botnet tracker platform. Most of the newer modules’ variants come in pairs: about half of the collected modules were 32-bit versions, while the other half were the 64-bit versions. In the Appendix you can find a brief description of each of these modules.\r\nFigure 4. 
Variant count for each Trickbot plugin\r\nConfiguration files for everyone\r\nAlthough there are potentially many different downloaded configuration files present in a Trickbot installation, the main module contains an encrypted, hardcoded configuration. This contains a list of C\u0026C servers as well as a default list of plugins that should be downloaded.\r\nAs mentioned earlier, some plugins also rely on configuration files to operate properly. These plugins rely on the main module to download these configuration files from the C\u0026C servers. Plugins achieve this by passing a small module configuration structure, stored in the plugin binary’s overlay section, that lets the main module know what it should download.\r\nBeing able to gather these configuration files allowed us to map the network infrastructure of Trickbot. The main module uses its list of hardcoded C\u0026C servers and connects to one of them to download a second list of C\u0026C servers, the so-called psrv list. The main module contacts this second layer of C\u0026C servers to download the default plugins specified in the hardcoded configuration file. Other modules can be downloaded later upon receiving a command to do so from the Trickbot operators. Some plugins, such as the injectDll plugin, have their own C\u0026C servers, which contain configuration files. Finally, there are dedicated C\u0026C servers for plugins. The most prevalent of them are so-called dpost servers, used to exfiltrate stolen data such as credentials but, as detailed in the Appendix, others exist. All these different layers make the disruption effort more challenging. Figure 5 illustrates this initial communication process.\r\nFigure 5. Trickbot network communication process\r\nWe have been tracking these different C\u0026C servers since early 2017. 
This knowledge was, of course, vital in the disruption effort, since we were able to contribute to mapping the network infrastructure used by the malicious actors.\r\nAnother interesting artifact we were able to gather through crawling this botnet is the unique identifier present in each Trickbot sample, the so-called gtag. This is a string present in the initial hardcoded configuration file identifying different Trickbot campaigns or modes of compromise. For example, the mor campaigns are believed to be Trickbot compromises due to Emotet. gtags can also sometimes indicate the target of a campaign. A good example is uk03-1, which predominantly targeted financial institutions in the United Kingdom.\r\nFigure 6 presents a timeline of all gtags we extracted from Trickbot configuration files from September 2019 to September 2020. Looking at the mor group, we can see the abrupt stop of the Emotet campaigns in April 2020. There are also some groups that are used by specific modules. The tot, jim and lib groups are some of the most continuously seen gtags and are associated with the mshare, nworm/mworm and tab modules respectively, according to a recent Unit42 blogpost. As all of these are used for lateral movement, it is not surprising to see a mostly constant line in their timeline.\r\nFigure 6. gtags group timeline\r\nTrying to disrupt an elusive threat such as Trickbot is very challenging and complex. It has various fallback mechanisms and its interconnection with other highly active cybercriminal actors in the underground makes the overall operation extremely complex. 
We will continue to track this threat and assess the impact that such actions can have on such a sprawling botnet in the long run.\r\nSpecial thanks to Jakub Tomanek, Jozef Dúc, Zoltán Rusnák and Filip Mazán\r\nESET detection names\r\nWin32/TrickBot\r\nWin64/TrickBot\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 7 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Trickbot has used an email with an Excel sheet containing a malicious macro to deploy the malware.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Trickbot has used cmd.exe /c to download and deploy the malware on the user’s machine.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Trickbot has used macros in Excel documents to download and deploy the malware on the user’s machine.\r\nExecution | T1106 | Native API | Trickbot uses the Windows API CreateProcessW to manage execution flow.\r\nExecution | T1204.002 | User Execution: Malicious File | Trickbot has attempted to get users to launch a malicious Excel attachment to deliver its payload.\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | The Trickbot group used obfuscated JavaScript to download the Trickbot loader.\r\nExecution | T1559.001 | Inter-Process Communication: Component Object Model | Trickbot used COM to set up a scheduled task for persistence.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Trickbot establishes persistence in the Startup folder.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Trickbot creates a scheduled task on the system that provides persistence.\r\nPrivilege Escalation | T1055.012 | Process Injection: Process Hollowing | Trickbot injects into the svchost.exe process.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Trickbot decodes its configuration data and modules.\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Trickbot can disable Windows Defender.\r\nDefense Evasion | T1112 | Modify Registry | Trickbot can modify registry entries.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Trickbot uses non-descriptive names to hide functionality and uses an AES-CBC (256 bits) encryption algorithm for its loader and configuration files.\r\nDefense Evasion | T1027.002 | Software Packing | Trickbot leverages a custom packer to obfuscate its functionality.\r\nDefense Evasion | T1553 | Subvert Trust Controls | Trickbot uses signed loaders with stolen valid certificates.\r\nCredential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Trickbot can obtain passwords stored by web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge.\r\nCredential Access | T1056.004 | Input Capture: Credential API Hooking | Trickbot has the ability to capture RDP credentials by hooking the CredEnumerateA API.\r\nCredential Access | T1552.001 | Unsecured Credentials: Credentials In Files | Trickbot can obtain passwords stored by several applications such as Outlook, Filezilla, and WinSCP. Additionally, it searches for the .vnc.lnk suffix to steal VNC credentials.\r\nCredential Access | T1552.002 | Unsecured Credentials: Credentials in Registry | Trickbot can retrieve PuTTY credentials from the Software\\SimonTatham\\Putty\\Sessions registry key.\r\nCredential Access | T1110 | Brute Force | Trickbot uses brute-force attacks against RDP with the rdpscanDll module.\r\nDiscovery | T1087.001 | Account Discovery: Local Account | Trickbot collects the users of the system.\r\nDiscovery | T1087.003 | Account Discovery: Email Account | Trickbot collects email addresses from Outlook.\r\nDiscovery | T1082 | System Information Discovery | Trickbot gathers the OS version, CPU type, and amount of RAM available from the victim’s machine.\r\nDiscovery | T1083 | File and Directory Discovery | Trickbot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plugin information.\r\nDiscovery | T1016 | System Network Configuration Discovery | Trickbot obtains the IP address and other relevant network information from the victim’s machine.\r\nDiscovery | T1007 | System Service Discovery | Trickbot collects a list of installed programs and services on the victim’s machine.\r\nDiscovery | T1135 | Network Share Discovery | The Trickbot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API.\r\nDiscovery | T1057 | Process Discovery | Trickbot uses the networkDll module for process list discovery.\r\nLateral Movement | T1210 | Exploitation of Remote Services | Trickbot utilizes the EternalBlue and EternalRomance exploits for lateral movement in the modules wormwinDll, wormDll, mwormDll, nwormDll and tabDll.\r\nCollection | T1005 | Data from Local System | Trickbot collects local files and information from the victim’s local machine.\r\nCollection | T1185 | Man in the Browser | Trickbot uses web injects and browser redirection to trick victims into providing their login credentials on a fake or modified web page.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Trickbot uses HTTPS to communicate with its C\u0026C servers, to get malware updates, modules that perform most of the malware logic and various configuration files.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Trickbot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C\u0026C traffic.\r\nCommand and Control | T1105 | Ingress Tool Transfer | Trickbot downloads several additional files and saves them to the victim’s machine.\r\nCommand and Control | T1571 | Non-Standard Port | Some Trickbot samples have used HTTP over ports 447 and 8082 for C\u0026C.\r\nCommand and Control | T1219 | Remote Access Software | Trickbot uses the vncDll 
module to remotely control the victim machine.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Trickbot exfiltrates data over the C\u0026C channel using HTTP POST requests.\r\nAppendix\r\nLateral movement modules\r\nshareDll, mshareDll, tshareDll\r\nModules used to propagate the Trickbot loader to network shares connected to the victimized machine.\r\nwormwinDll, wormDll, mwormDll, nwormDll\r\nModules used for spreading inside a local network of compromised machines via SMB, using the EternalBlue exploit.\r\ntabDll\r\nModule used to spread into the network using the EternalRomance exploit.\r\nInfostealers\r\npwgrab\r\nPassword stealer module.\r\nsysteminfo\r\nModule used for gathering information about the victim machine.\r\ndomainDll\r\nModule used for stealing credentials and other data from the Domain Controller via LDAP.\r\nnetworkDll\r\nModule used to collect system information and network topology.\r\noutlookDll\r\nModule used for stealing credentials from Microsoft Outlook.\r\nimportDll\r\nModule used for stealing browser information such as cookies, browser history and configurations.\r\nmailsearcher\r\nModule used to search for files on the victim machine against a list of hardcoded extensions (documents, images, video).\r\ncookiesDll\r\nWeb browser cookie stealer module.\r\nsqulDll\r\nModule used to harvest email addresses from the SQL server and scrape credentials from the afflicted system with the Mimikatz utility.\r\naDll\r\nSteals the Active Directory database.\r\npsfin\r\nModule that queries Active Directory for specific string constants related to Point-of-Sale software.\r\nNetwork abuse\r\ninjectDll\r\nWebinject module.\r\nNewBCtestDll, NewBCtestnDll\r\nModule that acts as a reverse proxy and is able to execute commands.\r\nvncDll\r\nModule used as a RAT on the victim machine.\r\nvpnDll\r\nModule used to create a VPN proxy routed to a given address.\r\nrdpscanDll\r\nModule used for brute forcing RDP on a certain list of targets.\r\nbcClientDllTestTest\r\nAn old module used to proxy Trickbot operator traffic through a victim machine.\r\nshadnewDll\r\nMan-in-the-Browser module. It contains a full implementation of the IcedID main module. It can intercept web traffic on the victim machine.\r\nOther\r\nmexecDll\r\nGeneral purpose “download and execute” module.\r\nModule names | Sub-config | Rich headers\r\nshareDll, mshareDll, tshareDll | | NO\r\nwormwinDll, wormDll, mwormDll, nwormDll | | NO\r\ntabDll | dpost | YES\r\npwgrab | dpost | YES\r\nsysteminfo | | YES\r\ndomainDll | | NO\r\nnetworkDll | dpost | YES\r\noutlookDll | | NO\r\nimportDll | | NO\r\nmailsearcher | mailconf | NO\r\ncookiesDll | dpost | YES\r\nsqulDll | | YES\r\naDll | | YES\r\npsfin | dpost | YES\r\ninjectDll | dinj, sinj, dpost | YES/NO\r\nNewBCtestDll, NewBCtestnDll | bcconfig3 | YES\r\nvncDll | vncconf | YES\r\nvpnDll | vpnsrv | YES\r\nrdpscanDll | srv | YES\r\nbcClientDllTestTest | | YES\r\nshadnewDll | dom | YES\r\nmexecDll | | YES\r\nUseful links:\r\nMicrosoft blog post: https://blogs.microsoft.com/on-the-issues/?p=64132\r\nSource: https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/"
	],
	"report_names": [
		"eset-takes-part-global-operation-disrupt-trickbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abf0240699b66d74865ddc7d96102eec6a111f4f.pdf",
		"text": "https://archive.orkl.eu/abf0240699b66d74865ddc7d96102eec6a111f4f.txt",
		"img": "https://archive.orkl.eu/abf0240699b66d74865ddc7d96102eec6a111f4f.jpg"
	}
}