{
	"id": "2b02c9e7-e8c2-463d-be73-e31e1e0de7ea",
	"created_at": "2026-04-06T00:15:38.180816Z",
	"updated_at": "2026-04-10T13:11:46.662198Z",
	"deleted_at": null,
	"sha1_hash": "b210d9f1796b43afed3c91570536c00b55e0f997",
	"title": "Trickbot — a concise treatise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1193549,
	"plain_text": "Trickbot — a concise treatise\r\nBy Vishal Thakur\r\nPublished: 2021-07-13 · Archived: 2026-04-05 23:04:43 UTC\r\nApr 4, 2019\r\nPost-execution scope of impact and threatscape details of a sophisticated malware\r\nFirst Edition, April 2019\r\nVishal Thakur\r\nIf you want to support me, follow me on Patreon: https://www.patreon.com/malienist\r\nIntroduction\r\nSince its initial release, Trickbot has been an advanced, modular malware, built on complex, well-written code and\r\nbacked by continuous improvement and on-going development. The modular structure of the code is the most\r\nimportant part of this malware. Other than giving it a clearly defined and segmented flow, it allows the authors to\r\nadd new modules with new purposes to the existing malware, which they have been doing\r\nregularly throughout the history of the malware. Trickbot is a beautiful piece of code, used for malicious purposes.\r\nTechnical analysis of this malware has been published throughout its existence in the wild and there are some\r\ngood, detailed publications available on the internet that go into great technical detail regarding the inner\r\nworkings of the code and flow of Trickbot. Here’s one of my earlier publications that goes into the flow of\r\nexecution for Trickbot. This should give the audience a pretty good basic idea of how it operates. Another really\r\ngood resource on Trickbot is the research published by hasherezade at MalwareBytes and GitHub.\r\nNOTE: In this edition, we look at some never-before published information about this malware. These a\r\nIn this publication, the focus is on the post-exploitation scenario and also the overall reach and distribution of the\r\npayload itself. 
There are a few things that stand out particularly around the targeting of the external entities and\r\nthe ways it is achieved through some ingenious techniques applied by the authors, mainly in the target list in the\r\nconfig. We’ll also try to break down the targeting strategy by regions, industry etc. This will allow us to\r\nunderstand the bigger impact that this malware can inflict on the victims and the companies/services/businesses\r\nthat are the final true target for the distributors. We also look at gathering threat intelligence based on the IOCs,\r\nfeatures, geo-locations and techniques that are discovered through deep analysis of the final payload.\r\nNOTE: None of the websites, companies or services mentioned in this publication have vulnerabilities\r\nTrickbot Targets, a history of\r\nThe target configs have evolved over time. As Trickbot started gaining ground in the banking malware field back\r\nin 2016, new targets were added to the config regularly. At first, it was mainly focused around banks in different\r\nregions and the MalActors kept expanding that list, adding new banks to the config every month. At one point in\r\ntime, it covered banks in a surprisingly diverse geo-location set. There were banks from America, Europe,\r\nAustralia and Asia (mainly Indian banks like ICICI, HDFC etc) that were included in the configs and being\r\nactively targeted by this malware. At some point later, the MalActors probably came to realise that they would be\r\nbetter off focussing their efforts in the western world, mainly to maximise their profits.\r\nWe saw a great focus from the very start on Australian and NZ banking institutions when it came to the target\r\nconfigs. 
At one time, most of the top-tier and second-tier banks in Australia were being targeted by this malware.\r\nAlso, it’s been reported in the past that the Australian region was one of the first regions to see deployment of this\r\nmalware, when it was first released. A very interesting thing to note is that only one Australian bank still remains\r\nin the target list — CBA (it is also one of the first banks to be targeted originally, when Trickbot first made its\r\nappearance in the wild).\r\nAll major banks of the world have been targets since the beginning and most of them are still there.\r\nChange of direction — Interesting new targets\r\nAs we dive deeper into the inner workings and techniques of this malware, we discover many interesting things\r\nabout the way it has been designed to function as a framework for stealing sensitive information and converting that\r\ndata into a revenue generating process.\r\nApart from the straightforward banking targets, where the MalActors are able to steal money from the victims’\r\naccounts, it is interesting to see that they have started targeting entities that are not banks but hold very important\r\ninformation. Information that can be used to gain access to other entities, can be sold for a substantial dollar\r\nvalue or simply used for profiling victims or extortion.\r\nThese are the non-banking targets that we found to be interesting:\r\nPayroll\r\nThese sites are targeted to gain access to victims’ payroll information. Information such as salary slips (which give\r\nout more than just salary info) and tax-related documents can be obtained from these sites. This info is highly\r\nsensitive and very personal. The MalActors can use this info in many ways. Having knowledge of someone’s\r\npersonal finance can be leveraged in many obvious and not-so-obvious ways. 
For example, this info can then be\r\nused to craft special ransomware to target these individuals and then the ransom amount can be set in\r\naccordance with their ability to pay. We can see that there are three such service providers that are targeted\r\ncurrently:\r\nADP — adp.com\r\nhttps://*runpayroll.adp.com/*\r\nPAYCHEX — paychex.com/\r\nhttps://myapps.paychex.com/*_remote/*\r\nSurePayroll — surepayroll.com\r\nhttps://secure.surepayroll.com/SPF/Login/Auth.aspx\r\nOne of the payroll services targeted\r\nRecords\r\nThis one was a big surprise. These are companies that provide access to records that cover a huge landscape which\r\nincludes, but is not restricted to, legal information, debt-collection, law enforcement related information,\r\nhealthcare, insurance, government, corporates and more. What exactly they are planning to do with this\r\ninformation is anyone’s guess, and not a hard one at that. It looks like they are trying to get into these systems\r\nwithout having to pay for it and then not having to worry about any of it being traced back to them if or when they\r\nend up using this information illegally. Although there’s no direct financial gain by targeting these services, the\r\ninformation extracted by using these services can be very valuable. Again, obvious use-cases that come to mind\r\nare selling this info on the dark web and/or extortion.\r\nThese are the two services that are targeted for records:\r\naccurint.com\r\nlexisnexis.com\r\nFinance\r\nTargets in this category are not that big a surprise and are the closest in nature to the biggest target category,\r\nbanking. These sites include share-trading platforms, money-exchange websites etc. The financial gain the\r\nMalActors are going for seems to be quite straightforward — money. 
If they are successful in getting access to\r\nthe victims’ accounts, they then have the ability to transfer funds out of these accounts.\r\neTrade.com\r\nnetteller.com\r\nfundsxpress.com\r\ndiscover.com\r\nameritrade.com\r\ndesjardins.com\r\nschwab.com\r\nBitexchange\r\nThis one is interesting — it’s a cryptocurrency exchange. Now, the currency itself is not doing as well as it was a\r\nwhile back but the potential money these exchanges hold is quite staggering. There are a lot of people (I’m\r\nlooking at you) that are waiting for the next boom to happen! At this time, we can see one bitexchange in the\r\ntarget list and it is fully functional (no point in targeting Mt. Gox).\r\nbinance.com\r\nBinance — a BitExchange target\r\nFleet Management\r\nThis is another interesting entry — fleetone.com. It’s hard to tell what exactly the MalActors stand to gain from\r\nthis site, other than the obvious information stealing, which can then be used in many different ways. The most\r\nbeneficial and lucrative way to monetise this information is phishing emails sent to users, with some financial\r\nangle, based on the financial activity found on this website.\r\nfleetone.com\r\nHospitality\r\nOne of the targets happens to be a hotel chain with over 6800 hotels globally. It’s hard to tell if the MalActors are\r\ngoing after the saved PI belonging to the users or their loyalty credits. Most probably both, as the PI can be used\r\nin a number of ways to monetise the stolen information and at the same time, loyalty credits can be sold/exchanged\r\nfor financial gain. It is interesting to see they have picked only one hotel chain at this time, as this indicates this\r\ncould be a test run and we could see more hotels added to this list, based on the results of this campaign.\r\nchoicehotels.com\r\neCommerce\r\nThese have been a target for a long time. 
At the time of this publication, there are two eCommerce targets and they\r\nare the biggest players in the game. You guessed it, Amazon and eBay.\r\nTrickbot targets by Industry\r\nBanking still constitutes the biggest part of the target list and for obvious reasons. As noted above though, there\r\nhas been a big shift back to the western banking institutions and Asian banks are completely out of the list.\r\nFinancial services industry targets have grown and have an interesting mix of trading platforms and money\r\nexchange services.\r\nThe most interesting segments are the records services and the payroll services. These can be the most devastating\r\ntargets from the victims’ point of view as they can be used for far more devious purposes than just financial gain.\r\nHere’s a chart that gives us an idea of the target segment sizes by industries:\r\nTargets by industry\r\nTrickbot targets by Geo-location\r\nThe biggest chunk of the targets is located in the US, closely followed by Europe. There are a few Canadian\r\ntargets and the lowest number is Australian. At this time, New Zealand and India have completely dropped off the\r\nlist.\r\nGermany has the highest number of targets in the list in the European region, followed by Austria and Spain.\r\nMost of the non-banking targets are US-based.\r\nTrickbot target banks by country\r\nSince banking still is the largest part of the target scope for Trickbot, it is a good idea to break it down based on\r\nthe country of operation. 
This list is ever-changing but the bulk of these institutions remain in the list for at least a\r\nwhile.\r\nUSA\r\n**see the extended list for wild-card targets\r\nGermany\r\n**see the extended list for wild-card targets\r\nAustria\r\nraiffeisen.at\r\nbankaustria.at\r\nsparkasse.at\r\nCanada\r\nbnc.ca\r\ntangerine.ca\r\nscotiabank.com\r\nUK\r\nlloydsbank.co.uk\r\nrbsdigital.com\r\nulsterbankanytimebanking.co.uk\r\nsecure.halifax-online.co.uk\r\nAustralia\r\ncommbank.com.au\r\nWildcards\r\nWhile analysing the config, one of the first things that leaps out at you is the excessive use of wildcards in the\r\ntarget URIs. The entire config is full of them. There are wild-carded URIs specific to target entities and then there\r\nare more that are non-specific, very general in nature, based purely on substrings. These are the interesting ones.\r\nThe use of wild-carded URIs increases the scope of the targets for this malware, significantly. 
For example, the\r\nentry “/wcmfd/wcmpw/CustomerLogin” returns at least 8 targets at the time of this writing. On the other hand,\r\nthe entry “https://*/uux.aspx” returns a possible target list that stretches to more than a hundred websites, at the\r\ntime of this writing. This is a very important piece of information that needs to be factored in when researching\r\nthe broader targeting of online entities by Trickbot.\r\nIf we keep digging in and adding up the potential targeting including the broader, extended lists of\r\nHere are some examples of Wild-carded URI targeting:\r\n/Authentication/Login*\r\n*/Accounts/AccountOverview.asp*\r\n.com/pub/html/login.html*\r\n*engine/login/businesslogin*\r\n/business/login/Login.jsp*\r\nbanking-business/portal*\r\n*portal/*portal*\r\nhttps://*.de/*/entry*\r\n*ortal?bankid=*\r\nWild-card: /wcmfd/wcmpw/CustomerLogin*\r\n— Extended targets:\r\nWild-card: https://*ptlweb/WebPortal*\r\n— Extended targets:\r\nExtended (wildcards) list of German banks:\r\nWild-card: https://*/uux.aspx\r\n— Extended targets:\r\nThe full list of the targets covered by this wild-card:\r\nExtended list (wildcards) of US banks:\r\nHere are some more interesting wild-carded URIs:\r\n*.com/fi*/bb/*\r\n*.com/fi*/pb/*\r\n*.com/fi*/retail/*\r\n*.com/fnfg/retail/*\r\n*.com/pub/html/login.html*\r\n*/Authentication/Login*\r\n*/Accounts/AccountOverview.asp*\r\n*/EBC_EBC1961/* - targets multiple banks\r\n*/bbw/cmserver/welcome*\r\n*/onlineserv/CM*\r\nThe above targets cover a wide range of banking sites.\r\nThreat Intelligence: The C2 
infrastructure\r\nThe distribution chain for Trickbot is quite straightforward. The initial infection vector is phishing; from there on it\r\nfollows the usual flow of execution, which has been covered in one of my previous publications, available here.\r\nA look at the C2 infrastructure from a threat-intel angle reveals interesting findings. The servers are usually set up\r\nfor multiple paths of delivery, through different URIs. Some of these servers have been used to distribute more\r\nthan one payload and some of them are easy to trace/connect as they have been known to serve binaries that are\r\ncommon to multiple C2 servers. This is interesting and important information from a threat-hunting angle, and can\r\nbe used by threat-intel teams to provide meaningful and effective mitigations/protections for their organisations.\r\nList of URIs serving the binaries from one C2 server\r\nIt is possible to connect the dots and build a useful repository of C2 servers for Trickbot and use it for tracking\r\nfuture campaigns (a task that is currently being executed by the author). Also, this information can be used to see\r\nwhat other malware families share infrastructure and how researchers can use this information to build better\r\nintelligence around these malware families (also currently an active project).\r\nIt is very interesting to see how the infrastructure is used effectively with room for collaboration between\r\nMalActors.\r\nLink between two Trickbot C2 servers can be seen by the shared binary\r\nConclusion\r\nTrickbot has been around for quite some time now. 
It started as a banking malware, targeting banking institutions\r\nto start with and then pivoted into other, similar industries, with the sole purpose of maximising profits. Recently,\r\nthe MalActors have broadened their target base even more, venturing into non-banking institutions and also\r\ntargeting really interesting sectors such as records, legal and bit-exchanges. We also saw a fleet-management\r\ncompany targeted in the latest config.\r\nThe biggest and most effective technique has been the use of wild-carded target URIs — this takes the targeting to\r\nthe next level. As we saw earlier, this technique serves two purposes: the first is to increase the targeting (e.g.\r\nhundreds of banks targeted in one line of config) and the second is to hide the targets from researchers (the\r\nactual names are not included in the list at any point). This is the most efficient, well-thought-out and perfectly\r\nexecuted technique in a financial malware.\r\nWe know that Trickbot is a well-coded, sophisticated and modular malware. Based on that alone, we should\r\nexpect it to keep evolving, moving into different directions (most of the current modules were added gradually\r\nafter the initial release — lateral movement, Outlook-targeting, POS targeting etc). The MalActors behind it will\r\nkeep researching and looking for new sources of revenue, new industries to target and new ways of doing so. We\r\nhaven’t seen the last of it or even the best of it yet. And we’ll keep researching this interesting malware in the\r\nfuture.\r\nSource: https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737"
	],
	"report_names": [
		"trickbot-a-concise-treatise-d7e4cc97f737"
	],
	"threat_actors": [],
	"ts_created_at": 1775434538,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b210d9f1796b43afed3c91570536c00b55e0f997.pdf",
		"text": "https://archive.orkl.eu/b210d9f1796b43afed3c91570536c00b55e0f997.txt",
		"img": "https://archive.orkl.eu/b210d9f1796b43afed3c91570536c00b55e0f997.jpg"
	}
}