{
	"id": "a4397748-b882-4429-9334-5b44ecfdab16",
	"created_at": "2026-04-06T00:22:13.557592Z",
	"updated_at": "2026-04-10T03:20:52.922793Z",
	"deleted_at": null,
	"sha1_hash": "b9a856b49ed49d164d5a838d1199cbbe1ab722bb",
	"title": "TrickBot Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137994,
	"plain_text": "TrickBot Malware | CISA\r\nPublished: 2021-05-20 · Archived: 2026-04-05 21:59:15 UTC\r\nSummary\r\nThis Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®)\r\nframework, Version 8. See the ATT\u0026CK for Enterprise for all referenced threat actor tactics and techniques.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have observed\r\ncontinued targeting through spearphishing campaigns using TrickBot malware in North America. A sophisticated group of\r\ncybercrime actors is luring victims, via phishing emails, with a traffic infringement phishing scheme to download TrickBot.\r\nTrickBot—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors.\r\nOriginally designed as a banking Trojan to steal financial data, TrickBot has evolved into highly modular, multi-stage\r\nmalware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.\r\nTo secure against TrickBot, CISA and FBI recommend implementing the mitigation measures described in this Joint\r\nCybersecurity Advisory, which include blocking suspicious Internet Protocol addresses, using antivirus software, and\r\nproviding social engineering and phishing training to employees.\r\nTechnical Details\r\nTrickBot is an advanced Trojan that malicious actors spread primarily by spearphishing campaigns using tailored emails that\r\ncontain malicious attachments or links, which—if enabled—execute malware (Phishing: Spearphishing Attachment\r\n[T1566.001], Phishing: Spearphishing Link [T1566.002]). CISA and FBI are aware of recent attacks that use phishing\r\nemails, claiming to contain proof of a traffic violation, to steal sensitive information. 
The phishing emails contain links that\r\nredirect to a website hosted on a compromised server that prompts the victim to click on photo proof of their traffic\r\nviolation (User Execution: Malicious Link [T1204.001], User Execution: Malicious File [T1204.002]). In clicking the\r\nphoto, the victim unknowingly downloads a malicious JavaScript file that, when opened, automatically communicates with\r\nthe malicious actor’s command and control (C2) server to download TrickBot to the victim’s system (Command and\r\nScripting Interpreter: JavaScript [T1059.007]).\r\nAttackers can use TrickBot to:\r\nDrop other malware, such as Ryuk and Conti ransomware, or\r\nServe as an Emotet downloader (Ingress Tool Transfer [T1105]).[1]\r\nTrickBot uses person-in-the-browser attacks to steal information, such as login credentials (Man in the Browser [T1185]).\r\nAdditionally, some of TrickBot’s modules spread the malware laterally across a network by abusing the Server Message\r\nBlock (SMB) Protocol. 
TrickBot operators have a toolset capable of spanning the entirety of the MITRE ATT\u0026CK\r\nframework, from actively or passively gathering information that can be used to support targeting (Reconnaissance [TA0043]),\r\nto trying to manipulate, interrupt, or destroy systems and data (Impact [TA0040]).\r\nTrickBot is capable of data exfiltration over a hardcoded C2 server, cryptomining, and host enumeration (e.g.,\r\nreconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System [UEFI/BIOS] firmware)\r\n(Exfiltration Over C2 Channel [T1041], Resource Hijacking [T1496], System Information Discovery).[2] For host\r\nenumeration, operators deliver TrickBot in modules containing a configuration file with specific tasks.\r\nhttps://us-cert.gov/ncas/alerts/aa21-076a\r\nPage 1 of 8\r\nFigure 1 lays out TrickBot’s use of enterprise techniques.\r\nFigure 1: MITRE ATT\u0026CK enterprise techniques used by TrickBot\r\nMITRE ATT\u0026CK Techniques\r\nAccording to MITRE, TrickBot [S0266] uses the ATT\u0026CK techniques listed in table 1.\r\nTable 1: TrickBot ATT\u0026CK techniques for enterprise\r\n
Initial Access [TA0001]\r\nTechnique Title | ID | Use\r\nPhishing: Spearphishing Attachment | T1566.001 | TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.\r\nPhishing: Spearphishing Link | T1566.002 | TrickBot has been delivered via malicious links in phishing emails.\r\n
Execution [TA0002]\r\nTechnique Title | ID | Use\r\nScheduled Task/Job: Scheduled Task | T1053.005 | TrickBot creates a scheduled task on the system that provides persistence.\r\nCommand and Scripting Interpreter: Windows Command Shell | T1059.003 | TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.\r\nCommand and Scripting Interpreter: JavaScript/JScript | T1059.007 | TrickBot victims unknowingly download a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s C2 server to download TrickBot to the victim’s system.\r\nNative API | T1106 | TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow.\r\nUser Execution: Malicious Link | T1204.001 | TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link.\r\nUser Execution: Malicious File | T1204.002 | TrickBot has attempted to get users to launch malicious documents to deliver its payload.\r\n
Persistence [TA0003]\r\nTechnique Title | ID | Use\r\nScheduled Task/Job: Scheduled Task | T1053.005 | TrickBot creates a scheduled task on the system that provides persistence.\r\nCreate or Modify System Process: Windows Service | T1543.003 | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.\r\n
Privilege Escalation [TA0004]\r\nTechnique Title | ID | Use\r\nScheduled Task/Job: Scheduled Task | T1053.005 | TrickBot creates a scheduled task on the system that provides persistence.\r\nProcess Injection: Process Hollowing | T1055.012 | TrickBot injects into the svchost.exe process.\r\nCreate or Modify System Process: Windows Service | T1543.003 | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.\r\n
Defense Evasion [TA0005]\r\nTechnique Title | ID | Use\r\nObfuscated Files or Information | T1027 | TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.\r\nObfuscated Files or Information: Software Packing | T1027.002 | TrickBot leverages a custom packer to obfuscate its functionality.\r\nMasquerading | T1036 | The TrickBot downloader has used an icon to appear as a Microsoft Word document.\r\nProcess Injection: Process Hollowing | T1055.012 | TrickBot injects into the svchost.exe process.\r\nModify Registry | T1112 | TrickBot can modify registry entries.\r\nDeobfuscate/Decode Files or Information | T1140 | TrickBot decodes the configuration data and modules.\r\nSubvert Trust Controls: Code Signing | T1553.002 | TrickBot has come with a signed downloader component.\r\nImpair Defenses: Disable or Modify Tools | T1562.001 | TrickBot can disable Windows Defender.\r\n
Credential Access [TA0006]\r\nTechnique Title | ID | Use\r\nInput Capture: Credential API Hooking | T1056.004 | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.\r\nUnsecured Credentials: Credentials in Files | T1552.001 | TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials.\r\nUnsecured Credentials: Credentials in Registry | T1552.002 | TrickBot has retrieved PuTTY credentials by querying the Software\\SimonTatham\\Putty\\Sessions registry key.\r\nCredentials from Password Stores | T1555 | TrickBot can steal passwords from the KeePass open-source password manager.\r\nCredentials from Password Stores: Credentials from Web Browsers | T1555.003 | TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.\r\n
Discovery [TA0007]\r\nTechnique Title | ID | Use\r\nSystem Service Discovery | T1007 | TrickBot collects a list of installed programs and services on the system’s machine.\r\nSystem Network Configuration Discovery | T1016 | TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.\r\nRemote System Discovery | T1018 | TrickBot can enumerate computers and network devices.\r\nSystem Owner/User Discovery | T1033 | TrickBot can identify the user and groups the user belongs to on a compromised host.\r\nPermission Groups Discovery | T1069 | TrickBot can identify the groups the user on a compromised host belongs to.\r\nSystem Information Discovery | T1082 | TrickBot gathers the OS version, machine name, CPU type, and amount of RAM available from the victim’s machine.\r\nFile and Directory Discovery | T1083 | TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.\r\nAccount Discovery: Local Account | T1087.001 | TrickBot collects the users of the system.\r\nAccount Discovery: Email Account | T1087.003 | TrickBot collects email addresses from Outlook.\r\nDomain Trust Discovery | T1482 | TrickBot can gather information about domain trusts by utilizing Nltest.\r\n
Lateral Movement [TA0008]\r\nTechnique Title | ID | Use\r\nLateral Tool Transfer | T1570 | Some TrickBot modules spread the malware laterally across a network by abusing the SMB Protocol.\r\n
Collection [TA0009]\r\nTechnique Title | ID | Use\r\nData from Local System | T1005 | TrickBot collects local files and information from the victim’s local machine.\r\nInput Capture: Credential API Hooking | T1056.004 | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.\r\nPerson in the Browser | T1185 | TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage.\r\n
Command and Control [TA0011]\r\nTechnique Title | ID | Use\r\nFallback Channels | T1008 | TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers.\r\nApplication Layer Protocol: Web Protocols | T1071.001 | TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic, and various configuration files.\r\nIngress Tool Transfer | T1105 | TrickBot downloads several additional files and saves them to the victim's machine.\r\nData Encoding: Standard Encoding | T1132.001 | TrickBot can Base64-encode C2 commands.\r\nNon-Standard Port | T1571 | Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.\r\nEncrypted Channel: Symmetric Cryptography | T1573.001 | TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.\r\n
Exfiltration [TA0010]\r\nTechnique Title | ID | Use\r\nExfiltration Over C2 Channel | T1041 | TrickBot can send information about the compromised host to a hardcoded C2 server.\r\n
Impact [TA0040]\r\nTechnique Title | ID | Use\r\nResource Hijacking | T1496 | TrickBot actors can leverage the resources of co-opted systems for cryptomining to validate transactions of cryptocurrency networks and earn virtual currency.\r\n
Detection\r\nSignatures\r\nCISA developed the following Snort signatures for use in detecting network activity associated with TrickBot.\r\nalert tcp any [443,447] -\u003e any any (msg:\"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'example.com' (Hex)\";\r\nsid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:\"|0b|example.com\"; fast_pattern:only;\r\ncontent:\"Global Security\"; content:\"IT Department\";\r\npcre:\"/(?:\\x09\\x00\\xc0\\xb9\\x3b\\x93\\x72\\xa3\\xf6\\xd2|\\x00\\xe2\\x08\\xff\\xfb\\x7b\\x53\\x76\\x3d)/\"; classtype:bad-unknown;\r\nmetadata:service ssl,service and-ports;)\r\nalert tcp any any -\u003e any $HTTP_PORTS 
(msg:\"TRICKBOT_ANCHOR:HTTP URI GET contains '/anchor'\"; sid:1; rev:1;\r\nflow:established,to_server; content:\"/anchor\"; http_uri; fast_pattern:only; content:\"GET\"; nocase; http_method;\r\npcre:\"/^\\/anchor_?.{3}\\/[\\w_-]+\\.[A-F0-9]+\\/?$/U\"; classtype:bad-unknown; priority:1; metadata:service http;)\r\nalert tcp any $SSL_PORTS -\u003e any any (msg:\"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'C=XX, L=Default\r\nCity, O=Default Company Ltd'\"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:\"|31 0b 30 09 06\r\n03 55 04 06 13 02|XX\"; nocase; content:\"|31 15 30 13 06 03 55 04 07 13 0c|Default City\"; nocase; content:\"|31 1c 30 1a 06\r\n03 55 04 0a 13 13|Default Company Ltd\"; nocase; content:!\"|31 0c 30 0a 06 03 55 04 03|\"; classtype:bad-unknown;\r\nreference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection;\r\nmetadata:service ssl;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"TRICKBOT:HTTP Client Header contains 'boundary=Arasfjasu7'\"; sid:1;\r\nrev:1; flow:established,to_server; content:\"boundary=Arasfjasu7|0d 0a|\"; http_header; content:\"name=|22|proclist|22|\";\r\nhttp_header; content:!\"Referer\"; content:!\"Accept\"; content:\"POST\"; http_method; classtype:bad-unknown;\r\nmetadata:service http;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"TRICKBOT:HTTP Client Header contains 'User-Agent|3a 20|WinHTTP\r\nloader/1.'\"; sid:1; rev:1; flow:established,to_server; content:\"User-Agent|3a 20|WinHTTP loader/1.\"; http_header;\r\nfast_pattern:only; content:\".png|20|HTTP/1.\"; pcre:\"/^Host\\x3a\\x20(?:\\d{1,3}\\.){3}\\d{1,3}(?:\\x3a\\d{2,5})?$/mH\";\r\ncontent:!\"Accept\"; http_header; content:!\"Referer|3a 20|\"; http_header; classtype:bad-unknown; metadata:service http;)\r\nalert tcp any $HTTP_PORTS -\u003e any any (msg:\"TRICKBOT:HTTP Server Header contains 'Server|3a 20|Cowboy'\"; sid:1;\r\nrev:1; flow:established,from_server; 
content:\"200\"; http_stat_code; content:\"Server|3a 20|Cowboy|0d 0a|\"; http_header;\r\nfast_pattern; content:\"content-length|3a 20|3|0d 0a|\"; http_header; file_data; content:\"/1/\"; depth:3; isdataat:!1,relative;\r\nclasstype:bad-unknown; metadata:service http;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"TRICKBOT:HTTP URI POST contains C2 Exfil\"; sid:1; rev:1;\r\nflow:established,to_server; content:\"Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary\"; http_header;\r\nfast_pattern; content:\"User-Agent|3a 20|\"; http_header; distance:0; content:\"Content-Length|3a 20|\"; http_header; distance:0;\r\ncontent:\"POST\"; http_method; pcre:\"/^\\/[a-z]{3}\\d{3}\\/.+?\\.[A-F0-9]{32}\\/\\d{1,3}\\//U\"; pcre:\"/^Host\\x3a\\x20(?:\\d{1,3}\\.)\r\n{3}\\d{1,3}$/mH\"; content:!\"Referer|3a|\"; http_header; classtype:bad-unknown; metadata:service http;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"HTTP URI GET/POST contains '/56evcxv' (Trickbot)\"; sid:1; rev:1;\r\nflow:established,to_server; content:\"/56evcxv\"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)\r\nalert icmp any any -\u003e any any (msg:\"TRICKBOT_ICMP_ANCHOR:ICMP traffic contains 'hanc'\"; sid:1; rev:1; itype:8;\r\ncontent:\"hanc\"; offset:4; fast_pattern; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"HTTP Client Header contains POST with 'host|3a 20|*.onion.link' and\r\n'data=' (Trickbot/Princess Ransomware)\"; sid:1; rev:1; flow:established,to_server; content:\"POST\"; nocase; http_method;\r\ncontent:\"host|3a 20|\"; http_header; content:\".onion.link\"; nocase; http_header; distance:0; within:47; fast_pattern; file_data;\r\ncontent:\"data=\"; distance:0; within:5; classtype:bad-unknown; metadata:service http;)\r\nalert tcp any any -\u003e any $HTTP_PORTS (msg:\"HTTP Client Header contains 'host|3a 20|tpsci.com' (trickbot)\"; sid:1; 
rev:1;\r\nflow:established,to_server; content:\"host|3a 20|tpsci.com\"; http_header; fast_pattern:only; classtype:bad-unknown;\r\nmetadata:service http;)\r\nMitigations\r\nCISA and FBI recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private\r\nsector—consider applying the following best practices to strengthen the security posture of their organization's systems.\r\nSystem owners and administrators should review any configuration changes prior to implementation to avoid negative\r\nimpacts.\r\nProvide social engineering and phishing training to employees.\r\nConsider drafting or updating a policy addressing suspicious emails that specifies users must report all suspicious\r\nemails to the security and/or IT departments.\r\nMark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed\r\nemails.\r\nImplement Group Policy Object and firewall rules.\r\nImplement an antivirus program and a formalized patch management process.\r\nImplement filters at the email gateway and block suspicious IP addresses at the firewall.\r\nAdhere to the principle of least privilege.\r\nImplement a Domain-Based Message Authentication, Reporting \u0026 Conformance (DMARC) validation system.\r\nSegment and segregate networks and functions.\r\nLimit unnecessary lateral communications between network hosts, segments, and devices.\r\nConsider using application allowlisting technology on all assets to ensure that only authorized software executes, and\r\nall unauthorized software is blocked from executing on assets. 
Ensure that such technology only allows authorized,\r\ndigitally signed scripts to run on a system.\r\nEnforce multi-factor authentication.\r\nEnable a firewall on agency workstations configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nImplement an Intrusion Detection System, if not already used, to detect C2 activity and other potentially malicious\r\nnetwork activity.\r\nMonitor web traffic. Restrict user access to suspicious or risky sites.\r\nMaintain situational awareness of the latest threats and implement appropriate access control lists.\r\nDisable the use of SMBv1 across the network and require at least SMBv2 to harden systems against network\r\npropagation modules used by TrickBot.\r\nVisit the MITRE ATT\u0026CK Techniques pages (linked in table 1 above) for additional mitigation and detection\r\nstrategies.\r\nSee CISA’s Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information\r\non addressing potential incidents and applying best practice incident response procedures.\r\nFor additional information on malware incident prevention and handling, see the National Institute of Standards and\r\nTechnology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.\r\nResources\r\nCISA Fact Sheet: TrickBot Malware\r\nMS-ISAC White Paper: Security Primer – TrickBot\r\nUnited Kingdom National Cyber Security Centre Advisory: Ryuk Ransomware Targeting Organisations Globally\r\nCISA and MS-ISAC Joint Alert AA20-280A: Emotet Malware\r\nMITRE ATT\u0026CK for Enterprise\r\nReferences\r\n[1] FireEye Blog - A Nasty Trick: From Credential Theft Malware to Business Disruption\r\n[2] Eclypsium Blog - TrickBot Now Offers 'TrickBoot': Persist, Brick, Profit\r\nRevisions\r\nMarch 17, 2021: Initial Version\r\nMarch 24, 2021: Added MITRE ATT\u0026CK Technique T1592.003 used for reconnaissance\r\nMay 20, 2021: Added new MITRE ATT\u0026CK techniques and updated Table 1\r\nSource: https://us-cert.gov/ncas/alerts/aa21-076a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://us-cert.gov/ncas/alerts/aa21-076a"
	],
	"report_names": [
		"aa21-076a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434933,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9a856b49ed49d164d5a838d1199cbbe1ab722bb.pdf",
		"text": "https://archive.orkl.eu/b9a856b49ed49d164d5a838d1199cbbe1ab722bb.txt",
		"img": "https://archive.orkl.eu/b9a856b49ed49d164d5a838d1199cbbe1ab722bb.jpg"
	}
}