# The TrickBot Evolution

### Joshua Adams, F5 Networks, j.adams2@f5.com

-----

# 1000002 (2016-08-19)

- 38503c00be6b7f7eeb5076c0bd071b4c
- bf621ef7e98047fea8c221e17c1837b8
- 0804499dba4090c439e580f5693660e0
- E4a8dc8fd08d4f65a68d0a40e2190c70

Source: http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html (Fidelis Threat Researcher Jason Reaves)

-----

# 1000002 – Dyre-like config

-----

# 1000002 – Dynamic Injects

-----

# 1000005 (2016-10-28)

- 104923556ace17b4f1e52a50be7a8ea0

Source: https://f5.com/about-us/news/articles/little-trickbot-growing-up-new-campaign-22790 (Julia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman)

-----

# 1000005 – more targets

-----

# 1000005 – modified config

-----

# 1000005 – redirect attacks

-----

# 1000007 (2016-11-23)

- 43cfa53d6d327356f23bc73dc737bfcd

-----

# 1000007 – more targets

-----

# 1000009 (2016-11-30)

- 46ffaa075dd586a6f93a4d26a2431355
- 26992865a2ae96ed48df8ddfc7223a13
- 1c8ea23e2892c4c7155c9f976c6e661d

(Source: Shaul Vilkomir-Preisman)

-----

# 1000009 – new module

-----

# 1000009 – new User Agent

-----

# TrickBot is evolving quickly

- 1000002 (2016-08-19)
- 1000005 (2016-10-28)
- 1000007 (2016-11-23)
- 1000009 (2016-11-30)

-----

# Thank You!