Share This:

The history of malware is littered with viruses that were created solely to obtain banking information. One of the best known in recent years has been TrickBot, and lately, it has re-emerged with increased intensity.

Since at least 2016, TrickBot has been trying to extract financial data from unwitting recipients of its malicious cargo. In 2020, it continues to prove its handiwork, and in some ways, the current pandemic has made it more effective. People are anxious, disconnected, and more susceptible to cleverly disguised malware.

The good news is that TrickBot is still is mostly a phishing phenomenon and that users can generally be educated on what to look for, so they don’t download it in the first place.

First of all, however, why is TrickBot so bad, and what is it?

Meet TrickBot….

TrickBot traces its origins to 2016, and uses all sorts of rabbit-from-the-hat tricks – from stealing from Bitcoin wallets to harvesting emails and banking credentials. TrickBot’s developer, however, has made the virus more versatile over the past year so that it now poses threats beyond mere banking havoc and is expanding into ransomware.

TrickBot is something that I have first-hand experience with, so I wanted to share some samples that I have received. As a business owner and writer, I have invoices coming and going, and invoice-related emails are some of the most important ones, after all, who doesn’t want to get paid? MSPs should be aware of the fact that money-related emails can override most internal defenses that people usually put up when they see an email attachment.

Some samples of subject lines in infected emails:

Re: <Williams Writing> annual bonus document ready for review

“Re: payroll notification for Kevin Williams

The one that is most enticing to me – and the hackers have done their homework – are ones like “re: invoice – Kevin Williams.”

Again, who doesn’t want to get paid? I really wanted to download the attachment. In each case, a combination of proper protection and gut instinct kept me from downloading the enticing attachment and experiencing some significant problems. Further, a “post-mortem analysis” of the malware proved its identity as TrickBot.

TrickBot has evolved with the times, and in addition to trying to prey on the desire to get paid, TrickBot is also using COVID anxiety as a cover. For instance, a recent variation is targeting people with messages that purport to come from the U.S. Department of Labor, attempting to trick users into opening a .DOC file, enabling macros, and deploying the TrickBot malware.

TrickBot has also come hidden in some COVID-19 maps which, of course, people are eagerly wanting as the pandemic spreads. Hackers know this and preys upon it. In fact, new data from Microsoft shows that TrickBot has been linked to more COVID-19 related phishing attempts than any other virus.

TrickBot’s tricks

Some of the common things MSPs should know about TrickBot are:

    • It is especially interested in financial and banking data, like passwords, logins, and account numbers.
    • It can connect infected devices to malicious, criminally-controlled networks, giving criminals full control of them
    • It moves quite efficiently laterally, often using SMB shares
    • It is often be a prelude to a ransomware attack.

Ways to mitigate TrickBot

Keep macros off: Many people swear by Macros as an almost indispensable tool but they should remain off at all times because they can be used to execute scripts, allowing attackers to download malware.

Patch and more patching: While there is no silver bullet to snuff out TrickBot, the best way to keep infections at bay is to continuously update and patch Microsoft clients and servers as they become available. Patching the Server Message Block weaknesses exploited by Trickbot to propagate laterally on the network is essential to preventing constant reinfections. Also, patch against EternalBlue, which is often used by TrickBot as a way of spreading.

Disable administrative shares: Admin$, IPC$, and C$ are enabled by default on Windows hosts. Temporarily disabling administrative shares will help to slow the spread and prevent re-infection after a host has been cleaned.

Educate: Make sure users are fully aware of the ruses hackers might use to get them to open a virus-laden email. Users should be advised never to open emails from unknown contacts and to be wary of any messages from seemingly official organizations and institutions.

Change passwords: This is an obvious one but frequent password changing and MFA are small measures that can have an outsize impact on TrickBot and other threats.

The hackers are always getting smarter and researchers expect that TrickBot isn’t going anywhere anytime soon, but by following the aforementioned tactics and strategies, MSPs can stay a step ahead of it.

Be sure to register for this upcoming webinar to learn more about the cybersecurity lessons from the mass transition to remote work.

Photo: Pixels Hunter / Shutterstock

Share This:
Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.


  1. Patching, Patching, Patching…


  2. Great article


  3. Awesome read


  4. Nice article. Straight to the point.


  5. This is why you have to stay on top of patching and everything that is going on. You cannot let your guard down


  6. Interesting article and really drives home the idea of running emails through a good filter before they even get to users. User education is important, but there are options MSP can deploy to help reduce the risk.


  7. It is and will always be my #1 response to this type of issue; user education.


  8. far too many do not pay attention to emails and just open because they “thought” they should. when asked if they were expecting or any other earmarks of legitimacy the user gets indignant and proclaims “how am I supposed to know”, and this is after a sanctioned training program. I guess that for some idiocracy is a better alternative.


Leave a reply

Your email address will not be published. Required fields are marked *