DHS Unit Warns on TrickBot Banking Malware


The Cybersecurity and Infrastructure Security Agency (CISA), a unit of the Department of Homeland Security (DHS), is warning admins and users about TrickBot, a modular banking Trojan that targets users’ financial information and acts as a dropper for other malware.

An attacker can leverage TrickBot’s various modules to steal banking information, conduct system and network reconnaissance, harvest credentials, and achieve network propagation. What’s noteworthy about the Trojan, which is distributed by malicious email campaigns, is the frequency and speed with which its authors release new modules and versions of the malware, seemingly on the fly.

The CISA's warning comes as a white paper detailing TrickBot's inner workings, packaged with a corresponding list of best practices and recommendations for admins and users. The Multi-State Information Sharing and Analysis Center (MS-ISAC), a cyber threat monitoring and mitigation operation for state and local governments funded by DHS, compiled the document.

Here’s a sampling of what's in the white paper:

  • TrickBot email campaigns send unsolicited emails that lure users into opening malware through an attachment. TrickBot is also dropped as a secondary payload by other malware.
  • The malspam campaigns that deliver TrickBot use third-party branding familiar to the recipient, such as invoices from accounting and financial firms. The emails typically include a Microsoft Word or Excel document.
  • TrickBot uses two types of web injects, ‘redirection attacks’ and ‘server side injections’, to steal financial information from online banking sessions to defraud its victims. Redirection attacks send victims to fraudulent banking site replicas when they navigate to certain banking websites.
  • A server side injection intercepts the response from a bank’s server, injects additional client-side code into the webpage, and can steal the victim’s banking credentials through form grabbing.

Here’s some of MS-ISAC’s recommendations and best practices to limit TrickBot:

  • Use antivirus programs on clients and servers, with automatic updates of signatures and software.
  • Disable all macros except those which are digitally signed.
  • Apply appropriate patches and updates immediately after appropriate testing.
  • Implement filters at the email gateway to filter out emails with known malspam indicators.
  • Specify a policy that all suspicious emails should be reported to the security and/or IT departments.
  • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
  • Mark external emails noting it is from an external source.
  • Provide social engineering and phishing training to employees. Don’t open suspicious emails, click on links contained in such emails, post sensitive information online. Never provide usernames, passwords and/or personal information to any unsolicited request.
  • Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to do their job. Limit administrative credentials to designated administrators.
  • If a user opened a malicious email run an antivirus scan on the system and act based on the results to isolate the infected computer.
  • If multiple machines are infected, identify, shutdown, and take the infected machines off the network. Issue password resets for both domain and local credentials.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.