Trickbot was discovered by researchers in 2016, and at that time, was a relatively straightforward banking Trojan. It mainly attempted to steal sensitive data, including usernames and passwords, bank account information, and sometimes cryptocurrency.

Since then, its developers have expanded its range of capabilities through multiple iterations, despite repeated attacks from cybersecurity specialists to destroy its infrastructure. Trickbot is now considered a complex and modular malware ecosystem that adapts to nearly any environment in which it is deployed.

How Trickbot works

TrickBot is built from an array of modules and a configuration file. Each individual module has a particular function, and any one instance of Trickbot may include modules designed to gain entry to systems, ensure persistence, speed propagation, commit credential theft, encrypt data, and more.

In a way similar to other malware Trojans, such as Emotet, Trickbot frequently infects a system via embedded URLs or infected mail attachments sent as part of malspam or phishing campaigns. Once it gains a foothold on a system, moreover, Trickbot can then spread laterally within networks by exploiting several widely known NSA exploits, including EternalBlue, EternalRomance, and EternalChampion.

History of TrickBot


TrickBot was discovered by security researchers in October of 2016, at which point it appeared to be a straightforward banking stealer. Since then, it has been improved by its developers multiple times.

In 2017, Trickbot began to appear with a new worm module that harvested Outlook mail credentials. At this point, the range of data that TrickBot harvested also included cookies, browsing history, and other sensitive data.

In 2018, moreover, an additional module was added to Trickbot which disabled Windows Defender’s real-time monitoring using a PowerShell command.

Most recently, in early 2020, researchers noted that TrickBot’s ability to evade detection had been improved with a new worm module called Nworm. This module altered TrickBot’s HTTP traffic, and allowed it to run from system memory after infecting a domain controller, ensuring it left no traces of infection.

At this point, TrickBot was considered a significant threat to worldwide cybersecurity, and in September of 2020, the Cyber Command branch of the US Department of Defense (along with a coalition of security companies) launched a series of attacks aimed at disrupting Trickbot’s activity. While there were significant short-term disruptions, this botnet quickly recovered, and its infrastructure remained largely intact.

However, these attacks were soon followed up by further attacks led by Microsoft’s Digital Crimes Unit which primarily targeted TrickBot’s command and control servers, and proved much more effective. Although Microsoft reported in late October 2020 that 120 out of the 128 servers that comprised TrickBot’s network had been completely shut down, some TrickBot servers have remained active in Brazil, Indonesia, Colombia, and Kyrgyzstan.

Despite ongoing efforts, TrickBot’s unique architecture has maintained it as a credible threat, and as recently as April 2021, IBM researchers have reported that improved TrickBot specimens have appeared with new mutex naming algorithms, and updated persistence modules.

Autonomous Response to critical malware alerts

VMRay + Palo Alto Networks       JOINT WEBINAR