Stopping TrickBot and other Banking Trojans


TrickBot is a banking trojan that originally emerged in 2016 and has been a global problem ever since, with its multiple forms and variants. By design, TrickBot is modular in nature, which is largely responsible for its massive success. Even as the security industry made progress in detecting and responding to TrickBot, the attackers easily swapped out the detectable modules, which changed the means of initial compromise, propagation, persistence, encryption, and even objectives without having to create an entirely new trojan. This made TrickBot extremely evasive and persistent in nature.

TrickBot has been seen infecting victims using spam campaigns, phishing emails, and EternalBlue exploits (MS17-010). After a successful breach, users would likely not see any indication of compromise. Instead, TrickBot was designed to stay in the background, silently eavesdropping on all user activity and always prepared to steal credentials, banking and credit card information, personally identifiable information, and cryptocurrency, to mention a few. Upon capturing information of value, TrickBot exfiltrates this data via its extensive Command and Control (C2) infrastructure.

TrickBot may be sitting on a compromised Windows host used to administer backend systems running in an AWS VPC environment. It may also be actively expanding laterally from the initial compromise to additional systems within the environment, using illicit means such as the EternalBlue (MS17-010), EternalRomance, and EternalChampion exploits, as well as legitimate means such as open Server Message Block (SMB) shares.


A user opens a spam email that seems harmless or even legitimate and that includes a malicious Word attachment containing macro code. If the attachment is opened, the macro code executes, causing the system to download TrickBot from an external server and infect the client. Once infected, the compromised client attempts to reach out to Command and Control (C2) nodes for node registration and further instructions.

CTS-AI monitors NTT’s internet backbone to unravel the TrickBot infrastructure and proactively detects infected clients, C2 nodes, and bot masters. It swiftly stops the outbound C2 activity that follows the initial compromise, including attempts to pass through the client’s proxy located in the monitored VPC environment.

Consequences Avoided

Depending on the loaded modules, had TrickBot been fully activated, it would have either attempted to exfiltrate valuable information from the infected client or moved laterally within the client’s VPC environment to further compromise other systems, partners, and even clients.

CTS-AI’s unique advantage comes from NTT’s unparalleled insights into the global threat landscape. These insights are continuously fed into CTS-AI as threat intelligence and proactive coverage. Drawn from monitoring a significant percentage of all internet traffic traversing the globe, these insights unravel the infrastructures used by threat actors, allowing CTS-AI subscribers to effectively manage trojans like TrickBot.