TrickBot¶

1. Open Target Process (OpenProcess)

2. Allocate memory (VirtualAllocEx)

3. Copy function into allocated memory (WriteProcessMemory)

4. Copy shellcode into allocated memory (WriteProcessMemory)

5. Flush cache to commit changes (FlushInstructionCache)

6. Create a remote thread (CreateRemoteThread)

7. Resume the thread or fallback to create a new user thread (ResumeThread or RtlCreateUserThread)

Resources¶

Most recent first:

Trickbot¶

• VB2017: Turning Trickbot: decoding an encrypted command-and-control channel

• Uperesia: How Trickbot tricks its victims

• Flashpoint: With a boost from Necurs, Trickbot expands its targeting to numerous U.S. financial institutions

• MalwareBytes: Trick Bot – Dyreza’s successor

• Sentinel:How TrickBot Malware Hooking Engine Targets Windows 10 Browsers

Dyre(za)¶

• VB2015: Speaking Dyreza protocol. Advantages of ‘learning’ a new language

• Blueliv: Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers

Counter moves¶

TrickBot chained injection and modular payloads as a case study in blending in. Its defensive lesson is behavioural detection on the chain, not signatures on each part. Seen from the other side, this sits in the blue notes on plausibility as cover.