TrickBot

1. Open Target Process (OpenProcess)

2. Allocate memory (VirtualAllocEx)

3. Copy function into allocated memory (WriteProcessMemory)

4. Copy shellcode into allocated memory (WriteProcessMemory)

5. Flush cache to commit changes (FlushInstructionCache)

6. Create a remote thread (CreateRemoteThread)

7. Resume the thread or fallback to create a new user thread (ResumeThread or RtlCreateUserThread)

Resources

Most recent first:

Trickbot

• VB2017: Turning Trickbot: decoding an encrypted command-and-control channel

• Uperesia: How Trickbot tricks its victims

• Flashpoint: With a boost from Necurs, Trickbot expands its targeting to numerous U.S. financial institutions

• MalwareBytes: Trick Bot – Dyreza’s successor

• Sentinel:How TrickBot Malware Hooking Engine Targets Windows 10 Browsers

Dyre(za)

• VB2015: Speaking Dyreza protocol. Advantages of ‘learning’ a new language

• Blueliv: Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers