Hackers are getting more creative in designing malware to make it more powerful, more dangerous, and more effective. Malware that steals passwords or logs your keyboard activity now seems elementary. You need to be on the level of ransomware or a crypto-miner to stand out in this competitive industry.
Because of this trend, malware families just keep getting more aggressive and complicated as time goes by. One perfect example is the TrickBot malware. This malware was designed to compromise emails and has been around for quite some time. In fact, the TrickBot malware has compromised 250 million email accounts so far.
The TrickBot malware has been around since 2016. But instead of dwindling down or disappearing, the malware remained strong and has evolved over the years. It is even considered one of the top threats targeting businesses today. The recent years have seen the malware evolve and add new functionality that makes it a lot scarier than it used to be.
What Can the TrickBot Malware Do?
TrickBot was originally a banking Trojan, just like the Emotet malware. It is designed to steal banking and other financial information from the infected computer. It is usually spread through spear-phishing emails sent to unsuspecting staff of organizations or companies. For example, it could disguise itself as a fake resume sent by an applicant to the human resources staff or a bogus invoice sent to the accounting department. The TrickBot malware hides inside the infected Microsoft Word or Excel file attached to the email.
Once the malware gets in, it can easily spread through the organization in a number of ways. The easiest way is by exploiting vulnerabilities in Server Message Block (SMB), the file-sharing protocol used by companies that allows Windows users on the same network to share and access files easily.
According to security experts at DeepInstinct, TrickBot has evolved into a “robust, elaborate and sophisticated threat, multi-purposed for various types of malicious activity.” They discovered a variant of the TrickBot malware, called TrickBooster, a malicious email-based distribution module that harvests emails and contacts from the infected computer’s address book and email accounts. The malware then sends out spam emails from the user’s email account and deletes the sent messages to avoid detection. This is how the malware propagates quickly and harvests email accounts for monetization purposes.
In summary, the TrickBot malware works in four stages:
- The victim’s computer gets infected with TrickBot and receives instruction from the TrickBot control server to download TrickBooster.
- The downloaded TrickBooster then reports back to the control server and sends out lists of harvested email addresses and login credentials from the infected computer.
- The TrickBooster control server then instructs the malware bot to send out malicious emails from the victim’s email accounts.
- The TrickBooster bot sends out spam emails to spread the malware further.
According to DeepInstinct’s investigation, the TrickBot malware’s database contained about 250 million email addresses that had been recently harvested. Of the 250 million email addresses, 25 million came from Gmail, 21 million from Yahoo!, 11 million from Hotmail, and 10 million from AOL and MSN. The rest of the entries came from email domains owned by companies and government agencies. There were even email addresses harvested from the US Department of Justice, Homeland Security, IRS, NASA, and ATF.
How to Protect Your Computer Against TrickBot
Prevention is better than cure, and this concept perfectly applies to the TrickBot malware. You see, this malware is very sneaky and can be very difficult to detect. Since it deletes the messages it sends, you won’t notice anything unless someone the spam email was sent to notifies you about it. In this case, being vigilant is the best form of protection against this tricky malware.
Here are some tips to prevent TrickBot from infecting your computer and protect your data:
- Install all available Windows updates. Microsoft releases the latest security patches through Windows Update so make sure to install them when available. You can also manually check Windows Update by going to Settings > Update & Security > Windows Update. Click the Check for Updates button to see if there are new updates that need to be installed.
- Update your antivirus software, including those from computers connected to the same network.
- Be wary when opening emails, especially those with attachments. Phishing emails are the number one mode of distribution for the TrickBot malware, so pay close attention to unusual emails that you receive. If you get an email from a domain outside of your company network and the topic of the email is work-related, research the domain first to verify that the email is legitimate. It can be very difficult to determine the authenticity of an email, since the malware usually imitates real businesses to trick users into opening the attachment.
- Don’t give out your login credentials. Some TrickBot attackers target PayPal users and trick them into giving out their login information. If you click a link and you are asked to sign in, whether it’s PayPal, email, or other accounts, close the browser immediately.
How to Remove the TrickBot Malware
As mentioned earlier, TrickBot is very tricky to deal with. It is one of the biggest cyber threats today and getting rid of it requires a lot of effort and attention. This type of Trojan knows how to hide well, so you need to be thorough when eliminating this malware. It usually hides the malicious files deep inside the system, making it hard to detect and remove.
If you suspect your computer is infected with the TrickBot malware, follow the guide below on how to manually delete it and make sure it doesn’t come back.
Step 1: Boot into Safe Mode.
Booting into Safe Mode disables all unnecessary third-party processes, so you can more easily distinguish the suspicious processes running on your computer. To boot into Safe Mode, follow the steps below:
- Click Start, then click the power button icon at the bottom left corner of the menu. This would reveal the power options menu.
- Hold down the Shift button on your keyboard, then click Restart.
- Your computer will then restart and go into Safe Mode.
Step 2: Uninstall Suspicious Programs.
Most malware installs other malicious software on your computer. In the case of TrickBot, it downloads and installs the TrickBooster to harvest email addresses and contact information on the infected computer. You need to check which programs installed on your computer are legitimate and which are suspicious.
To uninstall suspicious apps from your computer, do the following:
- Open Run by pressing the Windows + R buttons together.
- Type appwiz.cpl into the dialog box, then click OK. This opens the Programs and Features list of the Control Panel.
- Look for programs that you did not install, then uninstall them.
Step 3: Disable Suspicious Startup Entries.
TrickBot, just like other malware, is designed to run when the system loads. You need to check your startup items to discover if there are unfamiliar processes being loaded during startup.
To do this:
- Open Run by pressing the Windows + R buttons together.
- Type msconfig into the dialog box, then hit Enter. This should open the Services window.
- Click on the Startup tab.
- Look for entries with Unknown under the Manufacturer category and uncheck them.
Step 4: Kill Suspicious Processes.
Aside from disabling suspicious startup entries and uninstalling bogus programs, it is also important to check which processes running on your computer are malware. You need to kill these processes immediately and delete the directories where their files are hidden. To do this:
- Press Ctrl + Shift + Esc to open Task Manager.
- Click on the Processes tab.
- Determine which processes are malware entities by Googling them.
- Right-click on the suspicious process, then choose Open File Location. This opens the directory where the process’s files are located.
- Go back to Task Manager, right-click on the suspicious process again and click End Process.
- Go back to the open folder and delete all files.
Step 5: Scan Your Computer Using Anti-Malware.
To get rid of TrickBot, it is advisable to use updated anti-malware software to scan your computer and its directories. Once detected, follow the instructions to completely get rid of the TrickBot malware.
Step 6: Delete Left-Over Files.
One of the reasons why TrickBot is hard to remove is that it hides its files really well. You need to make sure that all files associated with the malware have been deleted to prevent it from coming back. These files often conceal themselves in directories with seemingly random names. You can search these folders to see if there are any TrickBot left-over files lurking there:
- %AppData% folders, especially the Roaming folder
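A read-only PowerShell triage script, added here as an example and not taken from the article, that gathers in one place what Steps 3, 4 and 6 tell you to inspect by hand: startup commands, running processes that are unsigned or run from a user-writable folder, and recently created folders under %AppData%. It assumes an elevated PowerShell session on the suspect Windows machine and removes nothing; review its output before ending any process or deleting any folder.

```powershell
# Added triage script (not from the original article). Read-only: it lists what Steps 3, 4
# and 6 tell you to inspect by hand, so everything can be reviewed before anything is removed.
# Assumption: run in an elevated PowerShell session on the suspect Windows machine.

# Step 3 - startup entries from the Run/RunOnce registry keys and the Startup folders.
Write-Host "== Startup entries =="
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize

# Step 4 - running processes whose image is unsigned or lives in a user-writable folder
# (%AppData%, %LocalAppData%, %Temp%, %ProgramData%), the places the article says TrickBot hides.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) | Where-Object { $_ }
$flagged = foreach ($p in (Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path })) {
    $sig = Get-AuthenticodeSignature -FilePath $p.Path
    $inUserDir = $false
    foreach ($dir in $userWritable) {
        if ($p.Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
    }
    if ($sig.Status -ne 'Valid' -or $inUserDir) {
        [pscustomobject]@{
            Name            = $p.ProcessName
            Id              = $p.Id
            Path            = $p.Path
            Signature       = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            UserWritableDir = $inUserDir
        }
    }
}
Write-Host "== Processes worth a second look (unsigned or running from a user-writable folder) =="
$flagged | Sort-Object Path | Format-Table -AutoSize

# Step 6 - folders under %AppData% (Roaming and Local) created in the last 30 days; a folder
# with a random-looking name and a recent creation time is a candidate for the left-over file check.
Write-Host "== Recently created %AppData% folders =="
Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) } |
    Select-Object FullName, CreationTime, LastWriteTime |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

An unsigned image or a user-writable path is a reason to look closer, not proof of infection; legitimate updaters and portable tools also run from %AppData%, so confirm each flagged item as Step 4 describes before ending it.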