TrickBot is one of the most dangerous banking Trojans of the last decade. It spreads through phishing emails, malicious attachments, and software exploits, penetrating both home PCs and corporate networks. Its modular structure makes it particularly flexible: separate modules are responsible for stealing passwords, accessing online banking, spreading within the local network, and delivering other malicious programs. This article covers the main distribution methods, signs of infection, the risks for users and companies, and cybersecurity tips that will help you detect and block the Trojan in time.
TrickBot (or “TrickLoader”) is a notorious banking Trojan that attacks both businesses and consumers to obtain their data, such as banking information, credentials, personally identifiable information (PII), and even Bitcoin. As a highly modular malware, it can adapt to any environment or network it finds itself in.
The many tricks this Trojan has pulled since its discovery in 2016 are due to the creativity and ingenuity of its developers. In addition to stealing, TrickBot has gained the ability to laterally infiltrate and establish itself in an affected network using exploits, spread its copies via Server Message Block (SMB) shares, distribute other malware, such as the Ryuk ransomware, and search for documents and media files on infected computers.
Like Emotet, TrickBot reaches affected systems as embedded URLs or infected attachments in malicious spam campaigns (malspam).
Once launched, TrickBot spreads laterally across the network by exploiting an SMB vulnerability using one of three widely known NSA exploits: EternalBlue, EternalRomance, or EternalChampion.
Emotet can also drop TrickBot as part of a secondary infection.
TrickBot started out as a bank credential stealer, but there was nothing simple about it — even from the start.
When Malwarebytes researchers first discovered TrickBot in 2016, it already had attributes not typically seen in “simple” credential stealers. It initially targeted financial services and users to obtain banking information. It also distributes other malware.
TrickBot is reputed to be the successor to Dyreza, another credential stealer that first appeared in 2014. TrickBot shared features with Dyreza, such as certain variables with similar values and the way TrickBot’s creators configured the command and control (C&C) servers that TrickBot interacts with. This led many researchers to believe that the person or group that created Dyreza also created TrickBot.
In 2017, the developers included a worm module in TrickBot, which we believe was inspired by successful ransomware campaigns with worm-like capabilities such as WannaCry and EternalPetya. The developers also added a module to collect Outlook credentials. Why Outlook? Well, hundreds of organizations and millions of people around the world routinely use this webmail service. The range of data that TrickBot steals has also expanded: cookies, browsing history, visited URLs, Flash LSOs (local shared objects), and much more.
While these modules were new at the time, they were not well-coded.
In 2018, TrickBot continued to exploit the SMB vulnerability. It also came with a module that disables Windows Defender real-time monitoring using a PowerShell command. While it also updated its encryption algorithm, the rest of the module’s functionality remained the same. TrickBot’s developers also began adding obfuscation to protect their code from analysis by security researchers.
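A module that switches off Defender real-time monitoring leaves traces a defender can look for. The following PowerShell script is an added example and is not code from the article or from Malwarebytes: it compares Defender’s configured and actually running real-time protection state, then searches the Windows Defender operational log for the events written when real-time protection is turned off (event IDs 5001 and 5010) and the PowerShell operational log for script-block entries (event ID 4104, only present when script block logging is enabled) that invoke Set-MpPreference with DisableRealtimeMonitoring. The function names are the example’s own.

```powershell
# Added example: audit Defender real-time protection and hunt for the events a
# PowerShell-driven disable leaves behind. Run in an elevated PowerShell session
# on a Windows host with Microsoft Defender; function names are the example's own.

function Get-DefenderRealtimeState {
    # Get-MpPreference reports the configured setting, Get-MpComputerStatus what is
    # actually running; a disabled state from either source is worth investigating.
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        TamperProtectionEnabled   = $status.IsTamperProtected
        Suspicious                = [bool]($pref.DisableRealtimeMonitoring -or
                                           -not $status.RealTimeProtectionEnabled)
    }
}

function Get-DefenderDisableEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # 5001 = real-time protection disabled, 5010 = antispyware scanning disabled.
    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    $defenderEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010
        StartTime = $since
    } -ErrorAction SilentlyContinue

    # 4104 = script block logging; records the cmdlet text if the policy is enabled.
    $psEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Set-MpPreference' -and
                       $_.Message -match 'DisableRealtimeMonitoring' }

    # @($null) is a one-element array, so drop nulls before shaping the output.
    foreach ($e in (@($defenderEvents) + @($psEvents) | Where-Object { $null -ne $_ })) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            EventId = $e.Id
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

function Restore-DefenderRealtime {
    # Re-enable real-time monitoring. If tamper protection or Group Policy owns the
    # setting this fails, and the change has to be made through management tooling.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Get-DefenderRealtimeState
}

$state = Get-DefenderRealtimeState
$state | Format-List
if ($state.Suspicious) {
    Write-Warning 'Real-time protection is off; related events from the last 7 days:'
    Get-DefenderDisableEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize
}
```

The state check and the event search are separated on purpose: a host whose real-time protection is currently on may still show a 5001 event from a disable-and-re-enable cycle, and that history is the signal that matters in an investigation.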
At the end of the year, TrickBot was recognized as a top business threat, overtaking Emotet.
TrickBot developers made some changes to the Trojan again in 2019. In particular, they changed the way the webinject function works against US mobile operators Sprint, Verizon Wireless, and T-Mobile.
Recently, researchers have noticed an improvement in this Trojan’s evasion technique. The Mworm module, responsible for spreading a copy of the Trojan, has been replaced by a new module called Nworm. This new module modifies TrickBot’s HTTP traffic, allowing it to run from memory after infecting a domain controller, so that TrickBot leaves no traces of infection on the affected machines.
At first, it seemed like TrickBot could target anyone. But in recent years, its targets have become more specific, such as Outlook or T-Mobile users. TrickBot sometimes masquerades as tax-related spam during tax season.
In 2019, researchers at DeepInstinct discovered a repository of harvested email addresses and/or instant messaging credentials for millions of users. They belonged to Gmail, Hotmail, Yahoo, AOL, and MSN users.
Understanding how TrickBot works is the first step to understanding how organizations and consumers can protect themselves from it. Here are a few other things to keep in mind:
Look for possible indicators of compromise (IOCs) by running tools specifically designed for this purpose, such as the Farbar Recovery Scan Tool (FRST). This will help you identify infected machines on your network.
Once you have identified them, isolate the infected machines from your network.
Download and install patches that address the vulnerabilities exploited by TrickBot.
Disable administrative shares.
Change all local and domain administrator passwords.
Protect yourself from TrickBot infection with a multi-layered cybersecurity program. Malwarebytes’ business and premium consumer products detect and block TrickBot in real time.
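The network-side items in this checklist (patching the SMB vulnerabilities TrickBot exploits and disabling administrative shares) can be audited and applied with PowerShell. The script below is an added example, not code from the article or from Malwarebytes: it reports whether the SMBv1 protocol that the Eternal* exploits rely on is still enabled, lists the default administrative shares, checks for a set of required updates, and provides a hardening function that honours -WhatIf. The function names are the example’s own, and the KB list is a placeholder the reader must fill in from the vendor advisory for their OS build.

```powershell
# Added example: audit and harden the SMB exposure TrickBot's worm modules use.
# Run elevated. Function names are the example's own; the KB list is a placeholder.

function Get-SmbExposure {
    param([string[]]$RequiredKB = @())   # placeholder: KB numbers from the vendor advisory
    $cfg     = Get-SmbServerConfiguration
    # SMB1Protocol is the client-SKU optional feature; on some editions it is absent.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'Unknown' }
    # Special shares are the defaults Windows creates: ADMIN$, IPC$, C$ and other <drive>$.
    $admin     = Get-SmbShare | Where-Object { $_.Special } | Select-Object -ExpandProperty Name
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing   = $RequiredKB | Where-Object { $_ -notin $installed }
    [pscustomobject]@{
        Smb1ServerProtocol = $cfg.EnableSMB1Protocol
        Smb1FeatureState   = $featureState
        AdminShares        = ($admin -join ', ')
        MissingPatches     = ($missing -join ', ')
        Exposed            = [bool]($cfg.EnableSMB1Protocol -or $missing)
    }
}

function Set-SmbHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # 1. Turn off the SMBv1 server protocol, which the Eternal* exploits target.
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMBv1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # 2. Stop the Server service from recreating ADMIN$ and <drive>$ on its next start.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        if ($PSCmdlet.ShouldProcess("$lanman\$name", 'Set to 0')) {
            Set-ItemProperty -Path $lanman -Name $name -Value 0 -Type DWord
        }
    }
    # 3. Remove the administrative shares that exist right now. IPC$ is left alone:
    #    it carries named-pipe management traffic and is recreated automatically.
    Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Remove administrative share')) {
            Remove-SmbShare -Name $_.Name -Force
        }
    }
}

# Usage: audit first, preview the changes, then apply.
Get-SmbExposure -RequiredKB 'KB-PLACEHOLDER' | Format-List
Set-SmbHardening -WhatIf
```

Run Set-SmbHardening without -WhatIf only as a deliberate containment step: removing ADMIN$ and C$ also breaks legitimate remote administration and software deployment tools that copy files over those shares, so plan to restore them, with the AutoShare values set back to 1, once the network is clean.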
TrickBot isn’t perfect, and (as we’ve seen) the developers can be careless at times. The important thing is that it can be removed.
Here’s what you need to do:
Disconnect the computer from the network — to stop the spread in the local infrastructure.
Boot the PC in Safe Mode (Safe Mode with Networking).
Scan the system with antivirus / antimalware (Malwarebytes, Kaspersky, ESET, Microsoft Defender Offline).
Look for suspicious files and scheduled tasks (Task Scheduler) that the Trojan created.
Remove unknown entries from the registry autorun keys and startup items (msconfig, Autoruns).
Update all passwords (banking, mail, work accounts) from another, clean device.
Check the network for other infected machines — TrickBot often “returns” from infected neighbors.
Install all Windows updates and close SMB vulnerabilities.
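The Task Scheduler and autorun checks in the removal procedure above can be scripted so that every host in the network is triaged the same way. The following PowerShell is an added example, not code from the article or from Malwarebytes: it enumerates scheduled task actions and the machine- and user-level Run/RunOnce registry keys, flags entries whose command line runs from user-writable directories (the path heuristic is the example’s own, not a published TrickBot indicator), hashes the referenced executable so it can be checked against threat intelligence, and disables rather than deletes a flagged task so the task definition survives as evidence. It covers two autostart locations only; Sysinternals Autoruns, mentioned above, covers far more.

```powershell
# Added example: triage two persistence locations during TrickBot clean-up.
# Run elevated. The path heuristic and function names are the example's own.

# Directories that legitimate autostart entries rarely run from. A match is a
# lead for the analyst, not proof of infection.
$SuspiciousPath = '(?i)\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'

function Resolve-Executable {
    param([string]$CommandLine)
    # The executable is either the quoted first element or the first whitespace-delimited token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+', 2)[0]
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe  = Resolve-Executable $Command
    $hash = if (Test-Path -LiteralPath $exe -PathType Leaf) {
        (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    } else { 'file missing' }     # already deleted, or a path the heuristic mis-parsed
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command; SHA256 = $hash }
}

function Get-SuspiciousScheduledTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            # Expand %APPDATA%-style variables so the heuristic sees the real path.
            $cmd = [Environment]::ExpandEnvironmentVariables(("$($action.Execute) $($action.Arguments)").Trim())
            if ($cmd -match $SuspiciousPath) {
                New-Finding -Source 'ScheduledTask' -Name "$($task.TaskPath)$($task.TaskName)" -Command $cmd
            }
        }
    }
}

function Get-SuspiciousRunKeys {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }  # provider metadata (PSPath etc.), not autorun values
            $cmd = [Environment]::ExpandEnvironmentVariables("$($prop.Value)")
            if ($cmd -match $SuspiciousPath) {
                New-Finding -Source 'RunKey' -Name "$key\$($prop.Name)" -Command $cmd
            }
        }
    }
}

function Disable-FlaggedTask {
    param([string]$TaskFullName,                        # e.g. '\Vendor\UpdateCheck' from a finding's Name
          [string]$EvidenceDir = "$env:SystemDrive\IR")
    # Disable instead of deleting and export the XML, so the definition is kept for analysis.
    $path = (Split-Path $TaskFullName -Parent).TrimEnd('\') + '\'
    $name = Split-Path $TaskFullName -Leaf
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    Export-ScheduledTask -TaskPath $path -TaskName $name | Out-File "$EvidenceDir\$name.xml"
    Disable-ScheduledTask -TaskPath $path -TaskName $name
}

# Collect findings from both locations and present them; export for the IR record.
$findings = @(Get-SuspiciousScheduledTasks) + @(Get-SuspiciousRunKeys) | Where-Object { $null -ne $_ }
$findings | Format-Table -AutoSize
```

Review the SHA256 column before acting: the same hash appearing on several hosts is the quickest way to confirm the “returns from infected neighbors” pattern described above, and a hash that is unknown to your antivirus vendor is a candidate sample to submit.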
TrickBot is not just another banking Trojan, but a complex, modular malware that has evolved over the years into a platform for large-scale attacks. It demonstrates how sophisticated modern threats can be: from stealing banking data and accounts to spreading ransomware and completely compromising corporate networks.
The main lesson for users and organizations is the importance of multi-layered protection: regular system updates, using reliable antivirus solutions, being careful with emails, and limiting administrative rights help reduce the risk of infection.