Trickbot is not so tricky

Intrusion Team
Jul 17, 2021

They’re baaaaack!

As of this writing, rumor via circular reporting says the Trickbot banking malware group is updating its toolset, and “they’re back!”Circular reporting goes like this: They said that she said that he said that it was reported by researchers who said they heard… you get the picture. It’s quite common in political reporting.And, in cyber reporting, the race is just as fast to earn those clicks.

At this moment, any Google news feed when searching for “Trickbot” under the technology section shows 11 new articles in the past 24 hours. By the release of this blog, there are probably 50 more as everyone jumped on the’s release of their exclusive report with Romanian IT Security firm.I could not help but add one more.

At INTRUSION, we just worry about basic facts and getting the most current and accurate data possible to help protect your network.Case in point: the researcher’s exclusive report with the says Trickbot has a developed a new tool named Diavol – and most importantly – is rebuilding its infrastructure.They have already watched the Trickbot gang come after one of their own honeypots, and it was from here they could watch their new crafts in action. More important is that they could see what cyberinfrastructure it came from.

That last point is key because previous reporting suggests Trickbot suffered a serious blow when Microsoft, working with the U.S. government was able to cripple 94% of their infrastructure. Another case of he said they said reporting, demonstrated that Trickbot’s C2 server network dwindled from 37 servers to 12, and Trickbot went from sending 4,000-5,000 messages per campaign, to around 1,000.

According to the Romanian researchers, it appears that the server network has grown upwards of 140 servers as of 4 July 21.That is significant because a cybercriminal group’s infrastructure is the domain of cyberspace, they use to attack your network.The larger that domain, the more options they have in which to hide their tools, initiate attacks, and launch multiple connections to your network once initial contact is made. So, losing 94% is significant.But increasing it 10X from its lowest point seriously overshadows any attempt by authorities to take down Trickbot.

We think your cyber defense approach must care about that because it is essential to disrupt and kill communications between you and the cybercriminal.And much of that relies on understanding the nature of IP space and how malicious cyber actors create and use infrastructure. In any case, relying on SIEM and periodic internal audits of your IT assets and network are not enough.

While the rest of the cyber defense industry is about to inundate you with decompiled screenshots of how Diavol is coded and explain how it affects a network and infects systems, we are going to worry about the layer of Trickbot’s attack that everyone else seems to ignore. And that layer is the path, the connections from their architecture to yours.As a matter of fact, we have already validated that we kill every published IOC related to Trickbot.

Resources that might interest you.

Get the insights cybercriminals don’t want you to know.