It's baaaaaaack.
Since inception in late 2016, the TrickBot banking trojan has continually undergone updates and changes in attempts to stay one step ahead of defenders. While TrickBot has not always been the stealthiest trojan, its authors have remained consistent in the use of new distribution vectors and development of new features for their product. On March 15, 2018, Webroot observed a module (tabDll32 / tabDll64) being downloaded by TrickBot that has not been seen in the wild before this time.
It appears that the TrickBot authors are still attempting to leverage MS17-010 and other lateral movement methods coupled with this module in an attempt to create a new monetization scheme for the group.
We go in depth on our blog into the behavioral analysis of TrickBot and provide insight into what might happen next.
Sound off in the comments! We want to hear from you and what you've heard about TrickBot. What do you think?
