Malware Focus: TrickBot


TrickBot is a banking Trojan that targets the Windows operating system. Its primary goal is to steal banking information, and it is distributed through spam campaigns. Once inside a network it can spread laterally using the EternalBlue exploit (MS17-010). It also harvests emails and credentials and keeps gaining new features as it develops, including the ability to extract VNC, PuTTY and RDP credentials. TrickBot has evolved into one of the most dangerous pieces of malware in circulation today.

Symptoms of an infection are not easily noticed by the end user. TrickBot gains persistence through scheduled tasks.
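As an added example (not part of the MOREnet advisory): a small Python triage helper that parses the CSV export produced by `schtasks /query /fo CSV /v` and flags tasks that run from user-writable locations or through script hosts, the kind of scheduled-task persistence described above. The column names follow schtasks' verbose CSV output; the sample rows are constructed.

```python
"""Flags scheduled tasks that run from user-writable paths or via script hosts.
Input: the CSV export of `schtasks /query /fo CSV /v`. Sample rows are constructed."""
import csv
import io
import re

# Paths an unprivileged user can write to; legitimate tasks rarely launch from here.
USER_WRITABLE = re.compile(
    r"(?:\b[a-z]:\\(?:users\\[^\\\"\s]+\\(?:appdata|downloads|desktop|documents)"
    r"|users\\public|programdata|windows\\temp|temp)\\"
    r"|%(?:appdata|localappdata|temp|tmp|public)%)", re.I)
# Script hosts and LOLBins commonly used to launch a payload indirectly.
SCRIPT_HOSTS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32", "regsvr32"}

def executable(cmd):
    """First token of a 'Task To Run' value, surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]

def suspicious_tasks(csv_text):
    """Return [{task, command, reasons}] for every task matching a heuristic."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks repeats the header line per task folder; skip those rows.
        if row.get("TaskName") == "TaskName":
            continue
        cmd = (row.get("Task To Run") or "").strip()
        if not cmd or cmd == "N/A":
            continue
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("user-writable path in command")
        exe = executable(cmd).rsplit("\\", 1)[-1].lower()
        if (exe[:-4] if exe.endswith(".exe") else exe) in SCRIPT_HOSTS:
            reasons.append("launched via script host")
        if reasons:
            findings.append({"task": row["TaskName"], "command": cmd, "reasons": reasons})
    return findings

# Constructed sample in the column layout of `schtasks /query /fo CSV /v` (subset of columns).
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User","Scheduled Task State"
"WKS-01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Enabled"
"WKS-01","\WinSys Update","Ready","WKS-01\jdoe","C:\Users\jdoe\AppData\Roaming\WinSys\svchost.exe","jdoe","Enabled"
"WKS-01","\Updater","Ready","WKS-01\jdoe","powershell.exe -w hidden -File C:\Users\Public\update.ps1","jdoe","Enabled"
'''
if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_CSV):
        print(f"{f['task']}: {', '.join(f['reasons'])}\n    {f['command']}")
```

Any hit should be confirmed by inspecting the task's binary and author before acting on it; the heuristics are a triage filter, not a verdict.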

Remediation:

  • Remove the infected device from the network.
  • Run virus scans to identify and remove the threat.
  • Patch for EternalBlue (MS17-010).
  • Disable administrative shares.
  • Change the credentials on the affected account.
  • MOREnet Cyber Security recommends a complete wipe and reimage of the device.

Resources:

TrickBot Banking Trojan Now Steals RDP, VNC and PuTTY Credentials

Security Primer-Trickbot

Trojan: Trickbot