National Cyber Security Centre
How organisations can protect their networks from the ‘Trickbot’ banking trojan.
What is Trickbot?
Trickbot is an established banking trojan used in cyber attacks against businesses and individuals in the UK and overseas. Trickbot attacks are designed to access online accounts, including bank accounts, in order to obtain personally identifiable information (PII). Criminals use PII to commit identity fraud.
In some cases, Trickbot is used to infiltrate a network. Once inside it can be used to deploy other malware, including ransomware and post-exploitation toolkits.
Trickbot targets victims with well-crafted phishing emails, designed to appear as though sent from trusted commercial or government brands. These emails will often contain an attachment (or link to an attachment) which victims are instructed to open, leading to their machine being exploited.
What can Trickbot do?
Trickbot can download new capabilities onto a victim’s device (as well as updating those it has already deployed) without interaction from the victim.
- steal sensitive information, including banking login details and memorable information
- gather detailed information about infected devices and networks
- steal saved online account passwords, cookies and web history
- steal login credentials for infected devices, including domain credentials
- connect infected devices to malicious, criminally-controlled networks over the internet, giving criminals full control of them
- spread across a victim’s network by infecting other devices, including those on trusted domains (known as lateral movement), often using SMB shares
- download further malicious files such as Remote Access Tools, VNC clients and ransomware
Dealing with a possible Trickbot infection
Victims of Trickbot have observed a number of malicious activities, including:
- unauthorised access attempts to online accounts
- successful, fraudulent bank transfer activity
- unauthorised changes to their network infrastructure
To protect business and personal banking facilities (including where employees have accessed personal banking from work devices) you should:
- consider changing passwords and memorable information for any corporate, business or personal internet banking facilities (or other online resources) accessed from the infected network
- review bank and credit card statements for suspicious activity, and report any findings to your bank
- advise any employees who have accessed online banking facilities from the affected network to do likewise
If you (or your employees) have been the victim of fraud, report it to Action Fraud.
Protective action to take now
Run a full scan on all devices using up-to-date antivirus software, such as Windows Defender. This should detect and remove any Trickbot infection.
- Use the latest supported versions of operating systems and software, apply security patches promptly, use antivirus and scan regularly to guard against known malware threats.
- Keep antivirus software up to date, and consider the use of a cloud-backed antivirus product that can benefit from the improved threat intelligence and advanced analysis which large scale operations bring. Ensure that antivirus software is capable of scanning MS Office macros.
- Make sure important data is stored in an offline backup, to reduce the impact of ransomware.
- Use multi-factor authentication (MFA), also known as two-step verification or 2-factor authentication (2FA).
- Prevent and detect lateral movement in your enterprise networks.
- Implement architectural controls for network segregation. This would help mitigate the exposure of the SMB issues described above.
- Set up a security monitoring capability so you can collect the data needed to analyse network intrusions.
- If supported by your operating environment, consider whitelisting permitted applications. This will help prevent malicious applications from running.
Latest News from
National Cyber Security Centre
New look scheme protects businesses from cyber attack01/04/2020 16:15:00
IASME Consortium takes over delivery of the government-backed Cyber Essentials certification scheme.
Schoolgirls from Bath crowned UK's cyber champions18/03/2020 17:02:00
CyberFirst Girls Competition 2020 winners crowned at the Grand Final in Cardiff.
NCSC issues guidance as home working increases in response to COVID-1918/03/2020 09:15:00
Advice to help organisations manage the cyber security challenges of increased home working.
Cyber experts step in as criminals seek to exploit Coronavirus fears16/03/2020 12:25:00
Experts at the NCSC have revealed phishing attacks exploiting worries over COVID-19
Watch this cyberspace! Schoolgirls aim for UK codebreaker crown10/03/2020 11:15:00
The CyberFirst Girls Competition 2020 is set to take place and crown schoolgirl codebreakers.
Consumers urged to secure internet connected cameras04/03/2020 11:15:00
Advice has been published by the NCSC for consumers to help secure internet connected cameras.
Registration opens for CYBERUK 202027/02/2020 09:10:00
The UK Government’s flagship cyber security event CYBERUK 2020 has opened its doors for registration.
UK cyber entrepreneurs to meet world's experts in Silicon Valley25/02/2020 11:15:00
Seven companies from the NCSC's Cyber Accelerator programme to pitch to prospective clients at the IT security conference.