
Researchers believe that an original developer of the Dyre banking trojan helped come up with a new malware bot known as TrickBot.

The research team at Fidelis Cybersecurity quickly noticed that the loader for TrickBot, which has been around since at least September 2016, uses the same custom crypter as Cutwail, a favorite of the group which spread Dyre via spam and social engineering campaigns.

The loader is responsible for determining whether it’s running on a 32- or 64-bit system. After conducting a bit check, it downloads the resources necessary to load up the TrickBot malware.

TrickBot’s loader bit check (Source: Fidelis Cybersecurity)

Those similarities in the crypter aside, it wasn’t until researchers decoded the malware bot that they saw just how closely the two malware families are connected.

As they write in a blog post:

“The bot shows a number of similarities to Dyre but appears to have been rewritten. This assumption is made based on old Dyre code, which would primarily use built-in functions for doing things such as AES and SHA256 hashing. In the recent samples identifying themselves as TrickBot, the code appears to be based on that old code but rewritten to use things such as Microsoft CryptoAPI and COM.”

The Fidelis research team in particular found that both Dyre and TrickBot come with an elliptic curve cryptography (ECC) certificate as well as an onboard config in their resource sections.

TrickBot resource sections (Source: Fidelis Cybersecurity)

They also noticed that early versions of the malware bot appear to download a single module, used for harvesting victims’ system information, from a plugin server, just as Dyre downloads its modules from a mod server.

That’s not to say TrickBot and the banking trojan are exactly alike, however. The malware bot is considerably stripped down and employs more C++ programming than Dyre. It also uses Microsoft CryptoAPI instead of its own SHA256 hashing and AES routines.
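A triage heuristic for the difference described above, written as an added example (not Fidelis’s analysis code or anything from the malware): it scans a raw file image for the constant tables an inlined AES/SHA256 implementation leaves behind, versus the CryptoAPI import names a sample carries when it delegates crypto to Windows. The two sample byte strings are constructed for the demo and are not real malware bytes.

```python
import re
import struct

# Byte patterns an inlined crypto routine leaves in an x86 binary (little-endian):
# the first 16 entries of the AES forward S-box and the first four SHA-256 round constants.
AES_SBOX_PREFIX = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")
SHA256_K_PREFIX = b"".join(struct.pack("<I", k) for k in
                           (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5))

# Import names that indicate the sample calls Microsoft CryptoAPI
# instead of carrying its own hashing/cipher code.
CRYPTOAPI_IMPORTS = re.compile(
    rb"Crypt(?:AcquireContext[AW]?|CreateHash|HashData|Encrypt|Decrypt|ImportKey)")

def crypto_profile(blob: bytes) -> dict:
    """Return which crypto indicators are present in a raw file image."""
    return {
        "inlined_aes": AES_SBOX_PREFIX in blob,
        "inlined_sha256": SHA256_K_PREFIX in blob,
        "cryptoapi_imports": sorted({m.decode() for m in CRYPTOAPI_IMPORTS.findall(blob)}),
    }

def classify(blob: bytes) -> str:
    """Map the indicators onto the two coding styles the Fidelis write-up contrasts."""
    p = crypto_profile(blob)
    inlined = p["inlined_aes"] or p["inlined_sha256"]
    if p["cryptoapi_imports"] and not inlined:
        return "cryptoapi-style"   # TrickBot-like: AES/SHA256 through CryptoAPI
    if inlined and not p["cryptoapi_imports"]:
        return "inlined-style"     # old-Dyre-like: built-in AES/SHA256 tables
    if p["cryptoapi_imports"]:
        return "mixed"
    return "no-crypto-indicators"

# Constructed sample images (padding plus the indicators), not real samples.
DYRE_LIKE = b"\x00" * 32 + AES_SBOX_PREFIX + b"\x90" * 16 + SHA256_K_PREFIX
TRICKBOT_LIKE = (b"MZ" + b"\x00" * 30
                 + b"CryptAcquireContextW\x00CryptHashData\x00CryptDecrypt\x00")

if __name__ == "__main__":
    for name, blob in (("dyre_like", DYRE_LIKE), ("trickbot_like", TRICKBOT_LIKE)):
        print(name, classify(blob), crypto_profile(blob))
```

Run it on the unpacked payload rather than the crypted dropper: the custom crypter the article mentions hides both the import names and the constant tables until the bot is unpacked in memory.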

But there’s still enough there to have the Fidelis researchers convinced of a connection:

“…[T]here is correlation between the code used in this bot and that from Dyre. As the bot appears in development, they are pushing to rebuild their Cutwail botnet in preparation for future spam runs. It’ll be interesting to see if TrickBot can reach or pass its predecessor.”

If they’re right, this will mark one of the first times some hint of Dyre has surfaced since it went offline in early 2016.