Back to Blog

Old banking Trojan TrickBot has been taught new tricks

April 3, 2020

By: mirabiliscorp

The TrickBot Trojan has been upgraded with new modules to make detection, and defense, more difficult.

First discovered in 2016, TrickBot is a financial Trojan which targets the customers of major banks.

The Trojan is most commonly connected to phishing campaigns which trick users into entering their credentials into phishing and fraudulent banking websites, designed to appear as legitimate services.

Online banking customers from the US, UK, Australia, and other countries are commonly targeted.

The malware has “continually undergone updates and changes in attempts to stay one step ahead of defenders,” according to researchers from Webroot.

Now, a new module has been installed which not only makes discovery more difficult but utilizes a locking system akin to ransomware.

The Trojan already attempts to use the Microsoft Windows vulnerability EternalBlue to infect systems, which has been linked to campaigns including the disastrous WannaCry campaign of 2017.

In a blog post on Wednesday, researchers from the cybersecurity firm said that on 15 March, Webroot noticed a new module, tabDll32 / tabDll64, which was downloaded by TrickBot in the first example of the system being utilized in the wild.

The module, known internally as spreader_x86.dll, contains two new executables which enhance the malware’s capabilities.

When TrickBot has compromised a system, it installs itself into a TeamViewer directory and executes, creating a “Modules” folder which stores encrypted plug-and-play modules the malware relies upon.


This image has an empty alt attribute; its file name is banner.png

Contact us

Safety is essential to your decision making. We are sure that our team can clarify any doubts. After all, we understand security.

Follow us


Contact Us
First Name*
Last Name*
Mobile Number*
Tell us what do you need* ?
Products: Hold CTRL+Click to add more than 1.* ?
I agree to the Privacy Policy and Terms of Service.