New TrickBot Now Spreads via Dropbox

Computer security experts have dealt with the Trickbot Trojan infection before. This is a rather dangerous infection that targets financial institutions. Such malware programs have a tendency to regroup and come back once in a while. It seems that now is the time for Trickbot to make that comeback. This time, it comes back imitating Dropbox. It is rather obvious as to why the Trojan is using Dropbox to reach its targets: the service had more than 500 million registered users by March 2016, so it offers a really wide range of potential victims. Why wouldn’t a malicious infection make use of that?

How does the new Trickbot version spread?

This new version of Trickbot reaches its targets via spam email. The spam email message that carries the infection looks like a legitimate notification from Dropbox, so it is very likely that it is not filtered straight into your Junk folder, and it lands in the same folder where all of your other Dropbox emails drop. The spoofed Dropbox email comes with the Subject line that says “A new document is available for download.” The body of the email even contains a unique download key, so it might seem that you really have a new important corporate document waiting for you to download it. So it takes just one click to get infected with Trickbot.

How does the infection occur?

So let us say you click the link on the fake Dropbox email, and you download the payload file. What happens then? The file surely looks like an MS Word document file, and most of the users would not think twice before clicking it open. There is a chance that the infection would not load for you, however, if you do not have the macro code function enabled. Most of the malware infections that reach their targets this way (either from fake MS Word or MS Excel files) require the macro function to be enabled to load.

It is also very likely that most of the individual users will not have the macro function enabled, and they will avoid this infection. Nevertheless, corporate computer systems are bound to have most of the Microsoft Office functions enabled, and thus they are more likely to get infected with this version of TrickBot. So if you open the downloaded file on a computer that has macros enabled, you will cause a chain of reaction that will allow the infection to retrieve the main TrickBot payload. Then the infection arrives at your computer in several modules that have encrypted configuration files. It also creates a new task in the %AppData% directory that launches the infection the next time you restart your computer.

How is the new TrickBot banking Trojan different from the old one?

According to computer security specialists, the new modules that this Trojan comes with are more sophisticated, so it is harder and to detect it and to protect yourself from it. Just like most of the banking Trojans, this infection intends to steal bank user’s credentials by tricking them into entering their personal data into fake websites that look like legitimate online banking pages.

While the intention of TrickBot remains the same (it wants to steal your money), this program comes with a new locking system that is commonly used by ransomware. Security experts also point out that the Trojan might be exploiting the same EternalBlue vulnerability that was used by the WannaCry infection last year. It could be that these locking mechanisms are still under development, but the researchers at the Webroot Threat Blog suggest that one of the Trojan’s executable files does attempt to lock the infected computer. And normally, we associate such behavior with ransomware infections.

Webroot goes on to say the following:

Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for a credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetization scheme.

Thus, the main difference between this and the previous versions of the TrickBot Trojan is that its developers are choosing the easier path towards a financial profit. While users often are not aware when their credentials are stolen, it requires more effort. Whereas, it is a lot easier to simply bully the infected users into paying the money to unlock their system. We can assume here that other banking Trojans will become more aggressive in the future, too. Therefore, security measures that would protect users and corporate systems from such attacks become extremely important.

How to avoid TrickBot?

If we are talking about this exact infection here, then it is clear that you should delete suspicious emails that look like Dropbox notifications. Or, if you think that the document in the email is really important, you can double-check with the supposed other half which “sent” you the file. Finally, you can always scan the downloaded file with a security program that would detect anything fishy immediately.

If we are talking about banking Trojans (or other infections, for that matter) in general, then we have the usual checklist that contains things most of the computer users should be aware of. Unfortunately, they often fail to realize the importance of those points.

For example, the number one thing is that all of your software should be always up-to-date. While there are a lot of users who choose to turn off the automatic update option that is not a wise decision because updates also often come with security patches that fix vulnerabilities that could be exploited by malware.

Also, you need to be careful about the emails you open and the files you download. Always keep a security program at the ready, and then do not forget to backup most of your important data. Perhaps you like to use an external drive for that, maybe you keep copies of your files on a cloud server. Either way, a file backup is necessary in the case of a severe infection that could destroy your data.

Strong passwords, software permissions, and security tools are also important constituents of your system’s safety. There are a lot of users out there who prefer using one password for almost all of their accounts, but that is obviously a dangerous tendency that could lead to severe security breaches. As far as security applications are concerned, you can choose one based on your needs, but if you have more questions about it, feel free to contact us by leaving a comment below.


  1. Jason Davison. TrickBot Banking Trojan Adapts with New Module. Webroot.
  2. Rene Millman. Trickbot banking malware has new trick up its sleeve. SC Media.
  3. Catherine Osborne. Old Banking Trojan TrickBot has been taught new tricks. ZDNet