Trojan.Win32.Trickster

Detect Date: 12/01/2016
Class: Trojan
Platform: Win32

Description

Trojan.Win32.Trickster (also known as TrickLoader and TrickBot) is capable of infecting 32- and 64-bit versions of Windows. The Trojan is generally small in size (less than 500 KB) and does not use additional packing or encryption for the main body. Judging by the protocol used to communicate with the command-and-control server, the malware was rewritten from the source code for Dyre (Dyreza) but, unlike Dyre, is able to perform web injects.

The main body of Trojan.Win32.Trickster contains the following characteristic strings in Unicode format:
• TrickLoader
• Global\TrickBot
• BotLoader

A characteristic and easily identifiable trait of the malware is the presence of the “TrickLoader” string in the User-Agent field of network packets.
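The two indicators above (the UTF-16LE strings in the file body and the “TrickLoader” User-Agent) translate directly into detection logic. The following is an added example, not part of the original description and not Kaspersky's own tooling: it searches a byte buffer for the listed strings in their Unicode (UTF-16LE) encoding and parses an HTTP request header block for the User-Agent indicator. The sample file bytes and HTTP requests are constructed for illustration, and the "at least two strings" threshold in classify_sample is an assumption chosen here, not a rule stated on the page.

```python
import re

# Indicator strings the description lists as present in the Trojan's main body.
# They are stored there in Unicode (UTF-16LE) form, so that is the encoding we search for.
INDICATOR_STRINGS = ("TrickLoader", "Global\\TrickBot", "BotLoader")


def find_unicode_strings(data: bytes, needles=INDICATOR_STRINGS) -> dict:
    """Return {needle: [byte offsets]} for each needle found as UTF-16LE in data."""
    hits = {}
    for text in needles:
        pattern = re.escape(text.encode("utf-16-le"))
        offsets = [m.start() for m in re.finditer(pattern, data)]
        if offsets:
            hits[text] = offsets
    return hits


def classify_sample(data: bytes) -> bool:
    """Flag a file body containing at least two of the characteristic Unicode strings.

    The threshold of two is an assumption made for this example (one hit alone
    could be a false positive, e.g. a string table in a security tool).
    """
    return len(find_unicode_strings(data)) >= 2


def user_agent_matches(http_request: bytes) -> bool:
    """Parse the header block of an HTTP request and report whether the
    User-Agent header contains the 'TrickLoader' indicator."""
    head = http_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return b"TrickLoader" in value
    return False


# Constructed sample data (not real malware bytes): filler around UTF-16LE strings.
SAMPLE_BODY = (b"\x00" * 16
               + "TrickLoader".encode("utf-16-le")
               + b"\x90" * 8
               + "Global\\TrickBot".encode("utf-16-le")
               + b"\xcc" * 4)
# ASCII-only occurrence: not the Unicode form the description refers to, so no match.
BENIGN_BODY = b"MZ" + b"TrickLoader" + b"\x00" * 32

# Constructed HTTP requests; the address is a documentation range, not a real C2.
SAMPLE_REQUEST = (b"GET /example HTTP/1.1\r\n"
                  b"Host: 203.0.113.10\r\n"
                  b"User-Agent: TrickLoader\r\n"
                  b"Connection: close\r\n\r\n")
BENIGN_REQUEST = (b"GET / HTTP/1.1\r\n"
                  b"Host: example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(find_unicode_strings(SAMPLE_BODY))
    print(classify_sample(SAMPLE_BODY), classify_sample(BENIGN_BODY))
    print(user_agent_matches(SAMPLE_REQUEST), user_agent_matches(BENIGN_REQUEST))
```

Searching for the UTF-16LE encoding matters: a plain ASCII search for "TrickLoader" would miss the strings the description refers to, while an ASCII hit in a benign file (an AV signature database, for instance) is not what the indicator describes. The User-Agent check is suitable for an IDS or proxy log rule, where it is a cheap, high-confidence match because legitimate clients do not send that token.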

A file with the list of command-and-control servers for Trojan.Win32.Trickster is stored in encrypted form in resources. The AES encryption algorithm is used for decrypting the list as well as modules received from command-and-control servers. The key consists of a hash in RSA-256 format.

Currently known information about the modules used by the malware:
• systeminfo – the first module for Trojan.Win32.Trickster
• injectDll – module injected into the browser and used for web injects

Geographical distribution of attacks by the Trojan.Win32.Trickster family

[Map: Geographical distribution of attacks during the period from 01 December 2015 to 01 December 2016]

Top 10 countries with most attacked users (% of total attacks)

 #   Country             % of users attacked worldwide*
 1   Australia           17.56
 2   USA                  6.29
 3   United Kingdom       6.17
 4   Singapore            4.98
 5   India                3.68
 6   Russian Federation   3.32
 7   Japan                3.20
 8   France               3.08
 9   Italy                3.08
10   China                2.85

* Percentage among all unique Kaspersky users worldwide attacked by this malware