Trojan.Win32.Trickster (also known as TrickLoader and TrickBot) is capable of infecting both 32-bit and 64-bit versions of Windows. The Trojan is generally small (less than 500 KB), and its main body is not additionally packed or encrypted. Judging by the protocol it uses to communicate with its command-and-control (C2) server, the malware was rewritten from the source code of Dyre (Dyreza) but, unlike Dyre, is able to perform web injects.
The main body of Trojan.Win32.Trickster contains the following characteristic strings in Unicode format:
A characteristic and easily identifiable trait of the malware is the literal string “TrickLoader” in the User-Agent field of its HTTP requests, which makes the C2 traffic straightforward to spot in proxy or web-server logs.
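The User-Agent indicator above can be turned directly into detection logic. The following is an added example, not code from the original page or from Kaspersky: it parses proxy log lines in a constructed combined-log-style format (the format, sample lines and IP addresses are assumptions for illustration) and returns every record whose User-Agent contains the “TrickLoader” string.

```python
"""Added example (not from the original page): flag HTTP proxy log lines whose
User-Agent field contains the "TrickLoader" string documented for
Trojan.Win32.Trickster. Log format and sample lines are constructed."""
import re
from typing import Dict, List, Optional

# Constructed log format, modelled on an Apache/NGINX combined log with a
# trailing quoted User-Agent field. Real deployments will need their own regex.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator taken from the page: the exact string in the User-Agent header.
INDICATOR = "TrickLoader"

# Constructed sample input: one exact-match hit, one benign browser line,
# one malformed line, and one hit where the string is embedded in a longer UA.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2016:10:01:02 +0000] "GET /path HTTP/1.1" 200 512 "-" "TrickLoader"
10.0.0.6 - - [12/Oct/2016:10:01:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/49.0"
garbled line without the expected fields
10.0.0.7 - - [12/Oct/2016:10:02:00 +0000] "POST /x HTTP/1.1" 200 8 "-" "Mozilla/4.0 TrickLoader/1.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a field dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_trickloader(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records whose User-Agent contains the indicator.

    The match is deliberately case-sensitive and substring-based: the page
    documents the exact string, and the sample shows it may be embedded in a
    longer User-Agent value. Unparseable lines are skipped, not flagged.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if INDICATOR in rec["ua"]:
            hits.append(rec)
    return hits


def main() -> None:
    for h in find_trickloader(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} {h['method']} {h['url']} UA={h['ua']!r}")


if __name__ == "__main__":
    main()
```

The same indicator maps onto an IDS rule that inspects the User-Agent buffer (for example a Suricata rule matching `content:"TrickLoader"` on `http.user_agent`); the script is the equivalent check for retrospective log review, where the source IP and timestamp of each hit identify the infected host.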
A file listing the command-and-control servers used by Trojan.Win32.Trickster is stored in encrypted form in the Trojan's resources. The AES algorithm is used both to decrypt this list and to decrypt the modules received from the command-and-control servers; the AES key is a 256-bit hash value.
Currently known information about the modules used by the malware:
Geographical distribution of attacks by the Trojan.Win32.Trickster family
Top 10 countries with most attacked users (% of total attacks)
* Percentage among all unique Kaspersky users worldwide attacked by this malware