Last-minute paper: Turning Trickbot: decoding an encrypted command-and-control channel

Thursday 5 October 12:00 - 12:30, Red room

Andrew Brandt (Symantec)

Trickbot, which appeared this year, seems to be a new, more modular, and more extensible malware descendant of the notorious Dyre botnet trojan. Like Dyre, Trickbot communicates with its command-and-control network over TLS-encrypted channels, which it uses both to exfiltrate an enormously detailed profile of the infected machine and any stolen data, as well as to receive payloads and instructions.

This session will comprise a walkthrough of a typical Trickbot infection process, and its aftermath, as seen through the lens of a tool used to perform man-in-the-middle decryption. To collect this information, I infected a number of both virtual and bare-metal devices with Trickbot and then permitted the infected machines to beacon for anywhere from a few hours to a few weeks, all the while MITM-ing the traffic and recording it on a retrospective analysis tool. Finally, we will report our observations about the general behavioural rules that Dyre follows, and offer practical advice to incident responders or malware analysts who might need to identify a Trickbot infection, or deal with the consequences of its aftermath.

Andrew Brandt

Andrew Brandt, Symantec’s Director of Threat Research, is a former investigative reporter turned network forensics investigator and malware analyst. At Symantec, Brandt uses his knowledge about the behaviour of malicious software to profile identifiable characteristics of undesirable or criminal activity. His analysis techniques seek to determine general principles that can help analysts and defenders rapidly and comprehensively identify the root cause of infection and data loss, putting real-time network data analysis at the front line of prevention.

