FortiGuard Labs Threat Research

I’ve Got Trickbot Under My Screen

By Floser Bacurio and Joie Salvio | May 23, 2018

More than a week ago, FortiGuard Labs spotted yet another new module being distributed by the very active Trickbot banking malware using a technique called “Hidden VNC” (virtual network computer) to stealthily take control of a victim’s machine. Trickbot was first seen using a similar feature embedded in one of its modules in the middle of last year. At that time, as reported in an article in Malwarebytes, it was used by threat actors to collect the browser fingerprint of a victim. This new module no longer has this behaviour, not readily at least. Actually, if this new module works well, that old feature may not be needed anymore, as we discuss in this article.

Fingerprint Not Needed

Hidden virtual network computing is not at all new in the malware scene. It is a tactical way for malware to gain user-level access to an infected device and control it remotely without the victim’s knowledge. Malware researcher MalwareTech wrote a nice article about this technique way back in 2015. We’ve seen this technique being used in the past by other financial malware, and it is commonly utilized by RATs (Remote Access Trojans.)

Basically, the malware creates another instance of a desktop (virtual desktop), which is a feature that has been in Windows for a long time. But since there was no built-in application to manage the feature prior to Windows 10, this was not mainstream knowledge. It uses this VNC system to remotely view and control a victim’s desktop. Since this newly created desktop is hidden, an attacker can control the targeted system without the victim noticing.

To reveal the desktop created by this malicious Trickbot module, we used the CmdDesktopSwitch tool. In this case, the malware created a desktop named “AlterDesk01”.

Fig.1 CmdDesktopSwitch lists all created desktops

After the malware creates the hidden desktop, it is further customized with the addition of popup menus and a taskbar. Some files from the victim’s default desktop are also replicated.

One of the two popup menus serves as an easy access to the following pre-defined applications:

·       Explorer – open system’s root directory

·       Internet Explorer

·       Edge

·       Chrome

·       Firefox

·       Outlook Office (disabled)

·       Windows Sheduler (MMC) – Task Scheduler with GUI

·       Windows Sheduler (Console)

Microsoft Outlook Office is currently disabled by default, which suggests that the module is still under development. Aside from that, menu items appear grey if the assigned application does not exist in the system, just like Edge in the next image.

Fig.2 Hidden desktop with popup menu and taskbar

A simple popup menu for the processes in the taskbar is also added to in order to terminate processes and restore windows.

Fig.3 Taskbar popup menu for opened processes

In order to ensure that online banking requests are legitimate, financial institutions generate a unique identification of their clients’ devices, also known as device fingerprinting. The information used may include such things as the client’s IP address for geo-location tracking, browser settings, and OS-specific details. This is to make sure that their clients are logging in from a trusted device. Usually, in order for threat actors to use a victim’s accounts from their own device, they must go through the tedious process of using proxies and replicating their victim’s device configurations in order to spoof a legitimate device fingerprint. The other option, of course, is to find a way to login using the victim’s actual device. Trickbot seems to favour the latter, which is not at all surprising. In the first place, even prior to the downloading and execution of this module, the malware has already established a solid foothold in the victim’s system, as discussed in our previous analysis of its main infection routine. Adding this new hVNC module simply leverages that foohold in order to simplify the process of logging into the victim’s financial institution.


We’ve been constantly monitoring Trickbot for a while now, and after all the numerous modules that the perpetrators have distributed to their victims over time through download-and-execute method, it’s interesting to see them now switch to a more direct method for controlling an infected system. Although it appears that the module is still in the early stages of development, it wouldn’t be surprising if they go all out in turning this to a full RAT module.

As always, FortiGuard Labs will continue to track this malware campaign and will provide updates as they become available.

-= FortiGuard Lion Team =-



Fortinet users are protected using the following solutions:

·       Trickbot components are detected by FortiGuard Antivirus

·       FortiSandbox rates Trickbot execution as “High Risk”

·       Malicious download URLs and C2s are blocked by our FortiGuard Web Filtering Service.

FortiGate’s Application Control can also be configured to block VNC traffic. Refer to this link for instructions. Simply replace ‘Tor’ with ‘VNC’, as shown in the next figure.

Fig.4 Added VNC traffic to FortiGate Application Control block list



169109e25916e31dd1210fb1afaae1d25158b8ce7d3cbc1a753e93062ac6a803 (W32/Trickbot.KAD!tr)

bbb07a409e76efc49fcb858c7207808dd3df55952334db0f3aa6b783c9c0d973 (W32/Trickbot.KAD!tr)



Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.