In first week of August 2017, malspam activity was observed delivering the Trickbot banking trojan, which has been heavily active this summer and has now once again evolved.
Beginning in 2011, Trickbot actors began targeting banks from countries like UK and India, but it has since expanded its range of countries and victims to include PayPal and Customer Relationship Management (CRM) providers. Trickbot has also consistently evolved, recently adding new evasion techniques, browser manipulation tools, modules targeting Microsoft Outlook data, and now worm functionality.
Primary delivery of the malware has been attributed to the Necurs botnet and also sometimes RIG exploit kit. In the case of this most recent delivery, malspam delivered a MS Word document (File name: SecureMessage.doc) that contains embedded and obfuscated macros recorded in VBA along with a Santander bank decoy.
This document contains malicious VBA code and What's This File gives it a maximum threat score. The VBA code analysis shows main indicators as “VBA Code Contains Reference to Code Execution” and “VBA Code Contains Auto-Launch Scripts”.
As visible below, the cleansed VBA code contained within the document uses Shell to launch an executable.
Use of Chr in VBA code suggests possible obfuscation of specific strings:
Upon opening, the attachment attempts to download a PNG file (Filename: nologo.png) that is actually an executable and the TRICKBOT payload. The first attempt to download our PNG file from lexpertpret[.]com actually failed, but a second attempt out to hvsglobal[.]co[.]uk was successful in downloading and then saving to 'C:\Users\student\AppData\Local\Temp\ywbltmn.exe'.
NetWitness provides visibility and characterizes this activity as malicious into this through some of the more obvious meta tags, such as session.analysis = “first carve not dns”, service.analysis = “http no referer”, and file.analysis = “exe filetype but not exe extension”.
NetWitness Endpoint (aka ECAT) also easily detects this shady behavior. For more details, please refer to FirstWatch's July 2017 work against Trickbot.
The malware’s configuration file carries Command and Control (C2) information as well as other module related settings. In this case, version is 1000030, the group tag is ser801 and systeminfo & injectDll are the two modules the executable will attempt to download from any of the listed C2.
Most of these C2 IPs are known to be associated with devices like Routers and IP Cameras [3]. For example, 84[.]238[.]198[.]166 from our config file appears to be a Router.
This version (1000029) of Trickbot also debuts worm-like capabilities to spread infections via the Eternal Blue exploit of CVE-2017-0144 in Server Message Block (SMB) protocol. To do so, the malware attempts to get servers using NetServerEnum Windows API and then query LDAP to identify computers that are not domain controllers [1]. It is believed that these capabilities are in a testing phase and not yet fully implemented.
Image Source: https://www.flashpoint-intel.com/wp-content/uploads/2017/07/image3.png
With regard to evasion, this new Trickbot codebase also demonstrates new capabilities [4]. Recent Trickbot versions contain blacklist checks for a variety of Defense/Research oriented DLLS, Processes, Filenames, Usernames, Window Names, and also checks if a Debugger is present. On any positive hit, Trickbot exits and uninstall itself.
Image Source: https://www.cyphort.com/wp-content/uploads/2016/07/payload_anti.png
The version 1000030 is also known to have two extra modules then previous versions of Trickbot [2]:
1. module.dll – Written in C++ and it steals information from browsers
2. outlook.dll – Written in Delphi and it steals Microsoft Outlook Data
Presence of Delphi can be assumed by analyzing the dropped EXE file through hybrid analysis:
Post infection, Trickbot uses both “Static Injection” (replace real bank login pages with rogue ones) and “Dynamic Injection” (redirect browsers to C2) to steal victim credentials. Below is an example of a legitmate (left) and rogue page (right), where a Chrome icon indicates some elements in the page are not from secure sources [5]:
Trickbot banking trojan and the group responsible need to be studied with some periodicity, because this successor of Dyre has proven to be capable and ever evolving. All relevant IOCs have been added to the FirstWatch C2 Domains and IPs feeds as available in RSA Live.
Thanks to Kevin Stear and Erik Heuser for their contribution.
References:
[1] https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/
[3] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
[4] https://www.cyphort.com/trik-bot-lots-tricks-sleeve/
[5] https://labsblog.f-secure.com/2017/06/13/trickbot-goes-nordic-once-in-a-while/
