Trickbot Malware-as-a-service

Introduction

First identified in late 2016, ‘Trickbot’ evolved from being a well-established banking trojan into a malware-as-a-service (MaaS) threat utilized by both cybercriminals and nation-state threat actors for predominantly financially motivated campaigns.  

Supporting modular components, Trickbot campaigns will differ based on the requirements of the MaaS ‘customer’ with many being used to steal personal and financial data as well as deploying ransomware threats, such as ‘Conti’ and ‘Ryuk’, to victims.  

Seemingly demonstrating that threat actors make use of multiple ‘as-a-service’ offerings and a variety of malicious tools to achieve their goals, Trickbot payloads have been observed as distributed by ‘Emotet’, the banking trojan turned malicious delivery botnet, as well as BazarLoader.  

As such, Trickbot campaigns typically commence with the delivery of malicious emails containing weaponized Microsoft Office attachments that provide download capabilities to install the main payload. These emails make use of common themes, such as invoices or business-related notifications, and have been observed as utilizing COVID-19 lures throughout 2020. 

Traditionally targeting victims in Europe and North America, Trickbot campaigns have targeted individuals and organizations globally, across multiple sectors, and have reportedly infected over one million devices since its discovery. 

Given this, Trickbot has been the target of multiple takedown attempts with the most recent being an operation in October 2020 led by Microsoft’s Digital Crimes Unit (DCU) alongside industry partners. This activity culminated in the ‘elimination’ of a reported 94% of Trickbot’s infrastructure, as of 18 October 2020, although those behind the threat responded by commissioning new servers. 

Whilst the efforts of Microsoft and their partners temporarily disrupted Trickbot during the US-election campaigns, subsequent reports confirm that the botnet has likely returned to full strength and, in addition to undoubtedly creating a ‘whack-a-mole’ situation for takedown efforts, remains an active threat to organizations worldwide.

Modules

In addition to allowing simple updates and new capabilities to be added by those maintaining Trickbot, the modular approach presumably allows each campaign to be tailored to a target victim as well as meeting the needs of each threat actor utilizing this threat. 

Demonstrating a broad range of capabilities, the following modules have been observed as used by Trickbot: 

Data Theft:  

• aDll: Steals the Active Directory (AD) database; 
• cookiesDll: Steals cookie data from web browsers; 
• domainDll: Steals credentials and data from Domain Controllers via LDAP; 
• injectDll & loaderDll: Injects credential stealing elements into web browsers viewing banking websites; 
• MailClient: Steals data from local and web mail clients for use in other malspam campaigns; 
• mailsearcher: Searches for files of a specific type; 
• outlookDll: Steals credentials from Microsoft Outlook; 
• pwgrab: Steals stored passwords from web browsers; 
• squlDll: Gathers email addresses from SQL servers and utilizes ‘Mimikatz’ to scrape credentials from memory; 
• shadnewDll: Custom proxy module from ‘IcedID’ to intercept and modify web traffic used for web-injects on banking websites; 

Lateral Movement:  

• mshareDll, shareDll & tshareDll: Allows lateral movement and enumeration through Server Message Block (SMB) shares; 
• mwormDll, nwormDll, wormDll & wormwinDll: Lateral movement via SMB using the ‘EternalBlue’ exploit; 
• tabDll: Allows propagation via SMB by exploiting vulnerabilities including ‘EternalRomance’ and those covered by Microsoft Security Bulletin ‘MS17-010’; 

Persistence:  

• PermaDll: Reportedly used to gain low-level persistence through a compromised host’s BIOS or UEFI as well as potentially providing remote ‘bricking’ capabilities by erasing or overwriting the firmware;

Reconnaissance:  

• importDll & moduleDll: Gathers data from web browsers including browsing history and cookies; 
• networkDll: Gathers system and network topology information; 
• psfin: Determines if any Point-of-Sale (POS) software is present; 
• Systeminfo: Gathers system information from the compromised host; 

Remote Access:  

• BCClientDll & NewBCtestDll: Reverse SOCKS5 proxy; 
• hvnc & vncDll: Provides remote control through the Virtual Network Computing (VNC) protocol; 
• mexecDll: Provides the ability to download and execute additional payloads; 
• rdpScanDll: Attempts to brute force access to Remote Desktop Protocol (RDP) services; 
• vpnDll: Creates a VPN proxy. 

Recent Campaign

Initial Lure

Providing an indicator of common campaign traits, weaponized Microsoft Excel spreadsheets were observed as delivering Trickbot to victims in multiple mid-December 2020 campaigns.

Likely attached to an email lure masquerading as a legitimate business communication, the victim is presented (Figure 1) with content that claims the spreadsheet has been encrypted by ‘DocuSign’ and requests that the security prompts to ‘Enable Editing’ and ‘Enable Content’ are clicked to allow ‘decryption’.

Figure 1 – Microsoft Excel spreadsheet lure

As is common with lures of this nature, this social engineering attempt serves only to trick a victim into allowing a malicious macro to execute and, in this case, download the main Trickbot payload.

Notably, victims opening this file on a mobile device, or using Microsoft Office’s online viewer, are encouraged to open it on their desktop PC due to the macro not executing in these environments.

Macro Downloader

Using a somewhat straight-forward macro, the URLDownloadToFile function is used to download the Trickbot payload (Figure 2) from a specified URL.

Figure 2 – Macro downloader

Presumably to avoid casual inspection and detection, the strings for both the download URL and filename are referenced on a hidden sheet named ‘Files’ that in turn compiles them from multiple cells on a hidden sheet named ‘fol’ (Figure 3).

Figure 3 – Obfuscated strings from hidden sheets

In this instance, the requested URL ends with the ‘png’ image file extension, likely a low-sophistication attempt to appear benign to countermeasures that don’t inspect file content (Figure 4), and the Trickbot payload is saved to a folder that mimics ‘Intel Corporation’: C:\IntelCompany\JIOLAS.RRTTOOKK.

Figure 4 – HTTP GET request for a ‘png’ with executable content

Installation

Having downloaded the Trickbot executable payload, ‘rundll32’ is executed to load the malicious dynamic-link library (DLL) using the DllRegisterServer entry point:

rundll32 C:\IntelCompany\JIOLAS.RRTTOOKK,DllRegisterServer

The absence of an entry point, such as if executed in an automated analysis environment, would likely result in some benign execution and therefore cause the threat to be ignored.

Having successfully loaded, Trickbot then performs DLL injection into the legitimate Windows Error Reporting executable wermgr.exe (Figure 5) before terminating the previous process.

Figure 5 – Trickbot execution chain

Command & Control

Once executed Trickbot will attempt to call home to its command and control (C2) infrastructure in order to download additional modules and act on the threat actor’s objectives.

With multiple C2 server IP addresses being observed in memory, Trickbot seemingly attempts to request content from multiple servers (Figure 6), potentially for resilience.

Figure 6 – C2 Communication

Notably, in addition to the commonly utilized ports 443, 449 and 499, numerous C2 IP addresses were also observed with less common port numbers.

Analysis of GET requests sent to Trickbot C2 infrastructure can lead to the identification of various commands based on the use of a common structure:

/<GTAG>/<CLIENT_ID>/<COMMAND>/<PARAMETERS>

• <GTAG>: Also referred to as the botnet ID, this identifier is used within configuration files as well as C2 traffic and relates to a specific campaign;
• <CLIENT_ID>: Composed of victim username, Windows version and a seemingly random hexadecimal string for uniqueness;
• <COMMAND>: Such as the following observed commands in conjunction with appropriate <PARAMETERS>:
  • 0: Initial call home with details of the victim operating system and IP address;
  • 1: Keep alive;
  • 5: Download a specified module;
  • 10: Logging;
  • 14: Sends victim device information including username and network status;
  • 23: Sends the current version to obtain the latest configuration;
  • 25: Requests the latest Trickbot executable binary;

Furthermore, specific modules utilize the same C2 communication method and therefore other command values may indicate module status updates and data exfiltration.

In a somewhat unusual observation, communications with C2 servers have been observed as utilizing a user-agent string typically associated with the command line ‘curl’ utility. As such, unexpected communications featuring the user-agent curl/7.71.0 may be indicative of potential Trickbot activity.

Recommendations

• Employee security awareness training, taking into account topical themes used by threat actors, can help them identify and handle suspicious content such as email attachments.
• Reinforce the message that files encouraging users to ‘Enable Editing’, ‘Enable Content’ or disable any other security setting are almost certainly malicious.
• Use Group Policy to disable macros from running in Microsoft Office applications (legitimate macros should be digitally signed to allow for an exception to the disable rule).
• Disable administrative tools and script interpreters, such as PowerShell, to prevent their misuse by malicious payloads.
• Limit user permissions according to the principal of least privilege (POLP).
• Enhance network security by employing latest intrusion detection and prevention systems (IDS/IPS), including the denial of access to known malicious domains, hosts and IP addresses.

Indicators of Compromise

The following indicators of compromise (IOC) are associated with a recent Trickbot campaigns observed during December 2020.

Files (SHA256)

Microsoft Excel Lure

• 3db6dab9551aafabf4724c864cda28bc061b250cce2bd834f48040574bc07cb9
• 62d8cab8ec8b81bf3bd5a75ceca7b12bb2b26f4a40ded2320fdcfd33a49349d7
  • Document931215825.xls
• 829419a788104ec45e82487738be2779a83cac1b65bfc9343e351e75cfa49f5e
  • Document931215825.xls
• f669b9a3d89a8061089d819d5e4469389656d0ae39188c147592d2e165267b41
  • Document-63665398-12152020.xls

Trickbot Payload

• c91623796d2ebc3fc11faf8f9578b56fd4f61a06dec26f5648b9372ae30240da
  • C:\IntelCompany\JIOLAS.RRTTOOKK
  • apperol.png
  • oosnhsyysjmns.png
• da1ae69acf1b97bfac587addc9266155342bf8f2a7a80e0d09df9a577c39f7f9
  • C:\IntelCompany\JIOLAS.RRTTOOKK
  • diego.png

Payload

• hxxp://cahrhomeopathy.com/diego.png
• hxxp://starkdoor.com/apperol.png
• hxxp://www.webdispo.com/oosnhsyysjmns.png

Command & Control

Notably, communications with the following command and control (C2) IP addresses were observed as using the user-agent string curl/7.71.0.

• 5.34.180.168:443
• 34.116.68.148:12711
• 41.243.29.182:449
• 45.12.110.206:443
• 52.88.83.54:2726
• 62.116.88.136:11687
• 80.242.220.146:449
• 94.158.245.90:443
• 102.164.208.44:449
• 102.164.208.48:449
• 103.110.53.174:449
• 103.112.145.58:449
• 103.126.185.7:449
• 103.137.81.206:449
• 103.150.68.124:449
• 103.250.70.163:443
• 103.61.100.131:449
• 103.61.101.11:449
• 103.65.195.95:449
• 103.65.196.44:449
• 103.87.25.220:443
• 103.87.25.220:449
• 103.98.129.222:449
• 113.216.22.71:53158
• 118.69.133.4:443
• 141.136.0.42:443
• 146.91.245.192:44966
• 156.96.47.3:443
• 167.199.192.121:1702
• 177.221.108.198:449
• 178.134.55.190:449
• 184.95.51.178:443
• 186.130.221.30:24230
• 188.225.219.74:15270
• 189.89.218.190:33446
• 192.119.171.230:443
• 192.3.247.125:443
• 192.3.73.165:443
• 194.5.249.71:443
• 195.123.242.202:443
• 195.123.242.207:443
• 196.45.140.146:449
• 201.210.174.234:32166

MITRE ATT&CK