Rewterz Informative Update – Trickbot Malware-As-A-Service – Innovation for Destruction

Severity

High

Analysis Summary

Although Trickbot was first identified in late 2016, it quickly transformed into a Malware-as-a-service (MaaS) from being a well-established banking trojan. The malware is used by ideologically and financially motivated threat actors and cybercriminals alike.

The trickbot phishing campaigns differ from victim to victim as they encompass personal and financial data, and also deploy ransomware threats like “Ryuk” and “Conti.” Trickbot payload distribution may also be reminiscent of “Emotet” and “BazarLoader.”

Malware distribution and phishing go hand-in-hand, and the same can be seen for Trickbot. Common themes, for instance, business-related notifications or invoices are used to lure the victims into downloading weaponized Microsoft Office attachments.

The targets vary from country to country and range from the financial sector to the healthcare sector. Operations led by Microsoft’s Digital Crimes Unit (DCU) have also been conducted against the group in October of 2020. The assumption was that the group would be eliminated, and although the attempt eliminated 94% of trickbot’s infrastructure, the group has regained its standing by adding new servers.

The capabilities of Trickbot are diverse and multitudinous; Ranging from Data theft to lateral movement, to persistence, to reconnaissance, and also remote access. The modules include:

Data Theft:  

• aDll: Steals the Active Directory (AD) database;
• cookiesDll: Steals cookie data from web browsers;
• domainDll: Steals credentials and data from Domain Controllers via LDAP;
• injectDll & loaderDll: Injects credential-stealing elements into web browsers viewing banking websites;
• MailClient: Steals data from local and webmail clients for use in other malspam campaigns;
• mailsearcher: Searches for files of a specific type;
• outlookDll: Steals credentials from Microsoft Outlook;
• pwgrab: Steals stored passwords from web browsers;
• squlDll: Gathers email addresses from SQL servers and utilizes ‘Mimikatz’ to scrape credentials from memory;
• shadnewDll: Custom proxy module from ‘IcedID’ to intercept and modify web traffic used for web-injects on banking websites;

Lateral Movement:  

• mshareDll, shareDll & tshareDll: Allows lateral movement and enumeration through Server Message Block (SMB) shares;
• mwormDll, nwormDll, wormDll & wormwinDll: Lateral movement via SMB using the ‘EternalBlue’ exploit;
• tabDll: Allows propagation via SMB by exploiting vulnerabilities including ‘EternalRomance’ and those covered by Microsoft Security Bulletin ‘MS17-010.’

Persistence:  

• PermaDll: Reportedly used to gain low-level persistence through a compromised host’s BIOS or UEFI as well as potentially providing remote ‘bricking’ capabilities by erasing or overwriting the firmware;

Reconnaissance:  

• importDll & moduleDll: Gathers data from web browsers including browsing history and cookies;
• networkDll: Gathers system and network topology information;
• psfin: Determines if any Point-of-Sale (POS) software is present;
• Systeminfo: Gathers system information from the compromised host;

Remote Access:  

• BCClientDll & NewBCtestDll: Reverse SOCKS5 proxy;
• hvnc & vncDll: Provides remote control through the Virtual Network Computing (VNC) protocol;
• mexecDll: Provides the ability to download and execute additional payloads;
• rdpScanDll: Attempts to brute force access to Remote Desktop Protocol (RDP) services;
• vpnDll: Creates a VPN proxy.

Recent Campaigns include:

Initial Lure:

Phishing emails disguising malware inside Microsoft Excel spreadsheets were noted in the mid of December 2020. The emails lure victims by masquerading as legitimate business communications. A victim (Figure 1) receives an email that the sent spreadsheet has been encrypted by ‘DocuSign’ and can be decrypted by clicking ‘Enable Editing’ and ‘Enable Content.’ The purpose of the email is to lure the victim into the opening and downloading the main Trickbot payload.

Macro Downloader:

The macro “URLDownloadToFile” is used in this campaign to download the Trickbot payload from a specified URL (Figure 2).

Installation:

The malicious dynamic-link library (DLL) is loaded by executing the already downloaded Trickbot executable payload, ‘rundll32.’ The entry point used is DllRegisterServer: rundll32 C:\\IntelCompany\\JIOLAS.RRTTOOKK,DllRegisterServer. 

The absence of an entry point, for instance, if executed in an automated analysis environment, results in some benign execution and therefore causes the threat to be ignored.

Trickbot, Having been successfully loaded, then performs DLL injection into the legitimate Windows Error Reporting executable wermgr.exe before terminating the previous process (Figure 3).

Command and control:

The C2 infrastructure (command and control) is called upon by Trickbot once it is executed. The C2 infrastructure is called to download additional modules and act on the threat actor’s objectives. 

Trickbot attempts to request consent from several servers as multiple C2 server IP addresses are being observed in memory, potentially done to improve resilience. Notably, in addition to the commonly utilized ports 443, 449, and 499, numerous other IP addresses were also observed with other common ports. /<GTAG>/<CLIENT_ID>/<COMMAND>/<PARAMETERS>

• <GTAG>: Also referred to as the botnet ID, this identifier is used within configuration files as well as C2 traffic and relates to a specific campaign;
• <CLIENT_ID>: Composed of victim username, Windows version, and a seemingly random hexadecimal string for uniqueness;
• <COMMAND>: Such as the following observed commands in conjunction with appropriate <PARAMETERS>:
  • 0: Initial call home with details of the victim operating system and IP address;
  • 1: Keep alive;
  • 5: Download a specified module;
  • 10: Logging;
  • 14: Sends victim device information including username and network status;
  • 23: Sends the current version to obtain the latest configuration;
  • 25: Requests the latest Trickbot executable binary;

Impact

• Trickbot is widely used for financial and ideological gains, and this leads to financial loss for the victim.
• Credential theft is a major impact of Trickbot.
• Phishing also leads to information disclosure and exposure of sensitive data.

Remediation

Phishing is a two-way indirect attack that requires actions from the victim to take full effect. This means that practicing healthy online habits can help mitigate these threats. The following remediations and mitigation techniques help secure systems from Trickbot:

• Employee security awareness training help spread awareness about cybersecurity threats.
• Improve workplace culture on cybersecurity by engaging in conversations or giving seminars on cyberthreats.
• Files encouraging users to ‘Enable Editing’ or ‘Enable Content’ should be handled with added vigilance.
• Employing control systems like IDS/IPS (intrusion detection and prevention systems), and limiting permission is also an important step.