Threat Spotlight: TrickBot Infostealer Malware

TrickBot is an information-stealing malware bot that has been in the wild since 2016. A successor to the Dyre banking trojan, it is normally delivered through malicious spam and malvertising: the user opens an attachment from a malicious email or is redirected to an illegitimate website, and the malware is dropped.

These emails tend to be fake banking notifications purporting to come from popular online hosting and payment services, tricking the user into opening them.

Typically the attached document asks the unsuspecting user to enable editing, and with it the macro. Once this is done the macro writes a small .bat script, which in turn uses PowerShell.exe to download the malware. The malware can also spread to other devices on the local network through its worm modules.

Once running, the malware tries to connect to its command and control (C2) infrastructure, and after a successful connection it begins to pull down numerous files. These DLL modules each add a capability that increases the amount of confidential and private information the malware can steal, and a few of them perform reconnaissance of the infected device and its network. To spread the infection, the malware has two separate worm modules that move laterally and extend the damage across the local network.

The malware's modular design makes detection and removal difficult. If one of its components is forcibly removed, the persistence mechanism simply pulls a fresh copy of it from the C2 infrastructure. It can also download updated versions of its DLLs and entirely new modules; over the last three years the variant first seen in the wild has spawned many new versions and many new DLL modules that extend its capabilities.

The malware's main function is to perform man-in-the-browser attacks against users visiting banking websites, using web-injects to alter the appearance of those sites. Victims then enter sensitive details into the altered pages, leading to their accounts being compromised.

In 2017 the malware started targeting European banks in countries such as the United Kingdom and France. The bot continues to be developed and becomes more effective over time:

Figure 1: Various capabilities of botnets

Malware Botnets

Botnets come in various sizes and with various capabilities. Malware authors use some botnets to bring down websites with distributed denial of service (DDoS) attacks; others use the compromised devices to send spam and grow the botnet. Many botnets act as malware droppers: once a system is compromised the bot can drop further unwanted files and even other malware. Another common botnet function is running phishing campaigns.

For TrickBot, the prime objective is information stealing: obtaining private and sensitive data such as financial login details. With this information in hand, the malware authors can carry out a multitude of malicious actions. TrickBot's modules each have an individual role and are designed to obtain as many credentials and as much private information as possible.

File Information

SHA256: 806bc3a91b86dbc5c367ecc259136f77482266d9fedca009e4e78f7465058d16
Type: Malware bot
Size: 506 KB (519149 bytes)
Timestamp: 2018-09-25 10:47:59
ITW names: TrickBot, Trickster, TrickLoader


Technical Analysis

Static Analysis

Because of the complexity of the main malware file, the threat actors have written their own custom packer to make static analysis of it difficult. The DLLs the malware drops tend to be easier to analyze statically, with many key components clearly visible.

In older versions of the malware most of the components are encrypted with AES; recent versions have been observed layering XOR encoding on top of the AES-encrypted data.

Dynamic Execution Process Flow

  • Infection happens through weaponized Word and Excel documents, posing as bank/service correspondence, with embedded macros
  • The macro drops a .bat file that downloads the malware
  • The malware is written to the %APPDATA% (AppData\Roaming) folder and executed
  • Uses process hollowing to inject itself into svchost.exe
  • Stops and deletes the services of several antivirus (AV) products
  • Creates scheduled tasks on the system for persistence
  • Tests Internet connectivity
  • Uses Transport Layer Security (TLS) to encrypt its communications
  • Once online, connects to its C2 servers
  • Pulls down its various modules and updates
  • Modules collect system information and browser credentials, focusing mostly on online banking
  • Attempts to spread across the network with its worm modules to acquire further bots/victims

Once the main file is running, the malware performs several actions before pursuing its goals. It first checks for a debugger and for numerous AV solutions, including Microsoft's own built-in malware protection:

Figure 2: The initial bot file disables and deletes Windows Defender

If any AV services are running, the malware attempts to stop, disable and eventually delete them to avoid detection. It then copies itself into %APPDATA%\{Folder Name} (i.e. under AppData\Roaming). Once this is complete it uses process hollowing to insert itself into an svchost.exe instance and gathers basic system information for reconnaissance. Finally, it attempts to connect to its C2 infrastructure; upon a successful connection it drops the malware's initial modules, systeminfo.dll and injectdll.dll.

Since the malware's release its suite of tools has grown; it now has a large set of modules that perform further reconnaissance, steal valuable information and spread through the victim's network. Some modules download configurations that are stored in their own dedicated folders.

Persistence

The malware creates a scheduled task that runs the main bot file in %APPDATA%\{Folder Name} every 10 minutes. Beyond surviving reboots, this persistence technique ensures that all of its downloaded modules keep running.

Modules

The architecture of the system the malware is running on determines which modules it drops. On a 32-bit system the downloaded modules are named and built for that architecture:

Example: WormDll32.dll / WormDll64.dll
A5fda73fd93c5eea9184f51dde4227f3a223b996741f43662b3132bf6a7eec3c – 32-bit modules zip
728445bcffa48f874d0e0b2932e5c08cab5cdf9e4453193ac3dcf1ba955d77d7 – 64-bit modules zip

Figure 3: Trickbot after downloading all its various modules

Currently the malware can drop nine different modules, each unique and designed for a particular task in service of the overall goal of information stealing. The modular approach helps avoid detection and makes updating and upgrading the malware much easier for the threat actors.

Each running TrickBot component needs its own svchost.exe instance, because the malware hollows that process to hide its true intent from the user. Although the malware has been in the wild for over three years, its creators have constantly developed and advanced it to make it more damaging to its victims, so this list of malicious modules will continue to grow.

SystemInfo

This is one of the first modules the malware ever dropped, dating back to 2016. Its main purpose is reconnaissance of a newly infected host once it joins the botnet: the DLL harvests information about the system and sends it back to the attackers so they can get an insight into their new victim machine.

The DLL uses various techniques to pull as much information from the system as possible, including the Operating System (OS) version and details, CPU information and error logs:

Figure 4: SystemInfo obtaining system startup information

Figure 5: SystemInfo obtain other information on systems OS

InjectDLL

This is the core module of the bot: it stores the web-inject scripts and is responsible for performing the injections. It contains a script referencing over 500 banking sites from across the world, and when a user on an infected machine visits one of those sites the corresponding web-inject is applied.

The DLL injects extra fields into the page so that it still looks legitimate; the victim's credentials are then stolen when he or she types confidential information into the injected fields.

Static analysis of the DLL's many hardcoded strings shows references to domain names from many countries and to browsers such as Chrome and Firefox, from which it aims to exfiltrate data:

Figure 6: InjectDLL attempting to copy Chrome information

This module keeps a separate folder for its web-injects, labeled injectDll32configs. In this folder are two encrypted files, sinj (static injects) and dinj (dynamic injects). Once decrypted, they contain hundreds of references to banking websites around the world:

Format:

<sinj>
  <mm>https://www.bankExample.com*</mm>
  <sm>https://www.bankExample/login/logon.do*</sm>
  <nh>cbsapjarxqombyuewvgkhsdlznit[dot]net</nh>
  <url404></url404>
  <srv>31.131.27[dot]144:443</srv>
</sinj>
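Decoded sinj entries are most useful when you can ask which URLs would trigger an inject and which hosts serve it. The following Python is an added example, not code from the page or from the malware. It reads <mm> as the URL mask that triggers the inject, <sm> as the mask for the form-submission URL, <nh> as the inject host and <srv> as the inject server, which is the usual interpretation of these fields (an assumption here); it treats * as a wildcard as in the masks shown, and it runs on a constructed config with placeholder hostnames and IPs.

```python
"""Parse TrickBot-style static web-inject (sinj) entries and test URLs
against their masks. Added example, not code from the page or from the
malware; the config below is constructed in the format the write-up
shows, with placeholder hostnames/IPs defanged as [dot]."""
import re

# Constructed sample, not a real decoded sinj file.
SAMPLE_SINJ = """
<sinj> <mm>https://www.bankExample.com*</mm>
<sm>https://www.bankExample.com/login/logon.do*</sm> <nh>cbsapjarxqombyuewvgkhsdlznit[dot]net</nh> <url404></url404> <srv>31.131.27[dot]144:443</srv> </sinj>
<sinj> <mm>*://online.bankTwo.example/*</mm>
<sm>*://online.bankTwo.example/auth*</sm> <nh>inject-host[dot]example</nh> <url404>/notfound</url404> <srv>198.51.100[dot]7:443</srv> </sinj>
"""

# Field meanings are the usual reading of these entries (an assumption):
# mm = URL mask that triggers the inject, sm = URL mask of the form
# submission, nh = host that serves the inject, srv = inject server.
FIELDS = ("mm", "sm", "nh", "url404", "srv")


def refang(value):
    """Turn the defanged '[dot]' notation back into '.' so masks can match real URLs."""
    return value.replace("[dot]", ".")


def parse_sinj(text):
    """One dict per <sinj> block; absent fields become '' so callers can rely on the keys."""
    entries = []
    for block in re.findall(r"<sinj>(.*?)</sinj>", text, flags=re.S):
        entry = {}
        for name in FIELDS:
            m = re.search(rf"<{name}>(.*?)</{name}>", block, flags=re.S)
            entry[name] = refang(m.group(1).strip()) if m else ""
        entries.append(entry)
    return entries


def mask_to_regex(mask):
    """'*' is the only wildcard in the masks shown; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in mask.split("*")) + "$", re.S)


def url_matches(mask, url):
    """Empty masks never match, so an entry without <sm> cannot match every URL."""
    return bool(mask) and mask_to_regex(mask).match(url) is not None


def injects_for_url(entries, url):
    """Entries whose trigger mask covers the URL."""
    return [e for e in entries if url_matches(e["mm"], url)]


def is_submit_url(entries, url):
    """True if a form submission to this URL is covered by some entry's submit mask."""
    return any(url_matches(e["sm"], url) for e in entries)


def inject_servers(entries):
    """Deduplicated inject hosts and servers: the network IOCs a defender blocks or hunts for."""
    return sorted({e["nh"] for e in entries if e["nh"]} | {e["srv"] for e in entries if e["srv"]})


if __name__ == "__main__":
    entries = parse_sinj(SAMPLE_SINJ)
    for url in ("https://www.bankExample.com/accounts", "https://online.bankTwo.example/auth?step=1"):
        hit = injects_for_url(entries, url)
        print(url, "->", [e["nh"] for e in hit], "submit" if is_submit_url(entries, url) else "")
    print("IOCs:", inject_servers(entries))
```

Feed the script the decrypted sinj text instead of SAMPLE_SINJ to get the inject hosts and servers as a block list, and to check whether a given customer-facing URL is on the target list. Matching is case-sensitive here; whether the bot folds case is not something the page establishes.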

MailSearcher

This DLL is used for further reconnaissance of the system: it has functions that search the infected host's file system for several hardcoded file extensions. Once the sweep is finished the DLL reports back to its C2 infrastructure:

Figure 7: MailSearcher searching the victim device for numerous file extensions

WormDLL and ShareDLL

These modules were dropped in mid-2017 and are used to propagate the malware. They allow it to self-replicate across the network: Lightweight Directory Access Protocol (LDAP) queries enumerate hosts in the domain, and the Server Message Block (SMB) vulnerability MS17-010 in Microsoft Windows is used to compromise them.

The worm module spreads the malware across the infected host's local network to grow the botnet. Though not as destructive as the WannaCry ransomware that hit globally in 2017, it uses the same exploit to attempt to spread:

Figure 8: Various strings found in Worm module

Figure 9: Module makes numerous references to the Server Message Block

Figure 10: PowerShell command downloading worm

ImportDLL

The main purpose of this module is to steal cookies, HTML5 local storage, browser history and visited URLs. First seen in the wild in early 2017, it attempts to steal as much data as it can from as many websites as it can. The module can also create a hidden virtual desktop on the victim's machine for further capabilities. The URLs hardcoded in this DLL range from shopping websites all over the world to login pages for attractions such as museums:

Figure 11: Various URLs of hundreds of websites are hardcoded

TabDLL

This module, in the wild since 2018, uses Mimikatz to steal WDigest credentials. It gets around Microsoft's protection of these credentials by re-enabling WDigest: setting UseLogonCredential to 1 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.

When WDigest authentication is enabled, plaintext passwords are kept in the memory of the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default on Windows 8.1, Windows 10 and later (and on older versions with KB2871997 applied), but the malware turns it back on.

The module also has a lock-screen component, used after the malware logs the user out of the device. Because WDigest support is enabled by the time the user logs back in, the credentials entered at that logon are cached in plaintext and can be stolen.
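Both of these host artefacts are straightforward to hunt for in endpoint telemetry: the scheduled task described under Persistence (a task under %APPDATA% firing every 10 minutes) and the WDigest change described in this section. The Python below is an added example, not BlackBerry's or the page's code. It runs two rules over constructed event records shaped like a Windows Security 4698 (scheduled task created) event, whose TaskContent field carries the Task Scheduler XML, and a Sysmon Event ID 13 (registry value set) event. The task name, file paths and the svchost.exe image are placeholders, and the parsed-dict shape is an assumption about how a log pipeline would present the events.

```python
"""Hunt for two TrickBot host artefacts: a scheduled task that re-launches
a binary under %APPDATA% on a short repeat interval, and
WDigest\\UseLogonCredential being set to 1. Added example, not the
page's or BlackBerry's code. The events below are constructed to look
like Security 4698 and Sysmon 13 records after parsing into dicts; the
task name, paths and timestamps are placeholders."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed events (not real telemetry).
EVENTS = [
    {"EventID": 4698, "TaskName": "\\Bot Task",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition>
  <StartBoundary>2018-09-25T10:48:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\victim\\AppData\\Roaming\\ExampleDir\\client.exe</Command></Exec></Actions>
</Task>"""},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2018-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions>
</Task>"""},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\lsass.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel",
     "Details": "DWORD (0x00000003)"},
]


def iso_duration_minutes(value):
    """ISO 8601 durations as Task Scheduler writes them (PT10M, PT1H, P1D);
    None when the field is absent or unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def task_artifacts(task_xml):
    """Exec commands and the shortest repetition interval (minutes) of a task definition."""
    root = ET.fromstring(task_xml)
    cmds = [c.text or "" for c in root.iter(TASK_NS + "Command")]
    intervals = [iso_duration_minutes(i.text) for i in root.iter(TASK_NS + "Interval")]
    intervals = [i for i in intervals if i is not None]
    return cmds, (min(intervals) if intervals else None)


def rule_appdata_repeating_task(event, max_minutes=15):
    """4698: task whose action lives under AppData\\Roaming and repeats at
    least every max_minutes; the TrickBot task fires every 10 minutes."""
    if event.get("EventID") != 4698:
        return None
    cmds, interval = task_artifacts(event["TaskContent"])
    suspicious = [c for c in cmds if re.search(r"\\AppData\\Roaming\\", c, re.I)]
    if suspicious and interval is not None and interval <= max_minutes:
        return f"repeating task {event['TaskName']} every {interval:g} min runs {suspicious[0]}"
    return None


def rule_wdigest_enabled(event):
    """Sysmon 13: UseLogonCredential written with a non-zero DWORD."""
    if event.get("EventID") != 13:
        return None
    if not re.search(r"\\SecurityProviders\\WDigest\\UseLogonCredential$",
                     event.get("TargetObject", ""), re.I):
        return None
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]+)\)", event.get("Details", ""))
    if m and int(m.group(1), 16) != 0:
        return f"WDigest plaintext credential caching enabled by {event.get('Image')}"
    return None


def run_rules(events):
    """Apply both rules; returns (rule name, message) per hit in event order."""
    hits = []
    for ev in events:
        for rule in (rule_appdata_repeating_task, rule_wdigest_enabled):
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in run_rules(EVENTS):
        print(f"[{name}] {msg}")
```

The interval threshold is deliberately loose (15 minutes) so a variant that changes the timer slightly is still caught; the registry rule keys on the value name rather than on a specific writer, since the write arrives from a hollowed svchost.exe rather than from an obviously malicious image. Auditing of 4698 must be enabled (Audit Other Object Access Events) for the first rule to have anything to read.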

Another feature of this module is its use of the leaked EternalRomance exploit (also against MS17-010) to spread independently of the worm module, giving the malware a second form of lateral movement.

NetworkDLL

This reconnaissance DLL was first dropped in 2018. It gathers further system information and information about the network the system sits on, querying the host for values such as:

  • CSName
  • Service Pack version
  • OS Architecture
  • Boot Device
  • Organization

…to name just a few. The DLL also runs basic Windows shell commands such as "ipconfig /all" to acquire the TCP/IP configuration of every adapter and "net view /all" to enumerate the computers and shares visible from the device.

PWGrab32

This DLL is another password-stealing component, dropped by the malware in late 2018. It enumerates the browsers installed on the system and attempts to steal any login information they have saved, recording each entry as:

Website host|Login ID|Login password

The component can also steal client credentials from Outlook and FileZilla. Once a user's information has been harvested, the malware receives a command from its C2 servers to upload it.

BlackBerry Cylance Stops TrickBot

BlackBerry® Cylance® uses artificial intelligence (AI) agents trained for threat detection on millions of both safe and unsafe files. This allows CylancePROTECT® to spot a threat based on countless file attributes rather than a specific file signature, and so to block TrickBot.

CylancePROTECT, which offers a predictive advantage over zero-day threats, is trained on and effective against legacy malware like TrickBot.

Indicators of Compromise (IOCs)

Malware Partnerships

In 2018-2019 the authors of TrickBot have been extremely busy spreading their malware through droppers. Emotet has been seen dropping TrickBot, and TrickBot and IcedID, another infostealer, have each been seen dropping the other. We will reveal more about this behavior in Part 2 of this write-up.

C2 Infrastructure

Once the malware has Internet access, the file Config.conf is dropped. It is AES-encrypted but contains the details of the malware's C2 infrastructure and hence the scale of the operation. In late 2017 a decoder for it was made freely available on GitHub:

https://github.com/hasherezade/malware_analysis/blob/master/trickbot/trick_config_decoder.py

The decoder is a Python script that takes a TrickBot config file and decodes it for anyone who needs to. With it, the malware's C2 infrastructure is revealed:

87.101.70.109:499
31.134.60.181:499
85.28.129.209:449
82.214.141.134:499
31.172.177.90:499
185.55.64.47:49
212.14.51.56:443
212.14.51.43:443
78.140.221.157:443
94.103.82.26:443
194.87.236.113:443
85.143.213.25:443
185.242.179.122:443
31.131.26.122:443
91.235.129.166:443
185.82.218.188:443
94.103.82.169:443