TrickBot: The Money and Information Stealer
In this post we’re going to take a closer look at the malware TrickBot and its devious abilities. No prior computer science education is needed; I will try to keep this as easy to understand for everyone as possible, but if you have any questions - don’t hesitate to ask and I’ll do my best to answer. :)
The purpose of this post is to give a basic understanding of how TrickBot works and operates. Hopefully it will also give an idea of what malware like this looks like and where it comes from, especially if you have no previous experience with it - this post is intended for you!
Introduction
TrickBot is a relatively new banking trojan that emerged in mid-2016. Its main purpose, like that of other banking trojans, is stealing money from your bank account or other financial institutions, as well as harvesting personal information to sell on the black market. All from your own computer. What really sets it apart from the others is its international scope: banking trojans usually target one or a few countries and their banks, because it takes a lot of work to maintain a functional bank-robbing program that can operate against multiple banks, as we’ll see later in this post. TrickBot, however, is able to steal from victims in over 25 countries across Europe, North America and Australia, and is likely to expand even further with time.
It is likely to have originated from the previously successful but now defunct banking trojan Dyreza, as it shares a lot of similarities in the code. This indicates the authors behind it have a lot of experience as well as resources to keep up such an advanced piece of malware that is also so good at evading being caught by antivirus software. It is currently only able to infect Windows computers, so if you run GNU/Linux or Mac, you should be safe (at least for now!).
So let’s dissect TrickBot and see what makes it so nasty.
Delivery
Like most other malware, TrickBot employs a variety of methods to infect your computer, such as exploit kits and botnets. I have already written about those topics in previous posts, so I’ll link to them here to avoid repeating myself:
About exploits and vulnerabilities
About botnets
But the currently dominant method of propagation is infected Word and Excel documents delivered by email. Typically, the emails are made to look like genuine messages from your bank or other corporations, with attached documents that are enticing to open, such as invoices, pay slips or something else that calls for action. These documents contain a piece of code called a macro, which in itself isn’t malicious, but which contains instructions for the computer to go to specified addresses and download the actual TrickBot. This is one of the many strategies that prevent antivirus software from detecting TrickBot in an infected document.
To analyze a bit deeper, here’s the chain of events that occurs when the document is allowed to run the macro:
First, a randomly named .bat-file (for example vahjgkd.bat) is created in a folder for storing temporary files: AppData/Local/Temp. A .bat-file is a simple list of commands for the computer’s command interpreter, giving it instructions that don’t need human interaction, so you won’t notice what’s happening. These instructions tell the computer to go to a specific site and download a malicious file that is disguised as a harmless image file, logo.png. The .bat-file is randomly named to once again avoid antivirus detection - it is more difficult to block something if you don’t know what it’s called.
The fake logo.png file is actually another randomly named file, this time an executable. Once downloaded and run, it creates a new folder, usually under AppData/Roaming/services or AppData/Roaming/winapp or similar; it varies a bit depending on the version of TrickBot. Additionally, it spawns a second randomly named .exe-file - this is the actual TrickBot - and saves it in the newly created folder. As a final task, the first .exe-file orders Windows to create a Scheduled Task for TrickBot. This makes Windows start the TrickBot malware every time the computer is restarted or the process is otherwise interrupted, making sure that it is always running no matter what you do. After all this work is done, the first .exe-file simply deletes itself.
Now it is time for the actual TrickBot to get to work! First, it needs to download its modules, which work kind of like Lego bricks. Each brick/module offers a different functionality, and they can be put together to form a highly customizable and adaptable construct. These modules are downloaded from addresses that are coded into TrickBot and are all saved in the newly created folder. I will write more in detail about these modules later on.
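The persistence step above (a Scheduled Task whose action lives under AppData/Roaming) is something a defender can check for, because Windows stores every task definition as XML under C:\Windows\System32\Tasks. The Python below is an added example, not code from the original post: it parses such a task definition and flags actions that run from AppData\Roaming, treating the folder names the post mentions (winapp, services) as a stronger signal. The sample task XML, user name and file names are constructed.

```python
import xml.etree.ElementTree as ET

# Every element of a Task Scheduler definition lives in this namespace.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Drop folders the post names for TrickBot (they vary between versions).
POST_DROP_DIRS = ("\\appdata\\roaming\\winapp\\", "\\appdata\\roaming\\services\\")


def exec_commands(task_xml):
    """Return every Actions/Exec/Command value in a task definition.

    Real task files on disk are UTF-16 with an XML declaration: read them in
    binary mode and pass the bytes so the parser honours that encoding.
    """
    root = ET.fromstring(task_xml)
    return [(c.text or "").strip().strip('"') for c in root.iter(TASK_NS + "Command")]


def flag_roaming_persistence(task_xml):
    """Return (command, uses_known_dir) for each action that runs from AppData\\Roaming.

    An empty list means no action points into the roaming profile; the boolean is
    True when the path also uses one of the folder names from the post.
    """
    hits = []
    for cmd in exec_commands(task_xml):
        low = cmd.lower().replace("/", "\\")
        if "\\appdata\\roaming\\" not in low:
            continue
        hits.append((cmd, any(d in low for d in POST_DROP_DIRS)))
    return hits


# Constructed sample: a boot-triggered task whose action sits in AppData\Roaming\winapp,
# the shape of persistence the post describes. User, folder and file names are made up.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\winapp\\kfjdhsa.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: an updater under Program Files.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>"C:\\Program Files\\Example\\updater.exe"</Command></Exec></Actions>
</Task>"""
```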
Now TrickBot has successfully infected the system! Let’s look at what it does from here:
The Trick
After infecting a system, TrickBot hooks itself into the browser(s) - Firefox, Chrome, Internet Explorer or Edge. This means it will carefully monitor everything you do in your browser, while being disguised as a legitimate Windows process called svchost. It will not do anything else until you go to one of the sites TrickBot is looking out for - banks or other sensitive information services. Then it triggers its browser injection and redirection attack:
Whenever you have typed in the address of your bank, TrickBot will immediately take you to another site operated by the criminals behind it. That fake bank site will look identical to the real deal, and to make it worse, TrickBot has another trick up its sleeve: while you are redirected to the fake site, TrickBot also maintains a connection to the real bank in the background. From there, it fetches the original address and displays it in the browser, so you cannot see in the address bar that you are in the wrong place. To make it even worse, it also fetches the bank’s genuine digital certificate - which is used to identify and verify that the site does indeed belong to whoever it claims to - and injects it alongside the fake bank site. It is more or less impossible to tell apart from the real deal.
This of course requires the authors behind TrickBot to be able to replicate each individual bank from all over the world, including correct language and graphics, as well as keeping it updated with changes. This is why I mentioned that it’s what makes TrickBot so special; the team behind it has the enormous resources required to do so.
Once on the fake site, you will, as expected, be prompted for your login information. This will be harvested, and TrickBot will establish a connection to its Command and Control (C&C) server. This is a remote location from which it receives further instructions from the criminals, and where it drops off the harvested data and other information.
This type of redirection attack first surfaced in 2014 with TrickBot’s predecessor Dyreza.
Alternatively, depending on how the bank is set up, TrickBot may also use a similar type of injection attack that I have previously written about in this post.
Anatomy
Now let’s take a look at the structure of this particular malware. Here are its currently (as of November 2017) most important files and modules, all located in the folder created when TrickBot was delivered to the system:
- config.conf
This file contains the configurations for the communication with the C&C server, such as the information of where to go to download additional modules, dropping off collected data and settings for other modules.
- systeminfo
This is a system information gatherer. It finds out which usernames exist on the machine, which programs are installed, how much memory is available, which processor the computer has, and more.
- client_id and group_tag
Two other files that contain information. client_id records which version of Windows you’re running, a unique identifying number for this particular infection and the name of your computer, while group_tag contains information regarding the version of TrickBot. Together, these two form a sort of ID for the computer that is used in the communications to and from the C&C server. A (somewhat simplified, for readability’s sake) example of the content of these two files could be:
client_id: unichromescomputer_windows10.E4578F293
So first we have the name of the computer, an underscore followed by the operating system version, then a period followed by a random string of letters and numbers which is unique for each infection.
group_tag: tmt2
Just a single tag carrying internal information about the TrickBot version.
Let’s take a look at what a command sent by TrickBot to its C&C server can look like. Each command is represented by a number - for example, number 5 means “Download this specified module to me please” - and is formatted like this:
[IP to C&C server]/[group_tag]/[client_id]/[command number]/[module requested]
So if TrickBot wants to download systeminfo to my computer, it would look like this:
https://193.9.28.24/tmt2/unichromescomputer_windows10.E4578F293/5/systeminfo
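Because the request layout above is so regular, a defender can search web-proxy logs for it. The Python below is an added example, not code from the post: it parses a URL against the post’s simplified layout ([host]/[group_tag]/[client_id]/[command]/[module], with client_id as computername_windowsversion.randomhex) and scans constructed Squid-style log lines for it. Only command number 5 is documented in the post, so any other number is reported as unknown; the minimum id length, the IP address and the log lines are my own assumptions.

```python
import re

# Command numbers documented in the post; anything else is reported as "unknown".
KNOWN_COMMANDS = {5: "download module"}

# Simplified layout from the post: host/group_tag/client_id/command[/module], with
# client_id = <computer name>_<windows version>.<random hex id>. Assumption: the
# random id is at least 6 hex characters (the post's example has 9).
C2_PATTERN = re.compile(
    r"^https?://(?P<host>[^/\s]+)/(?P<group_tag>[A-Za-z0-9]+)"
    r"/(?P<client_id>[A-Za-z0-9-]+_[A-Za-z0-9]+\.[0-9A-Fa-f]{6,})"
    r"/(?P<command>\d+)(?:/(?P<module>[A-Za-z0-9_]+))?/?$"
)


def parse_c2_url(url):
    """Return the fields of a URL matching the post's C&C layout, or None."""
    m = C2_PATTERN.match(url.strip())
    if not m:
        return None
    computer, rest = m["client_id"].split("_", 1)
    win_version, _, bot_id = rest.rpartition(".")
    command = int(m["command"])
    return {
        "host": m["host"], "group_tag": m["group_tag"], "module": m["module"],
        "computer": computer, "windows_version": win_version, "bot_id": bot_id,
        "command": command, "command_meaning": KNOWN_COMMANDS.get(command, "unknown"),
    }


def scan_proxy_log(lines):
    """Return (line_number, parsed_fields) for each log line whose URL matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        for field in line.split():
            if field.startswith(("http://", "https://")):
                parsed = parse_c2_url(field)
                if parsed:
                    hits.append((number, parsed))
    return hits


# Constructed Squid-style proxy log lines (timestamp, client, method, URL, status);
# 198.51.100.7 is a documentation address standing in for a C&C server.
SAMPLE_LOG = [
    "1510000000.123 10.0.0.15 GET https://www.example.com/index.html 200",
    "1510000000.456 10.0.0.15 GET https://198.51.100.7/tmt2/unichromescomputer_windows10.E4578F293/5/systeminfo 200",
    "1510000000.789 10.0.0.15 GET https://cdn.example.org/static/img_2017.png 200",
]
```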
- importDll
This module is designed to steal information from your browser. Cookies, browser history, shared items, local storage, and more. Everything it can get its grabby hands on.
- injectDll
This one is responsible for the browser hijacking and the fraudulent bank sites I’ve talked about previously. To perform its duties, it employs the help of another configuration file, injectDll_configs, which in turn contains the following:
dinj: A list of all the banks and other sites that TrickBot targets; TrickBot consults it every time you go somewhere in your browser. If the site is on the dinj list, you will be subjected to the second type of attack I wrote about earlier in the post.
sinj: Also a list of targets that works just like dinj, but instead of the second type of attack, you will be redirected to the fake variant of the site.
dpost: Simply contains the IP address where the stolen banking data is exfiltrated to.
- outlookDll
This module is primarily targeted at corporate computers. It goes for the email credentials saved in Microsoft Outlook, such as emails, usernames, passwords, servers and ports. It finds this information stored in the computer’s registry, which is kind of like a library of settings and configurations for the system and its programs. All the data gathered is sent off to an IP address stored in the file mailsearcher_configs.
- shareDll and wormDll
Lastly, we have one of the more recent abilities of TrickBot, discovered in July 2017 but not fully functional until around September: lateral movement. This means the ability to travel across a network and infect new computers without any human interaction. To achieve this, it uses the infamous exploit EternalBlue, which was used in the widely reported ransomware epidemics of WannaCry and Petya/NotPetya earlier this year. Those led to many corporations, organizations and other places such as hospitals or airports having all of their computers infected, starting from a single computer on their network. In short, you can become infected without noticing it, just by being on the same network as a computer that opened a malicious document or encountered an exploit kit delivering TrickBot.
To do this, TrickBot first downloads a copy of itself, saved as setup.exe (to sound generic and non-threatening). Then it looks for network shares connected to the computer and, using the exploit, copies itself to all the devices it can find, arriving as the legitimate-sounding process techsvc.exe on the targeted devices, and finally starts a service called TechnicalSvc which sets in motion the download of modules and configurations on the newly infected machine(s).
---
That is all I had to write about this fascinating piece of malware. I hope it was informative, and thank you very much for reading!
Disclaimer: This is by no means a complete analysis of TrickBot - there are many, many more details, functionalities and properties I have omitted, such as encryption, obfuscation and files. It is a highly advanced and complex piece of malware that requires more than a blog post to fully dive into, and would also require a much higher technical level than this post aims for. Furthermore, this is malware that keeps developing, which means it will gain new abilities in the future that are not included in this post.