
Trickbot Malware Analysis

Introduction

TrickBot is an advanced banking Trojan that was first identified in 2016. Threat actors spread it primarily through spearphishing campaigns using tailored emails that contain malicious attachments or links, which, if enabled, execute the underlying malware. As per the joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), “TrickBot – first identified in 2016 – is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct various illegal cyber activities.” In 2021, CISA and the FBI observed continued targeting through spearphishing campaigns using TrickBot malware in North America, with a sophisticated group of cybercrime actors luring victims via phishing emails that use a traffic infringement theme to get them to download TrickBot.

Evolution of Trickbot

TrickBot is a Trojan for Microsoft Windows and other operating systems that was first reported in October 2016. Since its origin, TrickBot has been in the headlines for carrying out, or contributing to, some of the most notorious cyber attacks across the globe.

  • 2016 – Origin of TrickBot
  • 2017 – WannaCry
  • 2018 – TrickBot continued exploiting the SMB vulnerability and overtook Emotet
  • 2019 – Enhanced capabilities such as web injects, and attempted to exploit the US-based mobile carriers Sprint, Verizon Wireless, and T-Mobile
  • 2020 – TrickBot used to distribute Ryuk
  • 2021 – TrickBot used to distribute Conti ransomware

Technical Analysis

Document Analysis using ThreatResponder FORENSICS

NetSecurity captured a suspicious executable file during one of its investigations. The details of the captured executable are as follows:

Name:    Sample2.exe
SHA256:  236f4e149402cba69141e6055a113a68f2bd86539365210afb9861f4e2d3ad5f
Type:    WIN32 EXE

NetSecurity’s ThreatResponder FORENSICS is a versatile tool for understanding a file’s attributes in detail. Upon importing the suspicious file into ThreatResponder FORENSICS, we identified several critical findings regarding the executable.

The ThreatResponder FORENSICS machine learning engine detected the suspicious executable file as malicious.

Further analysis revealed random-looking encrypted strings, indicating that the attackers obfuscated the sample to hide its actual code.

We also identified several imported API names, such as SizeofResource, VirtualFree, HeapAlloc, GetCurrentProcess, CreateProcessW and LoadResourceW, which point to resource loading, memory allocation and process creation, behavior that is suspicious in this context.

Checking the SHA256 in VirusTotal confirmed that the suspicious file is indeed malicious and belongs to the TrickBot malware family.

Behavior Analysis using ThreatResponder EDR

When the malicious .exe file is detonated on an isolated machine, the ThreatResponder EDR agent immediately detects the new threat and alerts the user through a Windows notification, as shown below.

The malicious execution alert has been recorded in the EDR console. The alert in ThreatResponder provided a detailed understanding of the chain of events related to the malicious execution.

As shown in the screenshot below, the alert was triggered by sample2.exe (the suspicious executable).

Further analysis shows the malicious executable spawning svchost.exe and another instance of sample2.exe, as shown in the figure below. ThreatResponder also provides the details of each process and the corresponding command lines that were executed.

ThreatResponder EDR also enriches the alert with VirusTotal information about the identified threat, which helps analysts get deeper insight into it.

ThreatResponder EDR also provides a detailed timeline of the events that triggered the alert. From it we can see that the malicious executable invoked other applications such as 72g.exe and chrome.exe and performed other activities, including file modification and registry key creation.

Mitre ATT&CK Mapping – TrickBot Malware

Initial Access [TA0001]

Technique Title ID Use
Phishing: Spearphishing Attachment T1566.001 TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.
Phishing: Spearphishing Link T1566.002 TrickBot has been delivered via malicious links in phishing emails.

Execution [TA0002]

Technique Title ID Use
Scheduled Task/Job: Scheduled Task T1053.005 TrickBot creates a scheduled task on the system that provides persistence.
Command and Scripting Interpreter: Windows Command Shell T1059.003 TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine.
Command and Scripting Interpreter: JavaScript/JScript T1059.007 TrickBot victims unknowingly download a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s C2 server to download TrickBot to the victim’s system.
Native API T1106 TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow.
User Execution: Malicious Link T1204.001 TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link.
User Execution: Malicious File T1204.002 TrickBot has attempted to get users to launch malicious documents to deliver its payload.

Persistence [TA0003]

Technique Title ID Use
Scheduled Task/Job: Scheduled Task T1053.005 TrickBot creates a scheduled task on the system that provides persistence.
Create or Modify System Process: Windows Service T1543.003 TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

Privilege Escalation [TA0004]

Technique Title ID Use
Scheduled Task/Job: Scheduled Task T1053.005 TrickBot creates a scheduled task on the system that provides persistence.
Process Injection: Process Hollowing T1055.012 TrickBot injects into the svchost.exe process.
Create or Modify System Process: Windows Service T1543.003 TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.

Defense Evasion [TA0005]

Technique Title ID Use
Obfuscated Files or Information T1027 TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.
Obfuscated Files or Information: Software Packing T1027.002 TrickBot leverages a custom packer to obfuscate its functionality.
Masquerading T1036 The TrickBot downloader has used an icon to appear as a Microsoft Word document.
Process Injection: Process Hollowing T1055.012 TrickBot injects into the svchost.exe process.
Modify Registry T1112 TrickBot can modify registry entries.
Deobfuscate/Decode Files or Information T1140 TrickBot decodes the configuration data and modules.
Subvert Trust Controls: Code Signing T1553.002 TrickBot has come with a signed downloader component.
Impair Defenses: Disable or Modify Tools T1562.001 TrickBot can disable Windows Defender.

Credential Access [TA0006]

Technique Title ID Use
Input Capture: Credential API Hooking T1056.004 TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
Unsecured Credentials: Credentials in Files T1552.001 TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials.
Unsecured Credentials: Credentials in Registry T1552.002 TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key.
Credentials from Password Stores T1555 TrickBot can steal passwords from the KeePass open-source password manager.
Credentials from Password Stores: Credentials from Web Browsers T1555.003 TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.

Discovery [TA0007]

Technique Title ID Use
System Service Discovery T1007 TrickBot collects a list of installed programs and services on the victim’s machine.
System Network Configuration Discovery T1016 TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.
Remote System Discovery T1018 TrickBot can enumerate computers and network devices.
System Owner/User Discovery T1033 TrickBot can identify the user and groups the user belongs to on a compromised host.
Permission Groups Discovery T1069 TrickBot can identify the groups the user on a compromised host belongs to.
System Information Discovery T1082 TrickBot gathers the OS version, machine name, CPU type, amount of RAM available from the victim’s machine.
File and Directory Discovery T1083 TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.
Account Discovery: Local Account T1087.001 TrickBot collects the users of the system.
Account Discovery: Email Account T1087.003 TrickBot collects email addresses from Outlook.
Domain Trust Discovery T1482 TrickBot can gather information about domain trusts by utilizing Nltest.

Lateral Movement [TA0008]

Technique Title ID Use
Lateral Tool Transfer T1570 Some TrickBot modules spread the malware laterally across a network by abusing the SMB Protocol.

Collection [TA0009]

Technique Title ID Use
Data from Local System T1005 TrickBot collects local files and information from the victim’s local machine.
Input Capture: Credential API Hooking T1056.004 TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API.
Person in the Browser T1185 TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage.

Command and Control [TA0011]

Technique Title ID Use
Fallback Channels T1008 TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers.
Application Layer Protocol: Web Protocols T1071.001 TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.
Ingress Tool Transfer T1105 TrickBot downloads several additional files and saves them to the victim’s machine.
Data Encoding: Standard Encoding T1132.001 TrickBot can Base64-encode C2 commands.
Non-Standard Port T1571 Some TrickBot samples have used HTTP over ports 447 and 8082 for C2.
Encrypted Channel: Symmetric Cryptography T1573.001 TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.

Exfiltration [TA0010]

Technique Title ID Use
Exfiltration Over C2 Channel T1041 TrickBot can send information about the compromised host to a hardcoded C2 server.

Impact [TA0040]

Technique Title ID Use
Resource Hijacking T1496 TrickBot actors can leverage the resources of co-opted systems for cryptomining to validate transactions of cryptocurrency networks and earn virtual currency.

Table 1: TrickBot ATT&CK techniques for enterprise – CISA

Indicators of Compromise (IoCs)

Signatures

  • alert tcp any [443,447] -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'example.com' (Hex)"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|0b|example.com"; fast_pattern:only; content:"Global Security"; content:"IT Department"; pcre:"/(?:\x09\x00\xc0\xb9\x3b\x93\x72\xa3\xf6\xd2|\x00\xe2\x08\xff\xfb\x7b\x53\x76\x3d)/"; classtype:bad-unknown; metadata:service ssl,service and-ports;)
  • alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT_ANCHOR:HTTP URI GET contains '/anchor'"; sid:1; rev:1; flow:established,to_server; content:"/anchor"; http_uri; fast_pattern:only; content:"GET"; nocase; http_method; pcre:"/^\/anchor_?.{3}\/[\w_-]+\.[A-F0-9]+\/?$/U"; classtype:bad-unknown; priority:1; metadata:service http;)
  • alert tcp any $SSL_PORTS -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'C=XX, L=Default City, O=Default Company Ltd'"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|31 0b 30 09 06 03 55 04 06 13 02|XX"; nocase; content:"|31 15 30 13 06 03 55 04 07 13 0c|Default City"; nocase; content:"|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd"; nocase; content:!"|31 0c 30 0a 06 03 55 04 03|"; classtype:bad-unknown; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)
  • alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'boundary=Arasfjasu7'"; sid:1; rev:1; flow:established,to_server; content:"boundary=Arasfjasu7|0d 0a|"; http_header; content:"name=|22|proclist|22|"; http_header; content:!"Referer"; content:!"Accept"; content:"POST"; http_method; classtype:bad-unknown; metadata:service http;)
  • alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'User-Agent|3a 20|WinHTTP loader/1.'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|WinHTTP loader/1."; http_header; fast_pattern:only; content:".png|20|HTTP/1."; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{2,5})?$/mH"; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; classtype:bad-unknown; metadata:service http;)
  • alert tcp any $HTTP_PORTS -> any any (msg:"TRICKBOT:HTTP Server Header contains 'Server|3a 20|Cowboy'"; sid:1; rev:1; flow:established,from_server; content:"200"; http_stat_code; content:"Server|3a 20|Cowboy|0d 0a|"; http_header; fast_pattern; content:"content-length|3a 20|3|0d 0a|"; http_header; file_data; content:"/1/"; depth:3; isdataat:!1,relative; classtype:bad-unknown; metadata:service http;)
  • alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP URI POST contains C2 Exfil"; sid:1; rev:1; flow:established,to_server; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary"; http_header; fast_pattern; content:"User-Agent|3a 20|"; http_header; distance:0; content:"Content-Length|3a 20|"; http_header; distance:0; content:"POST"; http_method; pcre:"/^\/[a-z]{3}\d{3}\/.+?\.[A-F0-9]{32}\/\d{1,3}\//U"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}$/mH"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; metadata:service http;)
  • alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI GET/POST contains '/56evcxv' (Trickbot)"; sid:1; rev:1; flow:established,to_server; content:"/56evcxv"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)
  • alert icmp any any -> any any (msg:"TRICKBOT_ICMP_ANCHOR:ICMP traffic conatins 'hanc'"; sid:1; rev:1; itype:8; content:"hanc"; offset:4; fast_pattern; classtype:bad-unknown;)
  • alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains POST with 'host|3a 20|*.onion.link' and 'data=' (Trickbot/Princess Ransomeware)"; sid:1; rev:1; flow:established,to_server; content:"POST"; nocase; http_method; content:"host|3a 20|"; http_header; content:".onion.link"; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:"data="; distance:0; within:5; classtype:bad-unknown; metadata:service http;)
  • alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|tpsci.com' (trickbot)"; sid:1; rev:1; flow:established,to_server; content:"host|3a 20|tpsci.com"; http_header; fast_pattern:only; classtype:bad-unknown; metadata:service http;)
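As an added example (our illustration, not code from the original post or from the CISA rule set), the URI and header conditions of the TRICKBOT_ANCHOR and "HTTP URI POST contains C2 Exfil" rules above, transcribed into Python and run over constructed HTTP request heads so an analyst can see exactly what each rule keys on; the hosts, paths and hex values in the samples are made up for the demonstration.

```python
import re
from dataclasses import dataclass

# URI and Host patterns transcribed from the TRICKBOT_ANCHOR and "HTTP URI POST
# contains C2 Exfil" rules above (Snort's /U and /H pcre options map to re as shown).
ANCHOR_GET_URI = re.compile(r"^/anchor_?.{3}/[\w_-]+\.[A-F0-9]+/?$")
C2_EXFIL_POST_URI = re.compile(r"^/[a-z]{3}\d{3}/.+?\.[A-F0-9]{32}/\d{1,3}/")
BARE_IPV4_HOST = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")  # Host header with no port

@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict[str, str]  # header names lower-cased

def parse_request(raw: str) -> HttpRequest:
    """Parse the head of an HTTP/1.x request (request line plus headers)."""
    lines = raw.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers)

def match_trickbot_http(req: HttpRequest) -> list[str]:
    """Return the names of the rules above whose conditions the request satisfies."""
    hits = []
    # TRICKBOT_ANCHOR: GET, "/anchor" in the URI, and the full URI matches the pcre.
    if req.method == "GET" and "/anchor" in req.uri and ANCHOR_GET_URI.match(req.uri):
        hits.append("TRICKBOT_ANCHOR")
    # C2 exfil: multipart POST with ------Boundary, User-Agent and Content-Length present, bare-IPv4 Host, no Referer.
    ctype = req.headers.get("content-type", "")
    if (req.method == "POST"
            and ctype.startswith("multipart/form-data; boundary=------Boundary")
            and "user-agent" in req.headers and "content-length" in req.headers
            and "referer" not in req.headers
            and BARE_IPV4_HOST.match(req.headers.get("host", ""))
            and C2_EXFIL_POST_URI.match(req.uri)):
        hits.append("TRICKBOT_C2_EXFIL")
    return hits

# Constructed request heads (hypothetical hosts and paths, not captured traffic).
ANCHOR_SAMPLE = "GET /anchor_dns/host123.BEEF/ HTTP/1.1\r\nHost: 192.0.2.7\r\n\r\n"
EXFIL_SAMPLE = ("POST /abc123/HOST_W617601.0123456789ABCDEF0123456789ABCDEF/81/ HTTP/1.1\r\n"
                "Host: 192.0.2.10\r\nUser-Agent: Mozilla/5.0\r\n"
                "Content-Type: multipart/form-data; boundary=------Boundary\r\n"
                "Content-Length: 120\r\n\r\n")
BENIGN_SAMPLE = "GET /anchor.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (ANCHOR_SAMPLE, EXFIL_SAMPLE, BENIGN_SAMPLE):
        print(raw.split("\r\n")[0], "->", match_trickbot_http(parse_request(raw)) or "no match")
```

The benign request shows why the rules carry a pcre on top of the cheap "/anchor" content match: the plain substring alone would fire on ordinary pages.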

Hashes


IP Address

  • 36.37.176[.]6
  • 74.131[.]16
  • 185.118.167[.]120

Domains

  • hxxp://myexternalip[.]com/raw
  • hxxp://api.ipify[.]org/
  • hxxps://snapfile[.]org/d/c7817a35554e88572b7b
  • hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/post.jsp
  • hxxp://Watson[.]Microsoft[.]com/StageOne/236f4e149402cba69141e6055a113a68f2bd86539365210afb9861f4e2d3ad5f/0_0_0_0/57b70f98/StackHash_ac38/0_0_0_0/00000000/c0000005/1a010044.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=7UET92WW&MID=54046387-FC68-43CA-9068-077C0A157181

Files

  • jdmowcibgc.exe
  • executable.exe
  • sample2.exe
  • SHELL32.dll
  • ntdll.dll
  • KERNEL32.dll
  • msvcrt.dll

How to Prevent TrickBot Malware?

Cyber security threats and ransomware attacks are increasing at a tremendous pace, and it is extremely difficult for cyber security analysts and incident responders to investigate, detect and prevent them using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware. It can also automate incident response actions across millions of endpoints, making response easy, fast, and hassle-free.

Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss army knife for forensic investigators, in action? Click the button below to request a free demo of NetSecurity’s ThreatResponder platform.

Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).