Trickbot Malware Analysis
Introduction
TrickBot is an advanced banking Trojan that was first identified in 2016. Threat actors spread this trojan primarily through spearphishing campaigns using tailored emails that contain malicious attachments or links, which, if enabled, execute the underlying malware. As per the joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), “TrickBot – first identified in 2016 – is a Trojan developed and operated by a sophisticated group of cybercrime actors. Originally designed as a banking Trojan to steal financial data, TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct various illegal cyber activities.” In 2021, CISA and the FBI observed continued targeting through spearphishing campaigns using TrickBot malware in North America, with a sophisticated group of cybercrime actors luring victims via phishing emails built around a traffic infringement theme to download TrickBot.
Evolution of Trickbot
Trickbot is a trojan for Microsoft Windows and other operating systems that was first reported in October 2016. Since then, Trickbot has repeatedly been in the headlines for carrying out or contributing to some of the most notorious cyber attacks across the globe.
- 2016 – Origin of Trickbot
- 2017 – WannaCry
- 2018 – Trickbot continued exploiting the SMB vulnerability and overtook Emotet
- 2019 – Gained enhanced capabilities such as web injects and attempted to exploit the US-based mobile carriers Sprint, Verizon Wireless, and T-Mobile
- 2020 – Trickbot used to distribute Ryuk
- 2021 – Trickbot used to distribute Conti ransomware
Technical Analysis
Document Analysis using ThreatResponder FORENSICS
NetSecurity has captured a suspicious executable file during one of its investigations. Following are the details of the captured executable file:
| Attribute | Value |
|---|---|
| Name | Sample2.exe |
| SHA256 | 236f4e149402cba69141e6055a113a68f2bd86539365210afb9861f4e2d3ad5f |
| Type | WIN32 EXE |
NetSecurity’s ThreatResponder FORENSICS is a versatile tool for understanding the file attributes in detail. Upon importing the suspicious file in the ThreatResponder FORENSICS tool, we identified several critical findings regarding the executable file.
The ThreatResponder FORENSICS machine learning engine detected the suspicious executable file as malicious.
Upon analyzing further, we captured randomly encrypted strings, indicating obfuscation performed by the attackers to hide the actual code.
In addition, we identified several strings such as SizeofResource, VirtualFree, HeapAlloc, GetCurrentProcess, CreateProcessW, LoadResourceW, etc., which indicate suspicious behavior.
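As an added example (not from the original analysis and not ThreatResponder code), the following Python script reproduces the two checks above on a constructed byte blob standing in for the sample: it looks for the API names listed and flags long, high-entropy strings of the kind the encrypted-string finding describes. The entropy threshold, the triage function and the sample bytes are assumptions of this example.

```python
import math
import re

# API names the string analysis above singled out. Together they are the
# typical footprint of a loader that reads a payload from a PE resource,
# unpacks it in memory and hands it to a freshly created process.
SUSPECT_APIS = {"SizeofResource", "LoadResourceW", "VirtualFree", "HeapAlloc",
                "GetCurrentProcess", "CreateProcessW"}


def extract_strings(data: bytes, min_len: int = 6):
    """Printable-ASCII runs of at least min_len bytes, like the 'strings' tool."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def shannon_entropy(s: str) -> float:
    """Bits per character; random or encrypted text sits near log2(len(set(s)))."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def triage(data: bytes, entropy_floor: float = 4.5, min_blob: int = 24) -> dict:
    """Flag the suspect imports named above and long, space-free, high-entropy strings."""
    found = sorted(api for api in SUSPECT_APIS if api.encode() in data)
    blobs = [s for s in extract_strings(data)
             if len(s) >= min_blob and " " not in s and shannon_entropy(s) >= entropy_floor]
    return {"suspect_apis": found, "high_entropy_strings": blobs}


# Constructed stand-in for a PE's raw bytes (not the real sample2.exe): a few
# ordinary strings, most of the imports named above, and one random-looking blob.
SAMPLE = b"\x00".join([
    b"MZ\x90\x00\x03", b"This program cannot be run in DOS mode.",
    b"KERNEL32.dll", b"SizeofResource", b"LoadResourceW", b"HeapAlloc",
    b"GetCurrentProcess", b"CreateProcessW",
    b"C:\\Windows\\System32\\kernel32.dll",  # long but low entropy: not flagged
    b"Qk2zpLh9YmWtRvB0nG3jDsE7aUcXxf8K",  # 32 distinct chars: entropy 5.0 bits
])

if __name__ == "__main__":
    for key, values in triage(SAMPLE).items():
        print(f"{key}: {values}")
```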
Checking the SHA256 in VirusTotal confirmed that the suspicious file is indeed malicious and belongs to the TrickBot malware family.
Behavior Analysis using ThreatResponder EDR
When the malicious .exe file is detonated on an isolated machine, the ThreatResponder EDR agent immediately detects the new threat and alerts the user through a Windows notification, as shown below.
The malicious execution alert has been recorded in the EDR console. The alert in ThreatResponder provided a detailed understanding of the chain of events related to the malicious execution.
As you can see in the below screenshot, the alert was triggered with the name sample2.exe (suspicious executable).
Further analysis shows that the malicious executable spawns svchost.exe and another malicious sample2.exe process, as shown in the figure below. In addition, ThreatResponder provides the details of each process and the corresponding command lines that were executed.
ThreatResponder EDR also enriches the alert by incorporating the Virus Total information regarding the identified threat, which helps analysts get deeper insights into the threat.
ThreatResponder EDR also provides a detailed timeline of the events that triggered the alert. From it we can see that the malicious executable invoked other applications such as 72g.exe, chrome.exe, etc., and performed further activities, including file modification and registry key creation.
Mitre ATT&CK Mapping – TrickBot Malware
- Initial Access [TA0001]
- Execution [TA0002]
- Persistence [TA0003]
- Privilege Escalation [TA0004]
- Defense Evasion [TA0005]
- Credential Access [TA0006]
- Discovery [TA0007]
- Lateral Movement [TA0008]
- Collection [TA0009]
- Command and Control [TA0011]
- Exfiltration [TA0010]
- Impact [TA0040]
Table 1: TrickBot ATT&CK techniques for enterprise – CISA
Indicators of Compromise (IoCs)
Signatures
- alert tcp any [443,447] -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'example.com' (Hex)"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|0b|example.com"; fast_pattern:only; content:"Global Security"; content:"IT Department"; pcre:"/(?:\x09\x00\xc0\xb9\x3b\x93\x72\xa3\xf6\xd2|\x00\xe2\x08\xff\xfb\x7b\x53\x76\x3d)/"; classtype:bad-unknown; metadata:service ssl,service and-ports;)
- alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT_ANCHOR:HTTP URI GET contains '/anchor'"; sid:1; rev:1; flow:established,to_server; content:"/anchor"; http_uri; fast_pattern:only; content:"GET"; nocase; http_method; pcre:"/^\/anchor_?.{3}\/[\w_-]+\.[A-F0-9]+\/?$/U"; classtype:bad-unknown; priority:1; metadata:service http;)
- alert tcp any $SSL_PORTS -> any any (msg:"TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'C=XX, L=Default City, O=Default Company Ltd'"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|31 0b 30 09 06 03 55 04 06 13 02|XX"; nocase; content:"|31 15 30 13 06 03 55 04 07 13 0c|Default City"; nocase; content:"|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd"; nocase; content:!"|31 0c 30 0a 06 03 55 04 03|"; classtype:bad-unknown; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)
- alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'boundary=Arasfjasu7'"; sid:1; rev:1; flow:established,to_server; content:"boundary=Arasfjasu7|0d 0a|"; http_header; content:"name=|22|proclist|22|"; http_header; content:!"Referer"; content:!"Accept"; content:"POST"; http_method; classtype:bad-unknown; metadata:service http;)
- alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'User-Agent|3a 20|WinHTTP loader/1.'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|WinHTTP loader/1."; http_header; fast_pattern:only; content:".png|20|HTTP/1."; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{2,5})?$/mH"; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; classtype:bad-unknown; metadata:service http;)
- alert tcp any $HTTP_PORTS -> any any (msg:"TRICKBOT:HTTP Server Header contains 'Server|3a 20|Cowboy'"; sid:1; rev:1; flow:established,from_server; content:"200"; http_stat_code; content:"Server|3a 20|Cowboy|0d 0a|"; http_header; fast_pattern; content:"content-length|3a 20|3|0d 0a|"; http_header; file_data; content:"/1/"; depth:3; isdataat:!1,relative; classtype:bad-unknown; metadata:service http;)
- alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP URI POST contains C2 Exfil"; sid:1; rev:1; flow:established,to_server; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary"; http_header; fast_pattern; content:"User-Agent|3a 20|"; http_header; distance:0; content:"Content-Length|3a 20|"; http_header; distance:0; content:"POST"; http_method; pcre:"/^\/[a-z]{3}\d{3}\/.+?\.[A-F0-9]{32}\/\d{1,3}\//U"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}$/mH"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; metadata:service http;)
- alert tcp any any -> any $HTTP_PORTS (msg:"HTTP URI GET/POST contains '/56evcxv' (Trickbot)"; sid:1; rev:1; flow:established,to_server; content:"/56evcxv"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)
- alert icmp any any -> any any (msg:"TRICKBOT_ICMP_ANCHOR:ICMP traffic contains 'hanc'"; sid:1; rev:1; itype:8; content:"hanc"; offset:4; fast_pattern; classtype:bad-unknown;)
- alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains POST with 'host|3a 20|*.onion.link' and 'data=' (Trickbot/Princess Ransomware)"; sid:1; rev:1; flow:established,to_server; content:"POST"; nocase; http_method; content:"host|3a 20|"; http_header; content:".onion.link"; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:"data="; distance:0; within:5; classtype:bad-unknown; metadata:service http;)
- alert tcp any any -> any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|tpsci.com' (trickbot)"; sid:1; rev:1; flow:established,to_server; content:"host|3a 20|tpsci.com"; http_header; fast_pattern:only; classtype:bad-unknown; metadata:service http;)
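To show what the URI and Host PCRE parts of the /anchor and C2 exfil rules above actually accept, here is an added Python harness (not part of the original post and not the source of the Snort rules) that applies those patterns to constructed sample requests. The rule tags it returns, the parse_request helper and the sample requests are assumptions of this example.

```python
import re

# PCRE bodies taken from the Snort rules listed above. Snort's buffer modifiers
# (/U = normalized URI, /H = header buffer, /m = multiline) are emulated by
# running each pattern against the matching part of the request.
ANCHOR_URI = re.compile(r"^/anchor_?.{3}/[\w_-]+\.[A-F0-9]+/?$")
EXFIL_URI = re.compile(r"^/[a-z]{3}\d{3}/.+?\.[A-F0-9]{32}/\d{1,3}/")
IP_HOST = re.compile(r"^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{2,5})?$", re.M)
EXFIL_BOUNDARY = "Content-Type: multipart/form-data; boundary=------Boundary"


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, header block).

    Header lines are re-joined with a bare newline so that re.M's '$' sits at
    each line end, as it does in Snort's normalized header buffer.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    return method, path, header_block.replace("\r\n", "\n")


def classify(raw: str) -> list:
    """Return the tags of the rules above whose URI/header conditions this request meets."""
    method, path, headers = parse_request(raw)
    hits = []
    if method == "GET" and ANCHOR_URI.search(path):
        hits.append("TRICKBOT_ANCHOR")
    if (method == "POST" and EXFIL_URI.search(path) and IP_HOST.search(headers)
            and EXFIL_BOUNDARY in headers and "Referer:" not in headers):
        hits.append("TRICKBOT_C2_EXFIL")
    return hits


# Constructed sample requests (not captures from the investigation).
ANCHOR_REQ = "GET /anchor_dns/host123.ABCDEF/ HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
EXFIL_REQ = ("POST /abc123/report.0123456789ABCDEF0123456789ABCDEF/14/ HTTP/1.1\r\n"
             "Host: 192.0.2.10\r\nUser-Agent: WinHTTP loader/1.0\r\n"
             + EXFIL_BOUNDARY + "\r\nContent-Length: 5\r\n\r\ndata=")
# Lower-case hex in the anchor id does not fire: the PCRE only accepts [A-F0-9].
NEAR_MISS_REQ = "GET /anchor_dns/host123.abcdef/ HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
BENIGN_REQ = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("anchor", ANCHOR_REQ), ("exfil", EXFIL_REQ),
                      ("near miss", NEAR_MISS_REQ), ("benign", BENIGN_REQ)]:
        print(f"{name:>9}: {classify(req)}")
```

Only the PCRE and a few content checks are reproduced; the full rules also depend on flow state and the other content matches shown above.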
Hashes
IP Address
- 36.37.176[.]6
- 74.131[.]16
- 185.118.167[.]120
Domains
- hxxp://myexternalip[.]com/raw
- hxxp://api.ipify[.]org/
- hxxps://snapfile[.]org/d/c7817a35554e88572b7b
- hxxp://canarytokens[.]com/tags/traffic/images/azp6ai8pg5aq0c619ur0qzi6h/post.jsp
- hxxp://Watson[.]Microsoft[.]com/StageOne/236f4e149402cba69141e6055a113a68f2bd86539365210afb9861f4e2d3ad5f/0_0_0_0/57b70f98/StackHash_ac38/0_0_0_0/00000000/c0000005/1a010044.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.1.17514&SM=LEN&SPN=647&BV=7UET92WW&MID=54046387-FC68-43CA-9068-077C0A157181
Files
- jdmowcibgc.exe
- executable.exe
- sample2.exe
- SHELL32.dll
- ntdll.dll
- KERNEL32.dll
- msvcrt.dll
How to Prevent TrickBot Malware?
Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate, detect and prevent cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.
Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss Army knife for forensic investigators, in action? Request a free demo of NetSecurity’s ThreatResponder platform.
Disclaimer
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation, misuse or unauthorized use of this content, “as is” or “modified”, shall be considered illegal and subject to the articles and provisions stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).