Analysis of TrickBot Malware – the most prolific COVID-19 themed malware

Analysis of TrickBot Malware – the most prolific COVID-19 themed malware

In this article you will learn about: 

  • Distribution techniques of TrickBot malware 
  • Different modules and tasks of the TrickBot payload 
  • Tips to prevent infection by this malware. 

TrickBot is a constantly evolving Trojan-type malware used primarily to steal data and deploy ransomware, available in a Malware-as-a-Service (MaaS) model and being offered to cybergangs and APT groups. Its modularity and versatility make it a very popular tool by cyber adversaries. 

As a follow-up to our last TrickBot related article, we are going to talk more in-depth about TrickBot, various techniques it uses and also about mitigations to protect against it. 

Distribution Techniques: 

TrickBot is a malware that emerged in late 2016 and has been active to this day. During its lifetime, various techniques has been used to spread the Trojan, ranging from various fake installers to spam email campaigns. 

During the 2020 COVID-19 pandemic, TrickBot gained a lot of attention from cybersecurity professionals, as it was named the most prolific malware using COVID-19 as a lure by Microsoft. Infected emails usually offered free testing, welfare or pandemic-related legal documents. 

 

An example of a malicious e-mail

An example of a malicious e-mail

 

The goal of such e-mails is always to convince user to open and download malicious files. 

Payload download: 

When malicious documents are opened, TrickBot authors use social engineering techniques centered around compatibility issues with Microsoft Office to persuade user into disabling security restrictions and running heavily-obfuscated VBA macros

 

An example of a malicious document

An example of a malicious document

 

Before the 2019, VBA files usually downloaded an obfuscated PowerShell script, which then downloaded the payload. However, in the first half of 2019, TrickBot switched to a JavaScript-based downloader called Ostap.  

Ostap is one of the most technically advanced malware downloaders today. While other downloaders usually consist of a few dozens or hundreds of lines of codes, Ostap has more than 30 000 lines of code. 

To resist analysis, Ostap utilizes tricks like detecting process names related to sandbox environments, like VBoxService.exe, or detecting usernames used by automated analysis tools.  

Some strains of the TrickBot malware even use Emotet malware as a second-stage loader, which is a banking Trojan turned loader, now used to spread other malware.  

 

Cyber Resilience and Response Subscription Program 

Time is of the essence when cyber-attacks happens. The LIFARS Cyber Resilience and Response Subscription Program, provides the manpower and expertise to immediately respond and remediate to cyber incidents and breaches, in addition to providing a full array of services to increase your company’s cyber resiliency. 

Payload 

The payload is stored inside %AppData% or %ProgramData% folders and persistence is achieved by creating a scheduled task. 

TrickBot trojan features a modular architecture and gets very often updated with new features. Each module is injected into svchost.exe process to evade detection. It consists of several modules each designed for a specific task; 

System/network information gathering: 
  • systeminfo64 – Gathers basic information about hosts, like operating system, processor, installed programs, etc. 
  • networkDll64 – Gathers even more system information, like serial number, organization, usernames, domain name and uses tools like net, ipconfig and nltest to list all network adapters, domain controllers, domains and shares. 
  • psfin64 – Identifies lucrative point-of-sale targets like stores, kiosks and payment terminals.  
Credentials theft: 
  • pwgrab64 – Steals credentials from browsers, various RDP/SSH related services or even password managers.  
  • outlookDll – Steals Outlook credentials. 
  • squlDll64 – Uses Mimikatz to steal credentials from Windows. 
  • injectDll64 – Injects libraries into browsers to steal credentials from banking websites. 
  • importDll64 – Steals data like web history, local storage, cookies from browser databases. 
Worm-like capabilities: 
  • wormDll64 – Abuses protocols like SMB and LDAP to spread itself across the network. 
  • tabDll64- Exploits CVE-2017-0144 vulnerability, also used by the infamous WannaCry ransomware, to spread itself to unpatched devices. 
Remote access: 
  • vncDll64 – A remote desktop toolkit, which allows to capture and interact with user’s desktop. 

TrickBot also include robust post-exploitation frameworks Empire and PowerSploit. Their capabilities include privilege escalation using techniques like UAC bypass and DLL hijacking, credential theft using pass-the-hash technique or gaining persistence using registry, task scheduler or entirely fileless via WMI. 

Preventing TrickBot infections and limiting its impact: 

  1. Block or restrict macros and ActiveX in Microsoft Office. 
  2. Use Application Control for code-restrictions. 
  3. Enable Credential Guard to protect credentials. 
  4. Use Attack Surface Reduction policies to block obfuscated scripts, restrict launching executable content from scripts and to harden Microsoft Office applications. 
  5. Enable svchost.exe mitigations to restrict non-Microsoft-signed code from being injected. 
  6. Disable Extension Points in Exploit Guard for sensitive processes to prevent code injection. 
  7. Make sure that valuable systems, like point-of-sale devices, are on an isolated network. 
  8. Disable potentially vulnerable networking protocols, like SMB v1, across your network. 
  9. Always use strong credentials for sensitive services like RDP/SSH and implement protections against credential brute-forcing. 

Conclusion 

Modular architecture, frequent updates and advanced techniques make TrickBot both hard to detect and extremely dangerous. With many credential stealing modules, TrickBot can easily spread and infect multiple departments or even an entire company. This has allowed TrickBot to stay relevant for all these years. 

 

Concerned About Data Theft? 

Invest in A Penetration Test Today, Call LIFARS For More Information 

Email: contact@lifars.com | Call us at:(212) 222-7061 

 

 

 


Credits: 

Microsoft Security Intelligence 

https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/ 

https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/  

https://threatresearch.ext.hp.com/deobfuscating-ostap-trickbots-javascript-downloader/