Trickbot Malware

OVERVIEW TrickBot, initially developed as banking malware is now constantly evolving and aggregates powerful techniques to attack variety of organizations.

Trickbot is often used with other malware in multistage attacks.

www.sequretek.com TrickBot Malware

 OVERVIEW

▪ Banking Trojan TrickBot was developed in 2016, believed to be inspired by Dyre bot. It is distributed via malspam campaign containing malicious links and macro- enabled Word and Excel documents. If the attachment is opened, it will prompt the user to enable macros, which executes a VBScript to run a PowerShell script to download the malware. ▪ Some of the TrickBot campaign spreads malware via SMB protocol across the network. ▪ TrickBot’s main goal is to steal banking credentials and exfiltrate it to its command and control (C2) server. It can steal saved online account password in browsers, infected host’s login credentials, OpenSSH keys, Active Directory Services databases, cookies and web history. ▪ TrickBot’s modular nature provide flexibility to customization features and can drop additional malware like coin miner, Remote access tools, VNC or any ransomware on the infected system.

 TECHNICAL DETAILS

▪ TrickBot modules are delivered as Dynamic Link Libraries (DLLs), TrickBot loader loads TrickBot modules. ▪ Mainly TrickBot has two core modules Injectdll and systeminfo. ▪ Injectdll module is used to target banking and financial data, It monitors for banking website activity and uses web injects to steal financial information. Systeminfo is used to fingerprint the infected system. ▪ Other modules are also used for constantly adding new features to TrickBot: o ModuleDll/ImportDll: Harvests browser data (e.g. cookies and browser configurations). o Dinj: File contains banking information; uses server-side web injections o Dpost: Most of the data exfiltrated by TrickBot is sent to the dpost IP address o Sinj: Retains information on targeted online banks; Utilizes redirection attacks (fake web injections) to exfiltrate financial data o DomainDll: Uses LDAP to harvest credentials and configuration data from domain controller by accessing shared SYSVOL files.

TLP: GREEN P a g e | 2 www.sequretek.com

©copyright protected document TrickBot Malware

o OutlookDll: Harvests saved Microsoft Outlook credentials by querying several registry keys. o SqulDll: Force enables WDigest authentication and utilizes Mimikatz to scrape credentials from LSASS.exe. The worming modules use these credentials to spread TrickBot laterally across networks. o Mailsearcher: Compares all files on the disk against a list of file extensions. o networkDll, wormDll, shareDll: Used for network reconnaissance and lateral movement. o Pwgrab: Steals credentials, autofill data, history, and other information from browsers as well as several software applications. o rdpScanDll: Bruteforces RDP for a specific list of victims. o psfin: Point-of-sale recon module. o mshareDll and mwormDll: Lateral movement / enumeration module via LDAP and SMB exploitation. Mshare and mworm modules work in cooperation. o TabDll: Uses the EternalRomance exploit (CVE-2017-0147) to spread via SMBv1. ▪ After successful installation, TrickBot uses HTTP/HTTPS GET and POST requests to download modules and report stolen information/credentials to the C2 server. ▪ In multi stage attacks, after initially compromised by Emotet, TrickBot is delivered via spam/phishing and also delivers Ryuk ransomware. ▪ Recently Black Lives Matters (BLM)-themed malspam campaign was used to distribute TrickBot malware.

Figure 1: ‘Black Lives Matter’ TrickBot Malspam campaign TLP: GREEN P a g e | 3 www.sequretek.com

©copyright protected document TrickBot Malware

 INDICATORS OF COMPROMISE

IP Addresses 103[.]111[.]83[.]246 134[.]119[.]191[.]21 190[.]136[.]178[.]52 45[.]148[.]120[.]121 103[.]12[.]161[.]194 181[.]112[.]157[.]42 192[.]3[.]247[.]123 45[.]6[.]16[.]68 107[.]175[.]72[.]141 181[.]129[.]104[.]139 194[.]5[.]249[.]107 51[.]81[.]112[.]144 110[.]232[.]76[.]39 181[.]129[.]134[.]18 194[.]5[.]250[.]121 78[.]108[.]216[.]47 110[.]50[.]84[.]5 182[.]253[.]113[.]67 200[.]107[.]35[.]154 80[.]210[.]32[.]67 110[.]93[.]15[.]98 185[.]180[.]197[.]66 36[.]66[.]218[.]117 85[.]204[.]116[.]100 121[.]100[.]19[.]18 185[.]45[.]192[.]232 36[.]89[.]182[.]225 85[.]204[.]116[.]216 122[.]50[.]6[.]122 185[.]90[.]61[.]9 36[.]89[.]243[.]241 91[.]235[.]129[.]20 131[.]161[.]253[.]190 185[.]99[.]2[.]65 36[.]91[.]45[.]10 93[.]189[.]41[.]196 134[.]119[.]191[.]11 185[.]99[.]2[.]66 36[.]92[.]19[.]205 95[.]171[.]16[.]42

URLs hxxps://188[.]120[.]255[.]141:443/ hxxps://104[.]161[.]32[.]109:447/ hxxps://188[.]120[.]255[.]249:443/ hxxps://194[.]5[.]249[.]109:443/ hxxps://217[.]12[.]209[.]151:447/ hxxps://185[.]142[.]99[.]149:447/ hxxps://79[.]137[.]101[.]4:447/ hxxps://134[.]119[.]191[.]25:447/ hxxps://194[.]5[.]250[.]251:447/ hxxps://194[.]5[.]250[.]243:447/ hxxp://pinskdrev[.]market/tds.php hxxps://archive[.]saturn[.]mn/tds.php

TLP: GREEN P a g e | 4 www.sequretek.com

 PREVENTIVE AND CORRECTIVE DEFENCE ACTIONS

▪ Preventive Actions

o Block the IoCs in the corresponding security devices. o All these IoCs are combined in our Threat Intelligence Feed that is integrated with our SOC to provide proactive threat protection to our clients. o Employ content scanning and filtering on the organization mail servers. Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat. o Update your Operating system and software to latest version. o Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted. o Do not trust emails from untrusted source. o Do not open links and attachments from untrusted sources. o Back-up data, store it outside of network connection. o Use strong password and change it at regular interval. o Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared. o Keep a check on bank transfer activity from own accounts regularly. o Check on the Online banking links before entering credentials. o Do not provide User ID and password on any page that appears when you click on some link received through email. o Use multi-factor authentication.

▪ Corrective Actions

o If infected, disconnect the affected system from the Network. o Inform the Information Security Team. o Use antivirus or anti-malware software to clean the malware.

——————

TLP: GREEN P a g e | 5 www.sequretek.com