Trickbot | Technical Analysis of a Banking Trojan Malware

How fuboTV built a cloud-native streaming platform with GCP
March 28, 2019
Inventory View, Solution Identification and Ability to Mute Findings Now Available In Skyline
March 28, 2019
How fuboTV built a cloud-native streaming platform with GCP
March 28, 2019
Inventory View, Solution Identification and Ability to Mute Findings Now Available In Skyline
March 28, 2019

Banking trojans have been around forever–and they’ll be around for as long as we use the web for money transactions–but that doesn’t mean they are not useful to look at. Trickbot and Emotet have been on the increase recently, evolving with new features to escape sandboxes and bypass legacy security solutions. In this post, we’ll take a look inside a sample that was caught by SentinelOne.

This malware came to a customer as an email distributed payload:

File Hash (SHA1): 8cad6d7f47553b363698230c36c36cb39a80112

Decoding the First Stage of the Attack

While the file was blocked and no harm was done to the system, sometimes I like to see what would happen without protection. With the use of OLETOOLS we can take a look at the payloads embedded in the malicious file:

$: olevba Bofa_Charge01312019.xlsm

The code that gets returned is a little messy, but we can easily get what we need:

image of oletools

The main thing that we are looking at is the base64 encoded string:

image of encoded base64

Next, let’s decrypt and verify if it’s actually a file:

Image of decoding base64

Now that we know it’s a file, we can either rename and extract the gzip file or simply decompress the base64 string as we decode it. The first method is nice if you are trying to keep a copy of each attack phase:

Image of decoding base64 file

But if you really don’t need to keep the extra file, you can just decompress the stream as it decrypts.

Image of decode base64

Either way, we can get what we need for the next step:

image of function to download file

Now this looks pretty ugly, so we can clean it up with a “beautifier” plug-in for SublimeText or any other similar tool of your choice:

Image of cleaning up code

There’s a couple of key bits of information that we can collect from this.

First, this is a VBScript Function that is compressed and stored as a base64 string within the Excel Macro. The function is called and executes the script upon opening the document.

image of function call

We can also see that the payload is fetched from one of two remote servers:

image of code for each server

The code tells us that the payload is stored in the User’s Temp directory:

image of saving to temp file

Take note that the payload on the C2 server is called ‘za.liva’, but it will be saved as ‘tmp0281.exe’ on the local disk. After the payload is saved to the Temp directory, it is then executed.

image of executing temp file

Inspecting the Payloads

Let’s take a look at the payloads that are downloaded and see if the addresses are still active:

image of first payload

The first address looks to have since been taken offline, so it will not be of much use to us.

image of second payload

The second server looks to be still active, so we can continue the investigation. Since we have a C2 server up and running, we can attempt to download the malicious payload and see what this Excel document actually does.

image of using wget

Now that we have a SHA1 hash we can use VirusTotal to check it out.

image of checking virustotal

Based on what we see in VT, we can see that the file has a reputation for being malicious and that some of the detections are reporting it as a sample of the TrickBot banking trojan.

What Happens When Trickbot Executes?

So what happens when we execute it? To start with, there are a few interesting things that Procmon can show us. Initially, the malware duplicates itself to a new directory which is hidden in the User’s Roaming Profile:

image of roaming profile

Then, the payload targets and disables Windows Defender:

image of windows defender
image of windows defender

This is how Windows Defender looks before execution:

image of windows defender on

And after:

Image of Windows Defender Disabled

A scheduled task is then created.

image of scheduled task

image of general tab

image of triggers tab

image of actions tab

The History Tab is also set to ‘Disabled’ so that it will be hard to determine how long the machine has been infected.

The malware next creates a ‘Settings.ini’ file and a ‘Data’ folder.

image of creating settings ini file

Multiple modules will then be created within the ‘Data’ Folder starting with ‘systeminfo64’ (Testing was done on an amd64 machine).

image of multiple modules created

Here are the file hashes for the modules:

99BCA3D20DA3AF4DD53018EB7CD75E3E50922EE8
694132E09D7A24AA6597C07379844A3A121840AB
37F7F788C0BCBE92E58348A981FFD2609D847C21
02D14610C2B5829EC19C8EAE4E27F01DDEE3DED8
A58B2CD90D08E5E36B36C94DC018F87042E1D04A
9E823026C6DEF9736D3C33F70FB11EAACE597EDC
517429BD284236FAD97055B99110D5ACDA188590
3677933612060E4D5ECA257C58B8F7873287AD7E

There are also signs of the payload attempting to access the "HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerIntelliFormsStorage2" key, which matches the behavior of other known TrickBot versions. These have been known to use this to store hashes of URLs and their respective login information that have been collected.

image of hkey current user key

At the same time, Trickbot will examine the registry to verify which browser type is currently set as default.

Image of default browser setting

After dropping the modules to the ‘Data’ folder, the Trickbot malware creates and populates registry keys for ‘CertificateTransparencyEnforcementDisabledForUrls’ at the following path: HKLMSOFTWAREPoliciesGoogleChromeCertificateTransparencyEnforcementDisabledForUrls:

Image of disable Certificate transparency in browsers

This allows SSL encryption levels to be downgraded to less secure algorithms without the browser raising a big red flag.

How to Decode Trickbot Modules

Knowing that this is TrickBot we can take advantage of a tool from HASHEREZADE, who has a bunch of awesome tools for reversing and analyzing malware.

On the infected machine, we need to run the ‘make_bot_key-exe’ PE to gather the system botkey for decryption.

image of make bot key

This ‘botkey’ is then used to decrypt the modules:

./trick_config_decoder.py --botkey {BotKey} --datafile Data/{Module File Name}

image of trick bot config modules decoder

Now we can get a list of hashes for the decrypted DLLs:

cbd80eb5112a9560fbe7d9ce6fc0258af6415827 importDll64.dll
d37415147f5cdc74d4c0dbf5c67d5fc909643d5e injectDll64.dll
744a928e828c4f06f92a5354f63a14f15a98bff9 mailsearcher64.dll
374b411a00f513b002902870e216e56186b8c9b8 networkDll64.dll
de9caa99ca6c4f7892b3b9dfb9c9747bd503d753 psfin64.dll
70883aa0f396e0a2099a6eaa501cc2f7ce8c9ff8 shareDll64.dll
a3b021cf9dbb9e9bc67fa25f27be7ab71ce55d69 systeminfo64.dll
52a59062686fcfedbc207fddbed84395b4df0175 tabDll64.dll
8ad57a9acfd3940f2b044c2ab7777f8d051941f0 tpwgrabu64.dll
4f4601059e70e1d726ed10f44d989e00e7b21bbd wormDll64.dll

This also allows us to extract IPs and URLs from the Module config files, such as injectDll64_configs/dpost.out:

image of decoding iocs from injectDLL64

Summary

In this post, we have explored how to inspect a malicious file and determine its actions, the C2 servers it contacts, and the payloads it drops. We’ve also looked at some useful ways to analyse the payloads and extract indicators of compromise that we can feed into a SOC team or security solution software. Even without diving deep into the DLLs or the PEs themselves, we were able to obtain a great deal of information and a really nice list of IOCs for the Trickbot malware.


IOCs:

File Paths:
C:WindowsSystem32TasksSpeedNetworkTask
C:Users{Username}AppDataRoamingspeedNetwork

Registry Key:
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerIntelliFormsStorage2

Scheduled Tasks:
SpeedNetworkTest

PE/Document Hashes:
8cad6d7f47553b363698230c36c36cb39a80112
f91ed88e61b431ce883f75797ad36c5a4a9ca212

Module Hashes:
99BCA3D20DA3AF4DD53018EB7CD75E3E50922EE8
694132E09D7A24AA6597C07379844A3A121840AB
37F7F788C0BCBE92E58348A981FFD2609D847C21
02D14610C2B5829EC19C8EAE4E27F01DDEE3DED8
A58B2CD90D08E5E36B36C94DC018F87042E1D04A
9E823026C6DEF9736D3C33F70FB11EAACE597EDC
517429BD284236FAD97055B99110D5ACDA188590
3677933612060E4D5ECA257C58B8F7873287AD7E

Decrypted Module Hashes:
cbd80eb5112a9560fbe7d9ce6fc0258af6415827
d37415147f5cdc74d4c0dbf5c67d5fc909643d5e
744a928e828c4f06f92a5354f63a14f15a98bff9
374b411a00f513b002902870e216e56186b8c9b8
de9caa99ca6c4f7892b3b9dfb9c9747bd503d753
70883aa0f396e0a2099a6eaa501cc2f7ce8c9ff8
a3b021cf9dbb9e9bc67fa25f27be7ab71ce55d69
52a59062686fcfedbc207fddbed84395b4df0175
8ad57a9acfd3940f2b044c2ab7777f8d051941f0
4f4601059e70e1d726ed10f44d989e00e7b21bbd

Connections to:
185[.]20[.]184[.]74:80
188[.]246[.]233[.]53:443
92[.]38[.]149[.]49:443
hxxp://103[.]119[.]144[.]250:8082
hxxp://107[.]175[.]132[.]141:443
hxxp://141[.]255[.]167[.]125:443
hxxp://14[.]102[.]107[.]114:8082
hxxp://172[.]97[.]71[.]127:443
hxxp://181[.]115[.]156[.]218:80
hxxp://185[.]117[.]119[.]89:443
hxxp://185[.]20[.]184[.]74
hxxp://190[.]152[.]125[.]162:80
hxxp://192[.]210[.]152[.]173:443
hxxp://200[.]21[.]51[.]30:80
hxxp://212[.]80[.]216[.]228:443
hxxp://212[.]80[.]216[.]69
hxxp://31[.]202[.]132[.]5:443
hxxp://36[.]91[.]93[.]114:80
hxxp://75[.]183[.]130[.]158:8082
hxxp://96[.]36[.]253[.]146:8082
hxxp://97[.]87[.]127[.]198:80
hxxps://212[.]80[.]216[.]69:446


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Leave a Reply

Your email address will not be published. Required fields are marked *