Malware has become an industry segment and professional developers are found to exchange, steal each other’s code and engage in collaborations. Attacks are multi-layer with diverse sophisticated software apps taking over different jobs along the attack chain from initial compromise to ultimate data exfiltration or encryption. The specific tools for each stage are highly specialized and can often be rented as a service such as Malware as a Service (MaaS0), including customer support and subscription models for professionals. This has increased both the availability and the potential effectiveness and impact of malware for all actors and groups.
The apparent professionalization may have some good aspects too. One factor is that certain reused modules commonly found in malware can be used to identify, track, and analyze professional attack software. This means that, with enough experience, skilled analysts can detect and stop malware in its tracks, often with minimal or no damage (if the attackers make it through the first defense lines at all).
Origins of Trickbot:
Investigators have been tracking the specific malware named Trickbot for years. It is commonly attributed to a specific Threat Actor generally known under the name of Wizard Spider, UNC1778 (FireEye) or Gold Blackburn.
Trickbot is a popular and modular Trojan initially used in targeting the banking industry. It has been used to compromise companies from other industries too. It delivers several types of payloads. Trickbot evolved progressively to be used as Malware-as-a-Service (MaaS) by different attack groups.
The threat actor behind it is known to act quickly, using the well-known post-exploitation tool Cobalt Strike to move laterally on the company network infrastructure and deploy ransomware like Ryuk or Conti as a final stage. As it is used for initial access, being able to detect this threat as quickly as possible is a key element of success for preventing further attacks.
This threat analysis will be focused on the threat actor named TA551, and its use of Trickbot as an example. We will present how analysts were able to perform detection at the different steps of the kill chain, starting from the initial infection through Malspam campaigns, moving on to the detection of tools used by the threat actor during compromise.
1 — Initial access
In June 2021, the group TA551 started delivering the Trickbot malware using an encrypted zip. The email pretext mimics important information to reduce the vigilance of the user.
The attachment includes a .zip file which again includes a document. The zip file always uses the same name as "request.zip" or "info.zip", and the same name for the document file.
The Threat Actor used the same modus operandi before/in parallel to Trickbot to deliver other malware. We observed during the same period, from June 2021 to September 2021, the use of Bazarloader on the initial access payload.
2 — Execution
When the user opens the document with macros enabled, an HTA file will be dropped on the system and launched using cmd.exe. The HTA file is used to download the Trickbot DLL from a remote server.
This behavior is related to TA551, we can identify it with the pattern "/bdfh/" in the GET request.
GET /bdfh/M8v[..]VUb HTTP/1.1
Patterns related to TA551 evolved with time, since mid-August 2021, the pattern changed to "/bmdff/". The DLL is registered as a jpg file to hide the real extension, and it tries to be run via regsvr32.exe. Then, Trickbot will be injected into "wermgr.exe" using Process Hollowing techniques.
3 — Collection
After the successful initial system compromise, Trickbot can collect a lot of information about its target using legitimate Windows executables and identify if the system is member of an Active Directory domain.
Additionally, to this collection, Trickbot will scan more information like Windows build, the public IP address, the user that is running Trickbot, and also if the system is behind an NAT firewall.
Trickbot is also able to collect sensitive information like banking data or credentials, and exfiltrate it to a dedicated command and control server (C2).
4 — Command & Control
When the system is infected, it can contact several kinds of Trickbot C2. The main C2 is the one with which the victim system will communicate, mainly to get new instructions.
All requests to a Trickbot C2 use the following format:
information about the command>/"
GET /zev4/56dLzNyzsmBH06b_W10010240.42DF9F315753F31B13F17F5E731B7787/0/Windows 10 x64/1108/XX.XX.XX.XX/38245433F0E3D5689F6EE84483106F4382CC92EAFAD5120
All data collected is sent to a separate Exfiltration Trickbot C2 using HTTP POST request methods. The request format keeps the same, but the command "90" is specific to data exfiltration, more precisely system data collected off the infected system.
POST /zev4/56dLzNyzsmBH06b_W10010240.42DF9F315753F31B13F17F5E731B7787/90/ HTTP/1.1
Content-Type: multipart/form-data; boundary=------Bound
Follow-up attacks: Cobalt Strike, Ryuk, Conti
Cobalt Strike is a commercial, fully-featured, remote access tool that calls itself an "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike's interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.
In our context, Trickbot uses the highjacked wermgr.exe process to load a Cobalt Strike beacon into memory.
Several ransomware operators are affiliated to the threat actors as well. The aim of Trickbot is to perform the initial access preceding the actual ransomware attack. Conti and Ryuk are the main ransomwares observed on the final stage of Trickbot infections, though by far not the only ones. Conti is a group that operates a Ransomware-as-a-Service model and is available to several affiliate threat actors. Ryuk on the other hand is a ransomware that is linked directly to the threat actor behind Trickbot.
Key findings - Threat actors often still use basic techniques to get into the network like phishing emails. Raising awareness about phishing is definitely a great first step in building up cyber resilience. The best attacks are, after all, the ones that never even get started.
There is no such thing as bullet-proof preventive protection in cyber. It is important to have the capability of detecting Trickbot at an early stage. Though the attack chain can be broken at every stage along the way: the later it is, the higher the risk of full compromise and the resulting damage. Trickbot is used by different threat actors, but the detection approach stays the same on most of its specific stages. Some of the indicators of compromise are explained here. But malware gets updates too.
Analysts have to stay vigilant. Tracking and watching a specific malware or a threat actor is a key to follow its evolution, improvement, and keep up to date about an efficient detection of the threat.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings