Cyber threat analysts recently uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components. TrickBot is a module-based malware that, while first identified as a banking trojan, has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to send spam to victim email lists, adopt new detection evasion methods and act as a delivery vehicle for other malware.
Red Sky Alliance analysts believes with medium confidence that Trickbot actors are Russian.[1] We first reported on Trickbot in 2016 when it emerged targeting banks in Australia.[2] Red Sky Alliance followed its infrastructure and password-stealing module evolution.[3] We reported new Trickbot delivery method that employs a multi-stage evasion technique which starts with an HTML file with a message enticing the user to click download and retrieve a malicious Word document.[4] More recently, the operators behind the malware appear to be upgrading their anti-detection methods.
Ransomware attacks are usually the result of a network becoming infected with the TrickBot Trojan first, which is usually installed through malicious attachments in phishing emails. TrickBot is an information-stealing Trojan that will steal data from an infected computer and then attempt to spread laterally through the network. After harvesting all valuable data from a network, it then proceeds to open a shell back to the ransomware actors who will then proceed to harvest data from the network as well and gain administrator credentials. After the ransomware has infected all devices on the network, the ransom payment demands begin. And the threats to release confidential data.[5] As of late March 2020, even the ongoing COVID-19 pandemic didn’t stop Trickbot/ransomware attacks against hospitals.[6]
The new TrickBot variant works in a victim’s machine quickly. The technologies it uses to perform anti-analysis, as well as how the payload of TrickBot communicates with its C&C server to download the modules has been upgraded. This is one more example of how the cyber threat actors are trying to stay ahead of cyber defenders. Researchers discovered the latest variant in a malicious Word document, which they believe is part of a phishing campaign. When the malicious Word document is opened, it asks the victim to “Enable Content,” which then executes a malicious Macro (in VBA code) is executed. The VBA code then extracts a file (“C:\AprilReport\List1.jse”) which eventually runs a huge JavaScript file called “List1.jse.”
Cyber threat analysts have noted several anti-analysis techniques utilized by this JavaScript file, including heavy obfuscation to protect the API function calls and constant strings associated with the malware’s attack chain from being identified. Observed in the new behavior for this variant, once executed, the JavaScript code first waits for about one minute. This behavior makes it seem inert, helping it to bypass any auto-analysis tools. After waiting, the JavaScript file then executes a command (“Select * from Win32_Process”) to obtain all running processes on the victim’s system. It then puts all the names of these obtained processes together and checks to see if its length is less than 3,100. This appears to be another new anti-analysis functionality. If [the length is less than 3,100], it will raise an exception and close. Usually, on a real computer, this length is larger than 3100. In this measure, it is better able to bypass many auto-analysis systems, including Sandboxes and Virtual Machines.
In another change for TrickBot, the downloaded payload in the latest variant is a DLL (dynamic link-library) file (that is run by “rundll32.exe”) while in the previous variant, the payload was an .exe file. After downloading the TrickBot payload in a file in the %temp% folder, the JavaScript file then copies itself into the Windows startup folder so it can start whenever Windows OS starts. This persistence method is another key differentiator from previous versions of TrickBot, which used to install themselves as a Scheduled Task or be added into the system registry’s Auto-Run group to maintain persistence.
Once the payload is executed, it is like previous versions of the TrickBot malware. The payload downloads modules from its Command and Control (C2) server and loads and executes them. These modules include an array of commands, including submitting the victim’s system information and global IP address to the C2 server; exfiltrating data (such as Log on User Name, network status, credentials etc.); querying the C2 server for various tasks.[7]
In another slight modification, the newest TrickBot variant also integrates the module “systeminfo” into the payload file, which was a standalone module before. This command tells the server that the “systeminfo” module was a success. While before, “systeminfo” was a DLL file used to collect system information from the victim’s device and then send it to its server, the module is already integrated into latest version of TrickBot. The newest variant also reflects a change in the command used to request up-to-date server configuration data. The configuration is now “1000502,” rather than the previous configuration “1000004.”
Red Sky Alliance has been has analyzing and documenting cyber threats for 8 years and maintains a resource library of malware and cyber actor reports. The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to success. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is in New Boston, NH USA and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888)-733-9729, or email feedback@wapacklabs.com
Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en
[1] https://redskyalliance.org/xindustry/king-servers
[2] files.slack.com/files-pri/T71KHUTDM-F8LFG5QBW/download/pir_trickbot.pdf
[3] files.slack.com/files-pri/T71KHUTDM-FEE372WTV/download/tir-18-331-001_trickbot_pwgrab.pdf
[4] files.slack.com/files-pri/T71KHUTDM-FKU9JHB37/download/ir-19-172-002_trickbot_new_delivery_methods.pdf
[5] bleepingcomputer.com/news/security/ryuk-ransomware-behind-durham-north-carolina-cyberattack/
[6] twitter.com/AltShiftPrtScn/status/1243166479903834112
[7] threatpost.com/new-trickbot-variant-updates-anti-analysis-tricks/153616/
Comments