By Splunk Threat Research Team July 21, 2021
The Splunk Threat Research Team has assessed several samples of Trickbot, a popular crimeware carrier that allows malicious actors to deliver multiple types of payloads. These samples have been found in use during recent campaigns, and the team has identified the presence of specific tools designed to inject malicious code into victims’ browsers, known as Web Injects, which work as custom elements that allow attackers to perform operations on top of the victim's web session while seeming legitimate. We also took a look at several modules, including LDAP querying capabilities and Cobalt Strike delivery, which has been observed in recent campaigns.
Trickbot Trojan is said to be related to Zeus and Dyre crimeware and has been active since the year 2016. Trickbot has been used in multiple campaigns targeting financial services and other verticals; due to its versatile nature, recently it has also been observed targeting single users via traffic infringement phishing. Trickbot is attributed to the following actors, according to CISA:
- Wizard Spider (CrowdStrike)
- UNC1878 (Fireyee)
- Gold Blackburn (SecureWorks)
The web injects are post-exploitation code artifacts delivered and executed via trickbot. They are specifically designed for targeted sites (financial institutions, cryptocurrency exchanges, telco service providers). The samples analyzed by the Splunk Threat Research Team include major U.S financial institutions, telecom organizations and cryptocurrency exchanges, among others. Although web injects are not new, they are very difficult to detect, and they usually defeat most available defenses — PINs, CAPTCHA and even two-factor authentication applications.
The web inject code is delivered post-compromise via trickbot. Trickbot crimeware is delivered by multiple methods from direct malicious links, infected documents, or even direct exploitation of internet-exposed hosts or lateral movement; Trickbot malware possesses several functions and features that allow usage of different exploitation methods and post-exploitation payloads.
The following graphic is an example of an infected document:
This Excel document will download and load a malicious trickbot .dll using rundll32 windows application, as seen in the next graphic. The macro is written in a hidden xls sheet in white font, so as to be invisible to the user.
Once this document is executed in a vulnerable host, it proceeds to execute loader and contact Command and Control servers. It will inject its code to the “wermgr.exe” process to do its malicious routine. Below is a snippet of procmon CSV logs during the trickbot execution. Notice that the wermgr.exe process was created by the same rundll32 process that loads the trickbot malware (in this case 1.dll).
By decoding the big encoded string on the trickbot dll loader upon unpacking it in memory, we can see a list of web services that trickbot uses to look for the IP address of the infected machines.
Throughout the infection process, Trickbot will also establish persistence. This is done via the creation of a scheduled task. We also analyzed a trickbot module identified as wormDll64.dll. This module allows trickbot to move laterally and collect LDAP information from compromised networks.
The function below enumerates all servers visible in the windows active directory domain network; it also checks if the infected machine is part of the workgroup.
Trickbot also uses the eternal blue exploitation code. CVE-2017-0144 is a vulnerability that allows remote code execution on machines with vulnerable SMB versions.
Other modules from the trickbot analyzed samples — such as systeminfo64.dll, sharedll64.dll, psinf64.dll, and networkdll64.dll — include full system enumeration, LDAP query, and share enumeration which allows trickbot to copy itself to other systems, shared folders, and download further payloads.
Web Injects
As stated previously in this blog, Web Injects are not new. However, they are a very powerful crime tool and very difficult to detect. Web Injects can bypass most of the current defenses, including 2FA tools. Before Web Injects can be executed, there must be a process of exploitation which can be done via several methods, once the client has been infected with trickbot and the Web Inject file is in place. This is a process that is triggered by the victim browsing specific websites which are specified within the Web Inject config file. Then the trickbot proceeds to exfiltrate data and execute operations on top of the victim’s session to perform fraudulent operations such as transferring money from accounts to foreign institutions.
It is important to understand that in appearance these pages which the victim is visiting look exactly like any other standard normal banking session, but in the background the code injected allows attackers to perform different types of operations. In some cases, the Web Injects code, for example, keeps an account balance at its initial amount to the user’s view, even though in the background, money has already been transferred to a different account, usually to a foreign financial institution in countries where cybersecurity laws are very lax or where there is even complicity from destination country’s regime.
Injdll64.dll Web Inject Payload
This module consists of web injects targeting several banking sites. It creates a namepipe \.\pipe\pidplacesomepipe where “PID” will be changed to the actual target process ID at runtime, which is sometimes four characters (e.g., “\.\pipe\1844lacesomepipe”). The payload32.dll (a .dll created during the infection process in this sample) is a payload that will be decompressed and injected within the browser session through a reflective dll injection technique to do its main task as a banking trojan.
The following is a snippet snapshot of decrypted trickbot config samples.
As seen in the researched code, the Web Injects principally target login sites for several financial institutions, cryptocurrency exchanges and telco service providers. In some instances, the targeted URI indicates the targeting of balances, transfers and account settings. Such sections usually contain the elements necessary to make deposits, send transfers or change account settings, such as authentication or private information from account holders.
Detections
The Splunk Threat Research Team has developed a Trickbot analytic story to address this threat. This story is composed of the following searches:
Detection |
Techniques |
Tactic(s) |
Notes |
Detection of Office Application Spawn rundll32 Process (new) |
Initial Access |
Detects Run Dynamic Link Library 32 child process via Microsoft Office App |
|
Reconnaissance |
Detects the use of Windows Error Manager executable to elicit a connection to an external service to determine the victim’s external IP address |
||
Defense Evasion |
Detects the use of Windows Error Manager that creates executable files |
||
Execution |
Detects the use of Windows Error Manager to spawn a terminal session or Powershell Process |
||
Execution, Persistence, Privilege Escalation |
Detects the creation of a scheduled task where rundll32.exe is used to execute or spawn another process |
||
Defense Evasion, Privilege Escalation |
Detects PowerShell process injection in some known windows processes |
||
Lateral Movement |
Detects the creation of an executable targeting SMB Share |
||
Trickbot Named Pipe (new) |
Defense Evasion, Privilege Escalation |
Detects the creation of a Named Pipe or inter-process communication associated with the execution of Trickbot |
|
Exfiltration |
Detects the use of the HTTP POST method to exfiltrate data |
||
Discovery |
Detects the use of a series of net commands for account discovery on the infected machine |
||
Suspicious Rundll32 Startw (Existing) |
Defense Evasion |
Detects Rundll32 with "StartW" parameter |
|
Office Document Executing Macro Code (Existing) |
Initial Access |
Detects MS Office that execute macro code |
|
Cobalt Strike Named Pipes (Existing) |
Defense Evasion, Privilege Escalation |
Detects Common Cobalt Strike named pipes |
|
Suspicious Rundll32 Dllregisterserver (Existing) |
Defense Evasion |
Detects Rundll32 with "dllregisterserver" parameter |
|
Attempt to Stop Security Service (Existing) |
Defense Evasion |
Detects Security Service terminations |
Hashes
File name |
Sha256 |
Injdll64.dll |
5c9f626665a5f6e91599df85f3a1ae07258b9c3b8fc72eff56082ce9cb2c4394 |
wormDll64.dll |
74e9d233177ca996df3eeda88af9ff2d7f87bace0726b0516ecf3be7dcb59f71 |
Trickbot loader |
01b6ab63f7078d952ed1a18850ac202bc201aa6210592c108a2e0a4d16f06fc5 |
XLSM Macro |
ed03ded8aabe6685d536c26d55e9685a05e6e148c4c5b56b73faa5d81c9c083a |
The aforementioned current and new detections should help address this threat, with Trickbot being one of the main Ransomware carriers. Ongoing campaigns are not only a threat to companies operations; recent incidents reveal that ransomware has endangered human life, affected many governments and school organizations and even military bases.
Ransomware is now the top priority in cybersecurity. The Splunk Threat Research team will continue addressing ransomware variants and sharing their detection with the community. Please download our latest content at Splunkbase, or check out our Github repository.