
Trickbot Detections: Threat Research Release, July 2021

Criminal gangs are constantly improving their ways of delivering malicious code to victims. Delivering this code is the prerequisite for installing payloads that maximize the effect of exploitation, allow the attackers to move laterally, and bring in further crimeware that quickly turns a profit, such as crypto mining, ransomware, data exfiltration, or more sophisticated payloads such as banking fraud web injects. The Splunk Threat Research Team (STRT) addressed Trickbot in the July release. Trickbot is a very popular crimeware carrier (Trojan) associated with current campaigns.

Watch the video to understand how STRT has developed TrickBot detections for Splunk by using the Splunk Attack Range to collect the generated logs, and reverse engineering TrickBot examples. 

What is a Trickbot?

Trickbot is a popular crimeware carrier (also known as a trojan) that has gained popularity in the criminal underground. Dating back to 2016, Trickbot is related to the banking malware DYREZA, which derives from the Zeus trojan. Both are incredibly effective at infecting and propagating botnets, one of the main financial drivers of the cybercriminal underground and the crimeware-as-a-service economy. Initially focused on DDoS and carding, botnets nowadays are mostly focused on crypto mining and ransomware. These two criminal vectors usually provide quick rewards to the groups behind these botnets.

The effectiveness of Trickbot comes mainly from its stealthiness and its versatility in installing payloads for further lateral movement and profit-driven post-exploitation activities such as cryptocurrency, ransomware, or banking fraud. STRT developed an analytic story targeting Trickbot TTPs. STRT also produced a whitepaper with further details on Trickbot modules and capabilities, including the new banking web injects.

Detections

The Splunk Threat Research Team has developed an Analytic Story to detect a TrickBot threat. This story is composed of the following searches:

| Detection | Techniques | Tactic(s) | Notes |
|---|---|---|---|
| Detection of Office Application Spawn rundll32 Process (new) | T1566.001 | Initial Access | Detects Run Dynamic Link Library 32 child process via Microsoft Office App |
| Detect Wermgr Process Connecting to Check IP Services (new) | T1590.005 | Reconnaissance | Detects the use of Windows Error Manager executable to elicit a connection to an external service to determine the victim’s external IP address |
| Wermgr Process Create Executable File (new) | T1027 | Defense Evasion | Detects the use of Windows Error Manager that creates executable files |
| Wermgr Process Spawned CMD Or Powershell Process (new) | T1059 | Execution | Detects the use of Windows Error Manager to spawn a terminal session or Powershell Process |
| Schedule Task With Rundll32 Command Trigger (new) | T1053 | Execution, Persistence, Privilege Escalation | Detects the creation of a scheduled task where rundll32.exe is used to execute or spawn another process |
| Powershell Remote Thread To Known Windows Process (new) | T1055 | Defense Evasion, Privilege Escalation | Detects PowerShell process injection in some known windows processes |
| Write Executable in SMB Share (new) | T1021.002 | Lateral Movement | Detects the creation of an executable targeting SMB Share |
| Trickbot Named Pipe (new) | T1055 | Defense Evasion, Privilege Escalation | Detects the creation of a Named Pipe or inter-process communication associated with the execution of Trickbot |
| Plain HTTP POST Exfiltrated Data (new) | T1048.003 | Exfiltration | Detects the use of the HTTP POST method to exfiltrate data |
| Account Discovery With Net App (new) | T1087.002 | Discovery | Detects the use of a series of net commands for account discovery on the infected machine |
| Suspicious Rundll32 Startw (Existing) | T1218.011 | Defense Evasion | Detects Rundll32 with "StartW" parameter |
| Office Document Executing Macro Code (Existing) | T1566.001 | Initial Access | Detects MS Office that executes macro code |
| Cobalt Strike Named Pipes (Existing) | T1055 | Defense Evasion, Privilege Escalation | Detects Common Cobalt Strike named pipes |
| Suspicious Rundll32 Dllregisterserver (Existing) | T1218.011 | Defense Evasion | Detects Rundll32 with "dllregisterserver" parameter |
| Attempt to Stop Security Service (Existing) | T1562.001 | Defense Evasion | Detects Security Service termination |
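
The process-lineage logic behind four of the detections listed above, as an added example that is not Splunk's own search content or code from this post. It runs over constructed process-creation events; the Office binary list, the event field names, and the substring match on the rundll32 export name are assumptions.

```python
import ntpath

# Assumed Office parent binaries and shells; tune for your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def base(path):
    """Lower-cased file name of a Windows path (ntpath parses it on any OS)."""
    return ntpath.basename(path or "").lower()

def is_rundll32(ev):
    # Check the on-disk name and the PE OriginalFileName so a renamed copy still matches.
    names = (base(ev["image"]), ev.get("original_file_name", "").lower())
    return "rundll32.exe" in names

def match(ev):
    """Return the detection names that one process-creation event satisfies."""
    hits = []
    parent, child = base(ev["parent"]), base(ev["image"])
    cmd = ev.get("cmdline", "").lower()
    if parent in OFFICE_APPS and is_rundll32(ev):
        hits.append("Office Application Spawn rundll32 Process")
    if parent == "wermgr.exe" and child in SHELLS:
        hits.append("Wermgr Process Spawned CMD Or Powershell Process")
    if is_rundll32(ev) and "startw" in cmd:
        hits.append("Suspicious Rundll32 Startw")
    if is_rundll32(ev) and "dllregisterserver" in cmd:
        hits.append("Suspicious Rundll32 Dllregisterserver")
    return hits

def mk(host, parent, image, cmdline, ofn=""):
    return dict(host=host, parent=parent, image=image, cmdline=cmdline, original_file_name=ofn)

# Constructed sample events shaped like Sysmon Event ID 1 fields; not real telemetry.
EVENTS = [
    mk("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
       r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\Public\a.dll,StartW", "RUNDLL32.EXE"),
    mk("ws02", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
       r"C:\Users\Public\upd.exe", "upd.exe a.dll,DllRegisterServer", "RUNDLL32.EXE"),
    mk("ws03", r"C:\Windows\System32\wermgr.exe",
       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    mk("ws04", r"C:\Windows\explorer.exe",
       r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", "RUNDLL32.EXE"),
    mk("ws05", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\wermgr.exe", "wermgr.exe"),
]

def run(events=EVENTS):
    """Evaluate every event and return (host, detection name) pairs."""
    return [(e["host"], name) for e in events for name in match(e)]
```

Calling `run()` flags ws01 through ws03 and leaves the explorer-launched rundll32 (ws04) and the svchost-launched wermgr (ws05) alone; ws02 only matches because the OriginalFileName is checked in addition to the image name.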

Responding to Trickbot with Automated Playbooks

The following community Splunk SOAR playbooks can be used against Trickbot. 

| Name | Technique ID | Tactic | Description |
|---|---|---|---|
| Malware Hunt and Contain | T1204 | Execution | This playbook hunts for malware across managed endpoints, disables affected users, shuts down their devices, and blocks files by their hash from further execution via Carbon Black. |
| Email Notification For Malware | T1204 | Execution | This playbook tries to determine if a file is malware and whether or not the file is present on any managed machines. VirusTotal "file reputation" and PAN WildFire "detonate file" are used to determine if a file is malware, and CarbonBlack Response "hunt file" is used to search managed machines for the file. The results of these investigations are summarized in an email to the incident response team. |
| Ransomware: Investigate and Contain | T1204, T1486 | Execution, Impact | This playbook detonates a file, and if it determines it is malicious, it blocks the hash from further execution, blocks any IPs it calls out to, hunts across your environment for other instances of the file, terminates any running executions of it, blocks any IPs it has made connections to, and quarantines affected devices. |

Why Should You Care About Trickbot?

As one of the most popular crimeware carriers, Trickbot is constantly being deployed and updated to avoid detection and deploy newer and more effective post-exploitation payloads. It is very likely that Trickbot will remain one of the main players in exploitation campaigns and continue to expand its use in the crime-as-a-service market.

For a full list of security content, check out the release notes on Splunk Docs:

  • 3.20.0 (part of May release, where the TrickBot detections first got released)
  • 3.25.0
  • 3.25.1
  • 3.26.0
     

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. 

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the whole threat research team, Jose Hernandez, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Teoderick Contreras, Lou Stella and Patrick Bareiss, for their contribution to this release.

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

