Digital Resilience Pays Off
How resilient is your organization? Learn how to mature your digital resilience with this free guide.
Trickbot Detections: Threat Research Release, July 2021
Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.
Criminal gangs are constantly improving their ways of delivering malicious code to victims. The delivery of this code is fundamental in order to subsequently install payloads that maximize the effect of exploitation and allows them to move laterally, and install further crimeware to quickly reap profits such as crypto mining, ransomware, data exfiltration, or even more sophisticated payloads such as banking fraud web injects. The Splunk Threat Research Team (STRT) addressed Trickbot in the July release. Trickbot is a very popular crimeware carrier (Trojan) associated with current campaigns.
Watch the video to understand how STRT has developed TrickBot detections for Splunk by using the Splunk Attack Range to collect the generated logs, and reverse engineering TrickBot examples.
What is a Trickbot?
Trickbot crimeware is a popular crimeware carrier — aka trojan — that has gained popularity in the criminal underground. Dating back to 2016, Trickbot is related to the banking malware DYREZA, which derives from the Zeus trojan. Both are incredibly effective at infecting and propagating botnets — one of the main financial drivers of the cybercriminal underground and the crimeware as a service economy. Initially focused on DDoS and Carding, botnets nowadays are mostly focused on crypto mining and ransomware. These two criminal vectors usually provide quick rewards to groups behind these botnets.
The effectiveness of trickbot crimeware comes basically in its stealthiness and versatility in installing payloads for further lateral movement and post-exploitation profit-driven activities such as cryptocurrency, ransomware, or banking fraud. STRT developed an analytic story targeting Trickbot TTPs. Also, STRT produced a whitepaper where there are further details on Trickbot modules and capabilities including the new Banking Web Injects.
Detections
The Splunk Threat Research Team has developed an Analytic Story to detect a TrickBot threat. This story is composed of the following searches:
Detection | Techniques | Tactic(s) | Notes |
Detection of Office Application Spawn rundll32 Process (new) | Initial Access | Detects Run Dynamic Link Library 32 child process via Microsoft Office App | |
Reconnaissance | Detects the use of Windows Error Manager executable to elicit a connection to an external service to determine the victim’s external IP address | ||
Defense Evasion | Detects the use of Windows Error Manager that creates executable files | ||
Execution | Detects the use of Windows Error Manager to spawn a terminal session or Powershell Process | ||
Execution, Persistence, Privilege Escalation | Detects the creation of a scheduled task where rundll32.exe is used to execute or spawn another process | ||
Defense Evasion, Privilege Escalation | Detects PowerShell process injection in some known windows processes | ||
Lateral Movement | Detects the creation of an executable targeting SMB Share | ||
Trickbot Named Pipe (new) | Defense Evasion, Privilege Escalation | Detects the creation of a Named Pipe or inter-process communication associated with the execution of Trickbot | |
Exfiltration | Detects the use of the HTTP POST method to exfiltrate data | ||
Discovery | Detects the use of a series of net commands for account discovery on the infected machine | ||
Suspicious Rundll32 Startw (Existing) | Defense Evasion | Detects Rundll32 with "StartW" parameter | |
Office Document Executing Macro Code (Existing) | Initial Access | Detects MS Office that executes macro code | |
Cobalt Strike Named Pipes (Existing) | Defense Evasion, Privilege Escalation | Detects Common Cobalt Strike named pipes | |
Suspicious Rundll32 Dllregisterserver (Existing) | Defense Evasion | Detects Rundll32 with "dllregisterserver" parameter | |
Attempt to Stop Security Service (Existing) | Defense Evasion | Detects Security Service termination |
Responding to Trickbot with Automated Playbooks
The following community Splunk SOAR playbooks can be used against Trickbot.
Name | Technique ID | Tactic | Description |
Execution | This playbook hunts for malware across managed endpoints, disables affected users, shuts down their devices, and blocks files by their hash from further execution via Carbon Black. | ||
Execution | This playbook tries to determine if a file is malware and whether or not the file is present on any managed machines. VirusTotal "file reputation" and PAN WildFire "detonate file" are used to determine if a file is malware, and CarbonBlack Response "hunt file" is used to search managed machines for the file. The results of these investigations are summarized in an email to the incident response team. | ||
Execution, Impact | This playbook detonates a file, and if it determines it is malicious, it blocks the hash from further execution, blocks any IPs it calls out to, hunts across your environment for other instances of the file, terminates any running executions of it, blocks any IPs it has made connections to, and quarantines affected devices. |
Why Should You Care About Trickbot?
As one of the most popular crimeware carriers, trickbot is constantly being deployed and updated to avoid detection and deploy newer and more effective post-exploitation payloads. It is very likely that Trickbot will remain one of the main players in exploitation campaigns and continues to expand its use in the crime as a service market.
For a full list of security content, check out the release notes on Splunk Docs:
Learn More
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.
Feedback
Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.
Contributors
We would like to thank the whole threat research team Jose Hernandez, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Teoderick Contreras, Lou Stella and Patrick Bareiss for their contribution to this release.
Related Articles
About Splunk
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
Connect with Splunk on Instagram
Follow @Splunk
