SECURITY

Trickbot Detections: Threat Research Release, July 2021

By Splunk Threat Research Team August 05, 2021

Criminal gangs are constantly improving their ways of delivering malicious code to victims. The delivery of this code is fundamental in order to subsequently install payloads that maximize the effect of exploitation and allows them to move laterally, and install further crimeware to quickly reap profits such as crypto mining, ransomware, data exfiltration, or even more sophisticated payloads such as banking fraud web injects. The Splunk Threat Research Team (STRT) addressed Trickbot in the July release. Trickbot is a very popular crimeware carrier (Trojan) associated with current campaigns.

Watch the video to understand how STRT has developed TrickBot detections for Splunk by using the Splunk Attack Range to collect the generated logs, and reverse engineering TrickBot examples.

What is a Trickbot?

Trickbot crimeware is a popular crimeware carrier — aka trojan — that has gained popularity in the criminal underground. Dating back to 2016, Trickbot is related to the banking malware DYREZA, which derives from the Zeus trojan. Both are incredibly effective at infecting and propagating botnets — one of the main financial drivers of the cybercriminal underground and the crimeware as a service economy. Initially focused on DDoS and Carding, botnets nowadays are mostly focused on crypto mining and ransomware. These two criminal vectors usually provide quick rewards to groups behind these botnets.

The effectiveness of trickbot crimeware comes basically in its stealthiness and versatility in installing payloads for further lateral movement and post-exploitation profit-driven activities such as cryptocurrency, ransomware, or banking fraud. STRT developed an analytic story targeting Trickbot TTPs. Also, STRT produced a whitepaper where there are further details on Trickbot modules and capabilities including the new Banking Web Injects.

Detections

The Splunk Threat Research Team has developed an Analytic Story to detect a TrickBot threat. This story is composed of the following searches:

Detection	Techniques	Tactic(s)	Notes
Detection of Office Application Spawn rundll32 Process (new)	T1566.001	Initial Access	Detects Run Dynamic Link Library 32 child process via Microsoft Office App
Detect Wermgr Process Connecting to Check IP Services (new)	T1590.005	Reconnaissance	Detects the use of Windows Error Manager executable to elicit a connection to an external service to determine the victim’s external IP address
Wermgr Process Create Executable File (new)	T1027	Defense Evasion	Detects the use of Windows Error Manager that creates executable files
Wermgr Process Spawned CMD Or Powershell Process (new)	T1059	Execution	Detects the use of Windows Error Manager to spawn a terminal session or Powershell Process
Schedule Task With Rundll32 Command Trigger (new)	T1053	Execution, Persistence, Privilege Escalation	Detects the creation of a scheduled task where rundll32.exe is used to execute or spawn another process
Powershell Remote Thread To Known Windows Process (new)	T1055	Defense Evasion, Privilege Escalation	Detects PowerShell process injection in some known windows processes
Write Executable in SMB Share (new)	T1021.002	Lateral Movement	Detects the creation of an executable targeting SMB Share
Trickbot Named Pipe (new)	T1055	Defense Evasion, Privilege Escalation	Detects the creation of a Named Pipe or inter-process communication associated with the execution of Trickbot
Plain HTTP POST Exfiltrated Data (new)	T1048.003	Exfiltration	Detects the use of the HTTP POST method to exfiltrate data
Account Discovery With Net App (new)	T1087.002	Discovery	Detects the use of a series of net commands for account discovery on the infected machine
Suspicious Rundll32 Startw (Existing)	T1218.011	Defense Evasion	Detects Rundll32 with "StartW" parameter
Office Document Executing Macro Code (Existing)	T1566.001	Initial Access	Detects MS Office that executes macro code
Cobalt Strike Named Pipes (Existing)	T1055	Defense Evasion, Privilege Escalation	Detects Common Cobalt Strike named pipes
Suspicious Rundll32 Dllregisterserver (Existing)	T1218.011	Defense Evasion	Detects Rundll32 with "dllregisterserver" parameter
Attempt to Stop Security Service (Existing)	T1562.001	Defense Evasion	Detects Security Service termination

Responding to Trickbot with Automated Playbooks

The following community Splunk SOAR playbooks can be used against Trickbot.

Name	Technique ID	Tactic	Description
Malware Hunt and Contain	T1204	Execution	This playbook hunts for malware across managed endpoints, disables affected users, shuts down their devices, and blocks files by their hash from further execution via Carbon Black.
Email Notification For Malware	T1204	Execution	This playbook tries to determine if a file is malware and whether or not the file is present on any managed machines. VirusTotal "file reputation" and PAN WildFire "detonate file" are used to determine if a file is malware, and CarbonBlack Response "hunt file" is used to search managed machines for the file. The results of these investigations are summarized in an email to the incident response team.
Ransomware: Investigate and Contain	T1204, T1486	Execution, Impact	This playbook detonates a file, and if it determines it is malicious, it blocks the hash from further execution, blocks any IPs it calls out to, hunts across your environment for other instances of the file, terminates any running executions of it, blocks any IPs it has made connections to, and quarantines affected devices.

Why Should You Care About Trickbot?

As one of the most popular crimeware carriers, trickbot is constantly being deployed and updated to avoid detection and deploy newer and more effective post-exploitation payloads. It is very likely that Trickbot will remain one of the main players in exploitation campaigns and continues to expand its use in the crime as a service market.

For a full list of security content, check out the release notes on Splunk Docs:

3.20.0 (part of May release, where the TrickBot detections first got released)
3.25.0
3.25.1
3.26.0

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the whole threat research team Jose Hernandez, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Teoderick Contreras, Lou Stella and Patrick Bareiss for their contribution to this release.

Posted by

Splunk Threat Research Team

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.