In this blog post, we’ll analyse a TrickBot binary with hash of 1bc7517f20b7b3e9d67c776f5e1bf7df.
TrickBot has a hardcoded configuration by default and this is no different in our binary. Often, when communicating with the C2, TrickBot may download an updated configuration. In our case, the same hardcoded configuration remains used throughout the whole infection chain.
The <ver> tag is indicative of the TrickBot version, which is 1000017. The <gtag> is the campaign ID and <srv> contains the C2 for the malware, for reporting back and downloading additional modules, while the <autorun> tag includes the modules to fetch. More often than not, these C2 servers are hacked devices, such as wireless routers.
When we execute the binary on our system, the first thing that is verified is our external IP, before contacting any of the C2s in the list. This is done by simply querying an array of APIs by popular external IP lookup websites until a response is received.
Afterwards, a POST request is sent to the C2 server, including the name of the machine, Operating System version, and a hash unique to the machine. An example request is as follows:
The U3VjY2Vzcw== value is base64 encoded and translates to ‘Success’, indicating a successful DLL injection into a browser’s process, enabling web injects.
The content of the HTTP POST request, including the information in the MIME data, is reminiscent of Dyre, a.k.a. Dyreza, a banking trojan which ceased to exist during the first months of 2016, believed to be as a consequence of Russian authorities raiding an office thought to be used by the Dyre cyber criminal gang.
Analysis also shows capability to generate a Domain Generation Algorithm (DGA) and use that for redirecting users to said domain, rather than the actual online banking website. The redirected site would be an exact duplicate of the actual banking website. The DGA always uses the same hardcoded, top level domains (TLD): .net, .org and .com. The first part of the domain always contains 28 random characters, for example, as also shown below: kbsavjthsyofzqnpburdxgciweam[.]net
The values in the POST request mentioned above are also reflected on disk in the current user’s %appdata% folder as different files; respectively group_tag (campaign ID) and client_id (machine name, OS build and unique hash). Additionally, a folder called Modules is created with encrypted DLLs and configuration, responsible for injection and gathering of system information, such as installed software, running services and processes, and much more.
Interestingly, it appears that the authors behind TrickBot deliver custom modules or payloads for specific targets. For example, a reference in the same decrypted DLL sets a specific configuration block, with additional references to ‘client work’.
This may suggest the TrickBot authors are also available ‘for hire’ by other cybercriminals or criminal affiliations.
Besides injecting DLLs into browser processes such as Internet Explorer or Mozilla Firefox and others. It also performs a technique known as process hollowing into a newly started svchost.exe process, and does this two times, resulting in two svchost.exe processes running as a child of the original binary.
Should a child or the parent process be killed, it will immediately be restarted, this due to the creation of a scheduled task, inconspicuously named as ‘ServiceTask’.
TrickBot’s configuration file shows an impressive number of targeted banks in a variety of regions, such as the UK, Australia and New Zealand, as well as banks in China and Singapore. This shows the TrickBot authors like to perform opportunistic targeting, harvesting as many credentials as possible. We expect the TrickBot authors to increase their targeting of banks and more specifically Western banks, using the flexible method of a configuration file to provide the web injects.
TrickBot appears to be in continuous development by simultaneously providing more options to its modular malware, as well as extending the list of targeted banks. While TrickBot is not nearly as much used as other known banking trojans, PwC analysts predict a considerate uptick of this malware in the coming months. We continue to monitor this particular banking trojan.
Threat Intelligence Analyst, PwC United Kingdom