TrickBot’s bag of tricks

Bart Parys Threat Intelligence Analyst, PwC United Kingdom 26/05/17

In this blog post, we'll analyse a TrickBot binary with the MD5 hash 1bc7517f20b7b3e9d67c776f5e1bf7df.

TrickBot ships with a hardcoded configuration by default, and our binary is no different. When communicating with the C2, TrickBot will often download an updated configuration. In our case, the same hardcoded configuration is used throughout the whole infection chain.

The <ver> tag gives the TrickBot version, 1000017 in this sample. The <gtag> is the campaign ID, the <srv> entries list the C2 servers used for reporting back and downloading additional modules, and the <autorun> tag lists the modules to fetch. More often than not, these C2 servers are compromised devices, such as wireless routers.
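A small extractor for a configuration of this shape is often the first thing an analyst writes, because the <srv> list is the IOC set and the <autorun> list tells you which modules to expect on disk. The following is an added example, not code from the post: the sample configuration is constructed, and the outer <mcconf> wrapper, the <servs> wrapper, the <module name="..."/> form, the gtag value, the addresses and the module names are assumptions; only the version number 1000017 comes from the analysed binary.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the layout the post describes: <ver>, <gtag>, a C2
# list of <srv> entries and an <autorun> module list. Wrapper tag names,
# the gtag value, addresses and module names are assumptions; a deliberately
# malformed <srv> entry is included to exercise the error path.
SAMPLE_CONFIG = """<mcconf>
<ver>1000017</ver>
<gtag>tt0002</gtag>
<servs>
<srv>192.0.2.10:443</srv>
<srv>198.51.100.7:449</srv>
<srv>malformed-entry</srv>
</servs>
<autorun>
<module name="systeminfo"/>
<module name="injectDll"/>
</autorun>
</mcconf>"""


@dataclass
class TrickBotConfig:
    version: int
    gtag: str
    servers: List[Tuple[str, int]] = field(default_factory=list)
    modules: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)  # <srv> entries that did not parse


def parse_srv(entry: str) -> Tuple[str, int]:
    """Split a 'host:port' <srv> entry; raise ValueError on anything else."""
    host, sep, port = entry.strip().rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"bad <srv> entry: {entry!r}")
    port_no = int(port)
    if not 0 < port_no < 65536:
        raise ValueError(f"bad port in <srv> entry: {entry!r}")
    return host, port_no


def parse_config(text: str) -> TrickBotConfig:
    """Parse a TrickBot-style config; malformed C2 entries are kept in .rejected."""
    root = ET.fromstring(text)
    ver = root.findtext("ver")
    gtag = root.findtext("gtag")
    if ver is None or gtag is None or not ver.strip().isdigit():
        raise ValueError("missing or non-numeric <ver>, or missing <gtag>")
    cfg = TrickBotConfig(version=int(ver), gtag=gtag.strip())
    for srv in root.iter("srv"):
        try:
            cfg.servers.append(parse_srv(srv.text or ""))
        except ValueError:
            cfg.rejected.append((srv.text or "").strip())
    cfg.modules = [m.get("name") for m in root.iter("module") if m.get("name")]
    return cfg


def c2_iocs(cfg: TrickBotConfig) -> List[str]:
    """C2 servers as plain host:port strings, ready for a blocklist."""
    return [f"{h}:{p}" for h, p in cfg.servers]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(f"version={cfg.version} gtag={cfg.gtag}")
    print("C2:", ", ".join(c2_iocs(cfg)))
    print("modules:", ", ".join(cfg.modules))
    print("rejected:", cfg.rejected)
```

Rejected entries are kept rather than silently dropped so that a configuration with an unexpected C2 format shows up in the output instead of yielding a shorter IOC list. When feeding real decrypted configurations to this parser, use defusedxml (or another hardened parser) rather than the standard library parser, since the input is attacker-controlled.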

Analysis

When we execute the binary on our system, the first thing it does, before contacting any of the C2s in the list, is determine our external IP address. This is done by simply querying a list of public external-IP lookup services in turn until one responds.

Afterwards, a POST request is sent to the C2 server, including the name of the machine, Operating System version, and a hash unique to the machine. An example request is as follows:

The U3VjY2Vzcw== value is base64 encoded and translates to ‘Success’, indicating a successful DLL injection into a browser’s process, enabling web injects. 

The content of the HTTP POST request, including the information in the MIME data, is reminiscent of Dyre, a.k.a. Dyreza, a banking trojan which ceased to exist during the first months of 2016, believed to be a consequence of Russian authorities raiding an office thought to be used by the Dyre cyber criminal gang.

Analysis also shows that the binary contains a Domain Generation Algorithm (DGA), used to redirect victims to a generated domain rather than the genuine online banking website; the redirect target is an exact duplicate of the bank's site. The DGA always uses the same hardcoded top-level domains (TLDs): .net, .org and .com, and the label in front of the TLD is always 28 random characters, for example: kbsavjthsyofzqnpburdxgciweam[.]net
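The fixed shape of these domains (exactly 28 letters directly under .net, .org or .com) is narrow enough to hunt for in DNS logs. The following detector is an added example, not part of the original post: the DNS log lines are constructed, and apart from the example domain above none of the names come from the analysis. It goes slightly beyond the text by also matching subdomains of a generated domain and by undoing common defanging before matching.

```python
import re
from typing import List, Tuple

# Shape described in the post: a 28-letter label directly under .net/.org/.com.
TRICKBOT_DGA_RE = re.compile(r"^[a-z]{28}\.(?:net|org|com)$")


def normalise(domain: str) -> str:
    """Undo common defanging ([.] and (.)), lower-case, drop a trailing dot."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def registrable(domain: str) -> str:
    """Last two labels, so that subdomains of a generated domain also match."""
    labels = normalise(domain).split(".")
    return ".".join(labels[-2:])


def looks_like_trickbot_dga(domain: str) -> bool:
    return TRICKBOT_DGA_RE.match(registrable(domain)) is not None


# Constructed DNS query log lines (timestamp, client, record type, name).
# Only the first name is taken from the post; the rest are made-up controls:
# a 28-letter label under .org (hit), a 26-letter one (miss), the example
# label under .co.uk (miss, not a TLD the DGA uses) and a subdomain (hit).
SAMPLE_DNS_LOG = """\
2017-05-20T10:01:02Z ws01 A kbsavjthsyofzqnpburdxgciweam[.]net
2017-05-20T10:01:05Z ws01 A www.example.com
2017-05-20T10:01:09Z ws02 A abcdefghijklmnopqrstuvwxyzab.org
2017-05-20T10:01:11Z ws02 A abcdefghijklmnopqrstuvwxyz.com
2017-05-20T10:01:13Z ws03 A kbsavjthsyofzqnpburdxgciweam.co.uk
2017-05-20T10:01:15Z ws03 A mail.kbsavjthsyofzqnpburdxgciweam.net
"""


def find_dga_hits(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, domain) for every query matching the TrickBot DGA shape."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole sweep
        client, name = parts[1], parts[3]
        if looks_like_trickbot_dga(name):
            hits.append((client, normalise(name)))
    return hits


if __name__ == "__main__":
    for client, domain in find_dga_hits(SAMPLE_DNS_LOG):
        print(f"{client}: {domain}")
```

A 28-letter second-level label under one of these three TLDs is rare in legitimate traffic, but it is not impossible, so treat a hit as a lead to pivot on (the querying host, the resolved IP, and whether it overlaps the C2 list above) rather than as proof on its own.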

The values in the POST request mentioned above are also reflected on disk in the current user’s %appdata% folder as different files; respectively group_tag (campaign ID) and client_id (machine name, OS build and unique hash). Additionally, a folder called Modules is created with encrypted DLLs and configuration, responsible for injection and gathering of system information, such as installed software, running services and processes, and much more.


Interestingly, it appears that the authors behind TrickBot deliver custom modules or payloads for specific targets. For example, a reference in one of the decrypted DLLs sets a specific configuration block, with additional references to 'client work'.

This may suggest the TrickBot authors are also available ‘for hire’ by other cybercriminals or criminal affiliations.

Besides injecting DLLs into browser processes such as Internet Explorer and Mozilla Firefox, the binary also performs a technique known as process hollowing on a newly started svchost.exe process. It does this twice, resulting in two svchost.exe processes running as children of the original binary.

Should a child or the parent process be killed, it is immediately restarted, because the binary creates a scheduled task, inconspicuously named 'ServiceTask'.
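The host-side artefacts described above (group_tag, client_id and a Modules folder under %APPDATA%, two svchost.exe processes parented by the dropper, and a scheduled task named ServiceTask) combine into a simple endpoint triage rule. The following is an added example, not code from the post: it runs over a constructed Sysmon-style event stream (event 1 = process create, 11 = file create, plus a Security 4698-style scheduled-task creation). The %APPDATA%\winapp folder, the dropper name trick.exe, the file name under Modules and all PIDs are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed events; folder name, dropper name, module file name and PIDs are
# assumptions. The last svchost.exe (parented by services.exe) is a control.
APPDATA = r"C:\Users\victim\AppData\Roaming"
EVENTS = [
    {"id": 1, "pid": 612, "ppid": 480, "image": r"C:\Windows\System32\services.exe",
     "parent": r"C:\Windows\System32\wininit.exe"},
    {"id": 1, "pid": 3400, "ppid": 2900, "image": APPDATA + r"\winapp\trick.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 3400, "target": APPDATA + r"\winapp\group_tag"},
    {"id": 11, "pid": 3400, "target": APPDATA + r"\winapp\client_id"},
    {"id": 11, "pid": 3400, "target": APPDATA + r"\winapp\Modules\systeminfo32"},
    {"id": 1, "pid": 3520, "ppid": 3400, "image": r"C:\Windows\System32\svchost.exe",
     "parent": APPDATA + r"\winapp\trick.exe"},
    {"id": 1, "pid": 3544, "ppid": 3400, "image": r"C:\Windows\System32\svchost.exe",
     "parent": APPDATA + r"\winapp\trick.exe"},
    {"id": 1, "pid": 3600, "ppid": 612, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 4698, "pid": 3400, "task": r"\ServiceTask"},
]

ARTIFACT_NAMES = {"group_tag", "client_id"}   # files the post reports in %APPDATA%
TASK_NAMES = {"servicetask"}                  # persistence task name from the post


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(events: List[dict]) -> Dict[str, object]:
    """Collect the three indicator families; each is reported independently."""
    # svchost.exe is normally started by services.exe. Any other parent is a
    # hollowing candidate, and the post describes two such children per dropper.
    odd_svchost = defaultdict(list)
    files, tasks = [], []
    for ev in events:
        if ev["id"] == 1 and basename(ev["image"]).lower() == "svchost.exe":
            if basename(ev["parent"]).lower() != "services.exe":
                odd_svchost[ev["parent"]].append(ev["pid"])
        elif ev["id"] == 11:
            target = ev["target"]
            low = target.lower()
            if "\\appdata\\roaming\\" in low and (
                basename(target) in ARTIFACT_NAMES or "\\modules\\" in low
            ):
                files.append(target)
        elif ev["id"] == 4698 and ev["task"].strip("\\").lower() in TASK_NAMES:
            tasks.append(ev["task"])
    return {
        # only parents with two or more odd svchost children, as in the post
        "hollowed_svchost": {p: pids for p, pids in odd_svchost.items() if len(pids) >= 2},
        "dropped_files": files,
        "persistence_tasks": tasks,
    }


if __name__ == "__main__":
    for family, findings in triage(EVENTS).items():
        print(f"{family}: {findings}")
```

On real telemetry the svchost.exe parent check needs an allow-list beyond services.exe (some security products and installers legitimately spawn it), and the "\Modules\" path test should be narrowed to the specific drop folder once it is known, otherwise it will also flag unrelated software that keeps a Modules directory under the roaming profile.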


TrickBot’s configuration file shows an impressive number of targeted banks in a variety of regions, such as the UK, Australia and New Zealand, as well as banks in China and Singapore. This shows the TrickBot authors like to perform opportunistic targeting, harvesting as many credentials as possible. We expect the TrickBot authors to increase their targeting of banks and more specifically Western banks, using the flexible method of a configuration file to provide the web injects.

Indicator                                                          Type
4be3286c57630fb81e079c1aa3bf3203                                   MD5
fe2d9595a96046e441e43f72deac8cb0                                   MD5
5a137c1dd4a55c06531bdbfeaf15c894                                   MD5
8bf6ee81794c965f38484c0570718971                                   MD5
9d166a822439a47eb2dfad1aeb823638                                   MD5
6e714a44051f74ee2f8f570ea1a6b2b9                                   MD5
44964db9c3ad8bea0d0d43340c4b0a3a                                   MD5
45160aa23d640f8d1bcb263c179f84f9                                   MD5
e8fcae05cfb72b109db17fe69c292758                                   MD5
c4acef1322b335d6b6f7a924d9af4ad6                                   MD5
440d284b8c4b85f806b113507dc55004                                   MD5
6135d0ef033e82c6756cbc11416c9f6c                                   MD5
1bc7517f20b7b3e9d67c776f5e1bf7df                                   MD5
68e762001faa31193081279ccfb01c19                                   MD5
ef393133f39f20f7cc685d0cc59b0f5e                                   MD5
3f8fe650b06cb4b869fb7c4486ff0403                                   MD5
998718d01e49f4ac30210092d17ef4dc                                   MD5
2bd1db2f8f10f32998c4a23a41286073                                   MD5
2440448d00f0a2edfa321a2784c32775                                   MD5
5e6795e64b3ea622799acad4d51ffbab                                   MD5
dcd0e73b264427269c262d6dc070570ce76c56faaf5ccfcebc0ae79b4e32130d   SHA-256
06690d06c356d91673510e083b5d6e1d1ae2bef1b5b77e88b10388d7527fbde2   SHA-256
2c8c58a6ac929cd4e2b65c3982d57a255504764c4986d8a107272516787e5e44   SHA-256
c19ed0c625bc88aa076bb8b2da5c52e215eeac42caf835371d010a4ce64e90c8   SHA-256
4d36a7c86db693718ec71c33fc66f7444f541c5e193422b2a8dc38855558aa9c   SHA-256
f1f15bc285256f1958da74419fd596952b3a166dd6174bd6835e2af76fac637e   SHA-256
be9d8f31e9dfaab5c2d22a1399e92d6ab41678d2b0c1c9fa2937c6d40bcc1158   SHA-256
10e93082a97d64e3215c9338142cfbd3bc95c533c5cb5aa7e0b7a7f4ec1b3ef7   SHA-256
67a3dedd64c18a8b50f673638af4ab678d0974e952692a237a57eb5e7cc47cf7   SHA-256
473fdeb2b568751d762ffe64287ed5035c6e7ea8fa6e1aba22518f480827ab95   SHA-256
c7a3123a5cff9c78e2fd926c6800a6c6431c8bca486ce11319a9a8f6fa83945c   SHA-256
f095c730442b5d72e0c234bc66c7d23e32e04d53018606b6cdc5e13c51451a6f   SHA-256
8f31c2f384cf7aecd7cef93f2c793233ce10104a09a3a438e5efb7e5a575277c   SHA-256
c8577ae514d60239b81a37396f85fb1ab661efae37b6b511e83ac239a2cbbd06   SHA-256
79b772476c8d5dc09bbbc615408a33cfc70eb0c49a268c25932c1f4fdcb940ff   SHA-256
ae5d6b400ec4ca773d19d689ca3a3d328a1604242c0146d76110d79892529243   SHA-256
f70b800fe6145186c7f4763536959eeb8efa804395cca25d1cf07f4d46a11795   SHA-256
eca44266bbaeb69286b0edbbe2f9cea6ca0633077044990c7d660c03058fbaa5   SHA-256
2f38a85818f2e4a97995027349798e81f588634b280d11e217b1387ae1cb91a5   SHA-256
85528e675dd0ebbc4dca36d501268f5fc3b35c8cc6fe7648aa62530f032ec3a9   SHA-256
103.198.130.148                                                    IP address
103.58.144.249                                                     IP address
115.186.139.104                                                    IP address
138.186.22.2                                                       IP address
168.194.80.70                                                      IP address
176.121.213.31                                                     IP address
177.104.69.130                                                     IP address
177.231.253.158                                                    IP address
177.87.233.4                                                       IP address
184.160.113.13                                                     IP address
185.158.175.95                                                     IP address
185.27.219.173                                                     IP address
185.47.136.111                                                     IP address
185.8.0.182                                                        IP address
186.208.102.185                                                    IP address
186.208.106.234                                                    IP address
186.208.111.188                                                    IP address
188.255.156.67                                                     IP address
188.255.249.27                                                     IP address
190.2.235.246                                                      IP address
196.11.84.62                                                       IP address
200.116.206.58                                                     IP address
217.31.110.43                                                      IP address
36.66.107.162                                                      IP address
37.61.239.216                                                      IP address
49.156.45.139                                                      IP address
5.172.33.237                                                       IP address
5.172.34.138                                                       IP address
82.146.94.150                                                      IP address
82.146.94.86                                                       IP address
84.42.159.138                                                      IP address
95.104.2.225                                                       IP address
96.9.69.131                                                        IP address

Conclusion

TrickBot appears to be in continuous development, simultaneously adding options to its modular malware and extending the list of targeted banks. While TrickBot is not nearly as widely used as other known banking trojans, PwC analysts predict a considerable uptick of this malware in the coming months. We continue to monitor this particular banking trojan.
