We have identified an ongoing phishing campaign using Trickbot

We have identified a scam using Trickbot and here are our recommendations

The ISH Threat Intelligence team detected an ongoing phishing campaign using Trickbot, a sophisticated Trojan first identified in 2016 and constantly updated. Trickbot is used to steal information from individuals and companies, and to download payloads of other malware families, including Emotet (banking Trojan), Ryuk and Conti (ransomware).

Trickbot infection involves several steps. This analysis started from an Excel spreadsheet with malicious macros, of the kind employed in spam, phishing and spear phishing campaigns.

In this post, you will understand how to mitigate risks related to this scam that has already stolen the data of about 500,000 people.

Malicious document

The initial access vector analysed by ISH is a spreadsheet with XLM macros. These are Excel 4.0 macros, which still run in modern versions of Office. Cybercriminal groups have employed this type of malicious routine with great effectiveness, since such code is harder to analyse than malicious routines written in VBA (the macro language used by modern versions of the office suite). The following image shows the XLM macro unmasked:

The routine in question downloads a PE from the URL http://shatteredglass.io/uo/date.php (already taken offline by the malware authors) and saves it as a DLL named Hole.fisk. The native Windows executable rundll32.exe is then used to run the payload via its StartW export.

Malicious DLL

Since the URL used by the malicious document has already been taken offline, we turned to malware repositories to obtain a copy of the DLL downloaded by the above macros.

As shown above, the executable in question has the ability to take screenshots of the target machine, log keystrokes (keylogger), hook other processes, and perform file operations. The sample is packed; to get around this, dynamic analysis was performed on a memory dump.

Command:

%s\ShellNew

%s\DefaultIcon

%s\shellprintto%s

%s\shellprint%%%s

%s\shellopen%%s

The above strings, extracted after unpacking, demonstrate the reverse shell functionality. It is inferred that the print and printto commands are used to capture screenshots of the target workstation, while the open command demonstrates one of the available filesystem operations. It can be assumed with good confidence that the reverse shell is one of the means used to download additional payloads, such as the aforementioned Emotet, Ryuk and Conti. It is important to note that the above strings exist only in memory, so using them as indicators of compromise for the malicious DLL on disk is useless.

TrickBot executable

Finally, we obtained a sample of the Trickbot executable itself. A cursory analysis of the file on disk reveals the same functionality as the DLL detailed above:

As with the malicious DLL, this PE was run on a virtual machine to enable dynamic analysis via memory dump. After execution, the malware creates an instance of the legitimate Windows Error Reporting manager process, wermgr.exe, and injects its code into it. The target process then contacts the Trickbot command and control (C2) server IPs:

108.170.20.72:443 ESTABLISHED 2912 wermgr.exe
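A small triage helper for the behaviour just described, added here as an example and not part of the original analysis: it parses "netstat -ano"-style lines joined with the owning process name (the input below is constructed; only the 108.170.20.72 entry comes from this page) and flags wermgr.exe sessions to the known C2 address, while marking any other public-address session from that process for review, since legitimate Windows Error Reporting uploads to Microsoft also originate from it.

```python
import ipaddress
import re

# Constructed netstat-style sample. The first line mirrors the evidence shown
# above; the remaining lines are made up to exercise the other branches.
SAMPLE_NETSTAT = """\
TCP    192.168.1.20:49712   108.170.20.72:443    ESTABLISHED   2912   wermgr.exe
TCP    192.168.1.20:49713   13.107.4.50:443      ESTABLISHED   3100   wermgr.exe
TCP    192.168.1.20:49720   192.168.1.5:445      ESTABLISHED   4      System
TCP    192.168.1.20:49730   142.250.72.14:443    ESTABLISHED   5210   chrome.exe
"""

# Known Trickbot C2 address taken from this page's IoC list.
KNOWN_C2 = {"108.170.20.72"}

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)\s+(?P<proc>\S+)\s*$"
)


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', 443)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def find_suspicious_wermgr(netstat_text, known_c2=KNOWN_C2):
    """Return (pid, remote_ip, port, verdict) tuples for wermgr.exe sessions.

    A session to a listed C2 address is a hit; any other session from
    wermgr.exe to a public address is returned as 'review', because the
    process does legitimately reach Microsoft error-reporting endpoints.
    Private-address and non-wermgr.exe sessions are ignored.
    """
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proc"].lower() != "wermgr.exe":
            continue
        ip_str, port = split_endpoint(m["remote"])
        if ip_str in known_c2:
            verdict = "known Trickbot C2"
        elif ipaddress.ip_address(ip_str).is_global:
            verdict = "review: wermgr.exe session to public address"
        else:
            continue
        findings.append((int(m["pid"]), ip_str, port, verdict))
    return findings
```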

Dynamic analysis provided the following target addresses:


It is also noted that information is sent from the infected machine via HTTP GET to the command and control servers, as shown below:

The IP address beginning with 179 is the public IP of the infected asset, JOHN is the user name and Windows 8.1 x64 is the version of the operating system present on the machine.

Disclaimers

This analysis was performed separately on each of the artifacts that make up the Trickbot infection chain. For that reason, no evidence of interaction between infection components was recovered. It is also important to remember that Trickbot is malware that offers several functionalities to its controllers. Since the memory dump of the virtual machine was taken right after the malware was executed, the controllers had not yet interacted with it, and therefore no evidence of file exfiltration or contamination by other malware families was collected.

Suggestions

The infection model discussed here relied on a malicious document that employs Excel 4.0 macros. In addition to the recommendations further down in this document, we recommend disabling these legacy macros in Office 365. This can be done via GPO. More information on how to create such a GPO can be found in this link here.

Ask your Microsoft Specialist to review and adapt the reference information presented in this link according to your environment.

Since Trickbot employs wermgr.exe to interact with its C2 addresses, it is recommended to inspect the network behaviour of this process against the IPs provided in the IoC list below. Finally, remember again that the strings with the reverse shell commands exist only in memory. Thus, it only makes sense to employ them as indicators in memory forensics analysis.

Indicators of Compromise (IoC)

MALICIOUS EXCEL

##SHA1 fcf07b3697603dfb5a42a74c998e0f192d6476e0

##SHA256 abc84402e839a361039e545f5d11714d546610facd0a2ff1bd02e4e90dcc75c3

http://shatteredglass.io/uo/date.php

DLL TRICKBOT

##SHA1 b92b8d32e7045d5fab7a328ef2bf5d994266b672

##SHA256 9097b0addfbac3065c0500e637ad4828600ece935a114066a948a373d9509c8a

##STRINGS (MEMORY ONLY)

SoftwareMicrosoft\Windows\CurrentVersion\Policies\Comdlg32

SoftwareMicrosoft\Windows\CurrentVersion\Policies\Network

SoftwareMicrosoft\Windows\CurrentVersion\Policies\Explorer

command

%s\ShellNew

%s\DefaultIcon

%shellprintto%s

%shellprint%s

%s\shellopen%s

TRICKBOT EXECUTABLE (.exe)

##SHA1 6d0f56c5dd2a3ee7b2ca81f0f04974b8062a0aca

##SHA256 a85830e2ae2702929bd6135e48517be59fb72396af8a19c16311f5fe0c27a509

##ADDRESSES REACHED:


Detection

IDS/IPS signatures

Based on CISA's published work, below are the Snort signatures recommended by that agency for detecting network events associated with TrickBot activity. We recommend that your IDS/IPS specialist analyse and adapt them according to the technical and security requirements of your environment.

alert tcp any [443,447] -> any any (msg: "TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'example.com' (Hex)"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|0b|example.com"; fast_pattern:only; content: "Global Security"; content: "IT Department"; pcre:"/(?:\x09\x00\xc0\xb9\x3b\x93\x72\xa3\xf6\xd2|\x00\xe2\x08\xff\xfb\x7b\x53\x76\x3d)/"; classtype:bad-unknown; metadata:service ssl,service and-ports;)
alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT_ANCHOR:HTTP URI GET contains '/anchor'"; sid:1; rev:1; flow:established,to_server; content:"/anchor"; http_uri; fast_pattern:only; content:"GET"; nocase; http_method; pcre:"/^\/anchor_?.{3}\/[\w_-]+\.[A-F0-9]+\/?$/U"; classtype:bad-unknown; priority:1; metadata:service http;)
alert tcp any $SSL_PORTS -> any any (msg: "TRICKBOT:SSL/TLS Server X.509 Cert Field contains 'C=XX, L=Default City, O=Default Company Ltd'"; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:"|31 0b 30 09 06 03 55 04 06 13 02|XX"; nocase; content:"|31 15 30 13 06 03 55 04 07 13 0c|Default City"; nocase; content:"|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd"; nocase; content:!"|31 0c 30 0a 06 03 55 04 03|"; classtype:bad-unknown; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)
alert tcp any any -> any $HTTP_PORTS (msg: "TRICKBOT:HTTP Client Header contains 'boundary=Arasfjasu7'"; sid:1; rev:1; flow:established,to_server; content: "boundary=Arasfjasu7|0d 0a|"; http_header; content: "name=|22|proclist|22|"; http_header; content:!"Referer"; content:!"Accept"; content: "POST"; http_method; classtype:bad-unknown; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP Client Header contains 'User-Agent|3a 20|WinHTTP loader/1.'"; sid:1; rev:1; flow:established,to_server; content:"User-Agent|3a 20|WinHTTP loader/1."; http_header; fast_pattern:only; content:".png|20|HTTP/1."; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{2,5})?$/mH"; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; classtype:bad-unknown; metadata:service http;)
alert tcp any $HTTP_PORTS -> any any (msg: "TRICKBOT:HTTP Server Header contains 'Server|3a 20|Cowboy'"; sid:1; rev:1; flow:established,from_server; content:"200"; http_stat_code; content: "Server|3a 20|Cowboy|0d 0a|"; http_header; fast_pattern; content: "content-length|3a 20|3|0d 0a|"; http_header; file_data; content:"/1/"; depth:3; isdataat:!1,relative; classtype:bad-unknown; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg:"TRICKBOT:HTTP URI POST contains C2 Exfil"; sid:1; rev:1; flow:established,to_server; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary"; http_header; fast_pattern; content:"User-Agent|3a 20|"; http_header; distance:0; content:"Content-Length|3a 20|"; http_header; distance:0; content:"POST"; http_method; pcre:"/^\/[a-z]{3}\d{3}\/.+?\.[A-F0-9]{32}\/\d{1,3}\//U"; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}$/mH"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg: "HTTP URI GET/POST contains '/56evcxv' (Trickbot)"; sid:1; rev:1; flow:established,to_server; content:"/56evcxv"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)
alert icmp any any -> any any (msg: "TRICKBOT_ICMP_ANCHOR:ICMP traffic contains 'hanc'"; sid:1; rev:1; itype:8; content: "hanc"; offset:4; fast_pattern; classtype:bad-unknown;)
alert tcp any any -> any $HTTP_PORTS (msg: "HTTP Client Header contains POST with 'host|3a 20|*.onion.link' and 'data=' (Trickbot/Princess Ransomware)"; sid:1; rev:1; flow:established,to_server; content: "POST"; nocase; http_method; content: "host|3a 20|"; http_header; content:".onion.link"; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content: "data="; distance:0; within:5; classtype:bad-unknown; metadata:service http;)
alert tcp any any -> any $HTTP_PORTS (msg: "HTTP Client Header contains 'host|3a 20|tpsci.com' (trickbot)"; sid:1; rev:1; flow:established,to_server; content: "host|3a 20|tpsci.com"; http_header; fast_pattern:only; classtype:bad-unknown; metadata:service http;)

Practical recommendations for mitigation

Raising maturity and security posture

As recommended by CISA, to strengthen the security posture of your organisation's systems you can implement the recommendations below:

Note: System owners and administrators should review all configuration changes prior to implementation to avoid negative impacts.

  • Provide social engineering and phishing training to employees;
  • Consider drafting or updating a policy dealing with suspicious emails that specifies that users must report all suspicious emails to security and/or IT departments;
  • Mark external emails with a banner indicating that the email is from an external source to help users detect spoofed emails. This can be done in your anti-spam solution for example;
  • Implement a formalised anti-virus programme and patch management process;
  • Implement filters on the email gateway and block suspicious IP addresses in the firewall;
  • Follow the principle of least privilege - it is not recommended that users are administrators of their corporate devices;
  • Implement a domain-based message authentication, reporting and compliance validation system;
  • Segment and segregate networks and functions (access management);
  • Limit unnecessary lateral communications between workstations, servers and other network devices;
  • Consider the use of application whitelisting technology across all assets to ensure that only authorised software runs and that all unauthorised software is blocked from running on the assets. Ensure that this technology only allows authorised and digitally signed scripts to run on a system;
  • Deploy a multi-factor authentication technology;
  • Enable a firewall on workstations configured to deny unsolicited connection requests;
  • Disable unnecessary services on workstations and servers;
  • Implement an intrusion detection system, if not already in use, to detect known malicious activity and other potentially malicious network activity;
  • Monitor web traffic. Restrict user access to suspicious or risky websites;
  • Maintain situational awareness of the latest threats and implement appropriate access control lists;
  • Disable the use of SMBv1 on the network and require at least SMBv2 (SMBv3 strongly recommended) to protect systems against the network propagation modules used by TrickBot.

Final recommendations

Finally, keep an eye out for suspicious domains and IP addresses in the logs of tools such as your firewall and web filter. Since this attack uses legitimate processes to reach the command and control server, it is not enough to inspect only the traffic of applications you deem suspicious.

Policies on the responsible use of corporate assets, monitoring of the use of corporate resources, and references to these measures in the Information Security Policy are broadly effective in cases similar to this one.

Implementing User and Entity Behavior Analytics (UEBA) solutions can complement your security tooling with important results by analysing anomalous behaviour in your environment.

By Paulo Trindade and Alexandre Siviero