Research by: Aliaksandr Trafimchuk, Raman Ladutska

This research comes as a follow-up to our previous article on Trickbot,  “When Old Friends Meet Again: Why Emotet Chose Trickbot For Rebirth” where we provided an overview of the Trickbot infrastructure after its takedown. Check Point Research (CPR) now sheds some light on the technical details of key Trickbot modules.

Trickbot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand. Such modules allow the execution of all kinds of malicious activities and pose great danger to the customers of 60 high-profile financial (including cryptocurrency) and technology companies, mainly located in the United States. For a full list of the targeted companies, see the Appendix. These brands are not the victims but their customers might be the targets.

^{Figure 1 – Several companies whose customers are targeted by Trickbot}

We previously discussed the de-centralized and effective Trickbot infrastructure, and now we see that the malware is very selective in how it chooses its targets. Various tricks – including anti-analysis – implemented inside the modules show the authors’ highly technical background and explain why Trickbot remains a very prevalent malware family.

Below is a heat-map with the percentage of organizations that were affected by Trickbot in each country in 2021:

 

^{Figure 2 – Percentage of impacted organizations by Trickbot (the darker the color – the higher the impact)}

Below is a table that shows the percentage of organizations affected by Trickbot in each region:

Region	Organizations affected	Percentage
World	1 of every 45	2.2%
APAC	1 of every 30	3.3%
Latin America	1 of every 47	2.1%
Europe	1 of every 54	1.9%
Africa	1 of every 57	1.8%
North America	1 of every 69	1.4%

There is a lot of attention currently going to the possible detention of TrickBot gang members. This investigation may have long-term consequences for malware operators. We have decided to approach this issue differently: from the history of rise and fall of different malware operations, we know that although malware may become inactive, its technical aspects are often re-used in other successors.

We explore the technical details of key TrickBot modules and explain how they operate. No matter what awaits TrickBot botnet, the thorough efforts put into the development of sophisticated TrickBot code will likely not be lost and the code would find its usage in the future.

In this article, we focus on the three key modules below and describe Trickbot’s anti-analysis techniques:

• injectDll
• tabDll
• pwgrabc

injectDll: web-injects module

Web-injects cause a lot of harm to victims because such modules steal banking and credential data and could cause great financial damage via wire transfers. Add Trickbot’s cherry-picking of victims, and the menace becomes even more dangerous.

The injectDll module performs browser data injection, including JavaScript which targets customers of 60 high-profile companies in the financial (including cryptocurrency) and technology spheres.

Not only does this module target high-profile organizations, it also features several anti-analysis techniques which we describe below.Before the takedown in October 2020, the injectDll module had a configuration built from two config types “sinj” and “dinj” (located at the end of the module):

^{Figure 3 – Configuration of the injectDLL module in 2020}

Now web-injects come with the “winj” config from C2:

^{Figure 4 – Configuration of the injectDLL module in 2021}

And they may look like this:

^{Figure 5 – Web-inject from the injectDLL module}

We can recognize a well-known web-injects format from Zeus (https://www.malware.unam.mx/en/content/zeus-analysis-configuration-file-attacked-banking-internet). The payload which is injected to the page is minified (making the code size smaller makes the code unreadable), obfuscated, and contains anti-deobfuscation techniques. These techniques are based on JavaScript function string representation and its comparison with a hardcoded Regular Expression which should match the obfuscated function code. If the representation of the function doesn’t match the browser, the tab process crashes (we describe the technique later in this article).

If all the checks passed successfully, the script constructs the URL of the second stage web-inject, in this case:

https://myca.adprimblox.fun/E4BFFED4E95C646B0EB2072FB593CA3D/dmaomzs1e5cl/6vpixf7ug8h5sli7gqwj/jquery-3.5.1.min.js

This URL is built from %BOTID%, and two decoded constants. The C2 server strictly checks that the URL must end with “6vpixf7ug8h5sli7gqwj/jquery-3.5.1.min.js”. If the client tries to access any non-existent endpoint, the C2 server blocks network packets of the researcher’s external IP for a period of time.

The name of the script disguises itself as a well-known legitimate JavaScript jQuery library. The “second” stage web-inject is heavier than the first stage and is only loaded from the targeted page (for example, Amazon or some banking’s page) so as not to reveal the C2 servers. Its payload is also minified and obfuscated, contains a few layers of anti-deobfuscation techniques, and contains the code which grabs the victim’s keystrokes and web form submit actions.

The “second” stage of the web-inject, which targets a legitimate “https://sellercentral.amazon.com/ap/signin” site, collects information from the login action and saves the “ap_email” and “ap_password” fields for a C2 payload. The payload is sent to another C2 server, which is decrypted (as other strings in the script) using RC4:

https://akama.pocanomics.com/ws/v2/batch

^{Figure 6 – Example of the prepared payloads}

The assembled HTTP request’s payload looks like this:

m=login&[email protected]&pass=pass&b=E4BFFED4E95C646B0EB2072FB593CA3C&q=sipdialm&v=8may&w=1

Where the “login” and “pass” fields hold captured credentials, the “b” field holds %BOT_ID%, and the “v” (and probably “w”) field is the version. (Note – we are not sure about the purpose of these fields.)

This payload is then encrypted using XOR with an “ahejHKuD5H83UpkQgJK” key. The pseudocode of the payload encryption algorithm is shown below:

let to_send = b64encode(xor_with(unescape(encodeURIComponent(payload)), ‘ahejHKuD5H83UpkQgJK’));

Anti-Deobfuscation technique

Usually a researcher tries to analyze minified and obfuscated JavaScript code using tools like JavaScript Beautifiers, deobfuscators like de4js, and so on.

After we applied these tools, we noticed that although the code became more readable, it also stopped working.

In the screenshot below, we’ve marked two places in red. The first one is a function which is very simple and performs “return ‘newState’. The second red mark expects the function to be obfuscated.

^{Figure 7 – Anti-deobfuscation tricks in the code}

Here is the deobfuscated function representation (this means after calling the .toString() function):

^{Figure 8 – Deobfuscated function}

And here is how it must look to pass the anti-deobfuscation trick:

^{Figure 9 – Obfuscated function}

Anti-Analysis Technique

Another anti-analysis technique we encountered is one that prevents a researcher from sending automated requests to Command-and-Control servers to get fresh web-injects. If there is no “Referer” header in the request, the server will not answer with a valid web-inject. Here is an example of a valid request:

^{Figure 10 – Example of a successful request to a Command-and-Control server from the injectDLL module}

The response looks like the one shown below:

^{Figure 11 – Response received from a Command-and-Control server of the injectDLL module}

tabDLL module

The purpose of this DLL is to grab the user’s credentials and spread the malware via network share. It grabs credentials in 5 steps:

1. Enables storing user credential information in the LSASS application.
2. Injects the “Locker” module into the “explorer.exe” application.
3. From the infected “explorer.exe”, forces the user to enter login credentials to the application and then locks the user’s session.
4. The credentials are now stored in the LSASS application memory.
5. Grabs the credentials from the LSASS application memory using the mimikatz technique.

The credentials are then reported to C2. Lastly, it uses the EternalRomance exploit to spread via the SMBv1 network share.

These steps are summarized in the diagram below:

 

^{Figure 12 – Steps to grab a user’s credentials as executed by the “tabDll” module}

The obfuscation level decreased when a botnet operator used a random key for string encryption algorithm. We encountered such a case with a low obfuscation level when the string “GetCurrentProcess” became easily readable:

^{Figure 13 – Low level of obfuscation}

Another example below:

^{Figure 14 – No key is used for the obfuscation}

In this case, no key is used for decryption. However, these cases remain rare throughout the modules and samples.

pwgrabc module

The pwgrabc is a credential stealer for various applications. This is the full list of targeted applications:

• Chrome
• ChromeBeta
• Edge
• EdgeBeta
• Firefox
• Internet Explorer
• Outlook
• Filezilla
• WinSCP
• VNC
• RDP
• Putty,
• TeamViewer
• Precious
• Git
• OpenVPN
• OpenSSH
• KeePass
• AnyConnect
• RDCMan

Conclusion

Based on our technical analysis, we can see that Trickbot authors have the skills to approach the malware development from a very low level and pay attention to small details. Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage.

Meanwhile, from our previous research, we know that the operators behind the infrastructure are very experienced with malware development on a high level as well.

The combination of these two factors has already led to more than 140,000 infected victims after the takedown, several 1^st place rankings in top malware prevalence lists, and collaboration with Emotet – all within a year.

Trickbot remains a dangerous threat that we will continue to monitor, along with other malware families.

 

Check Point Protections

Check Point Provides Zero-Day Protection across Its Network, Cloud, Users and Access Security Solutions. Whether you’re in the cloud, the data center, or both, Check Point’s Network Security solutions simplify your security without impacting network performance, provide a unified approach for streamlined operations, and enable you to scale for continued business growth. Quantum provides the best zero-day protection while reducing security overhead. 

Check Point Harmony Network Protections:

Trojan-Banker.Win32.TrickBot

Threat Emulation protections:

Banker.Win32.Trickbot.TC

Trickbot.TC

Botnet.Win32.Emotet.TC.*

Emotet.TC.*

TS_Worm.Win32.Emotet.TC.*

Trojan.Win32.Emotet.TC.*

 

Appendix – The list of targeted companies (via web-injects)

Company	Field
Amazon	E-commerce
AmericanExpress	Credit Card Service
AmeriTrade	Financial Services
AOL	Online service provider
Associated Banc-Corp	Bank Holding
BancorpSouth	Bank
Bank of Montreal	Investment Banking
Barclays Bank Delaware	Bank
Blockchain.com	Cryptocurrency Financial Services
Canadian Imperial Bank of Commerce	Financial Services
Capital One	Bank Holding
Card Center Direct	Digital Banking
Centennial Bank	Bank Holding
Chase	Consumer Banking
Citi	Financial Services
Citibank	Digital Banking
Citizens Financial Group	Bank
Coamerica	Financial Services
Columbia Bank	Bank
Desjardins Group	Financial Services
E-Trade	Financial Services
Fidelity	Financial Services
Fifth Third	Bank
FundsXpress	IT Service Management
Google	Technology
GoToMyCard	Financial Services
HawaiiUSA Federal Credit Union	Credit Union
Huntington Bancshares	Bank Holding
Huntington Bank	Bank Holding
Interactive Brokers	Financial Services
JPMorgan Chase	Investment Banking
KeyBank	Bank
LexisNexis	Data mining
M&T Bank	Bank
Microsoft	Technology
Navy Federal	Credit Union
paypal	Financial Technology
PNC Bank	Bank
RBC Bank	Bank
Robinhood	Stock Trading
Royal Bank of Canada	Financial Services
Schwab	Financial Services
Scotiabank Canada	Bank
SunTrust Bank	Bank Holding
Synchrony	Financial Services
Synovus	Financial Services
T. Rowe Price	Investment Management
TD Bank	Bank
TD Commercial Banking	Financial Services
TIAA	Insurance
Truist Financial	Bank Holding
U.S. Bancorp	Bank Holding
UnionBank	Commercial Banking
USAA	Financial Services
Vanguard	Investment Management
Wells Fargo	Financial Services
Yahoo	Technology
ZoomInfo	Software as a service

IOCs

myca.adprimblox.fun
akama.pocanomics.com
524A79E37F6B02741A7B6A429EBC2E33306068BDC55A00222B6C162F396E2736