A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies

February 16, 2022

Research by: Aliaksandr Trafimchuk, Raman Ladutska

This research comes as a follow-up to our previous article on Trickbot,  “When Old Friends Meet Again: Why Emotet Chose Trickbot For Rebirth” where we provided an overview of the Trickbot infrastructure after its takedown. Check Point Research (CPR) now sheds some light on the technical details of key Trickbot modules.

Trickbot is a sophisticated and versatile malware with more than 20 modules that can be downloaded and executed on demand. Such modules allow the execution of all kinds of malicious activities and pose great danger to the customers of 60 high-profile financial (including cryptocurrency) and technology companies, mainly located in the United States. For a full list of the targeted companies, see the Appendix. These brands are not the victims but their customers might be the targets.

Figure 1 – Several companies whose customers are targeted by Trickbot

We previously discussed the de-centralized and effective Trickbot infrastructure, and now we see that the malware is very selective in how it chooses its targets. Various tricks – including anti-analysis – implemented inside the modules show the authors’ highly technical background and explain why Trickbot remains a very prevalent malware family.

Below is a heat-map with the percentage of organizations that were affected by Trickbot in each country in 2021:

 

Figure 2 – Percentage of impacted organizations by Trickbot (the darker the color – the higher the impact)

Below is a table that shows the percentage of organizations affected by Trickbot in each region:

Region Organizations affected Percentage
World 1 of every 45 2.2%
APAC 1 of every 30 3.3%
Latin America 1 of every 47 2.1%
Europe 1 of every 54 1.9%
Africa 1 of every 57 1.8%
North America 1 of every 69 1.4%

There is a lot of attention currently going to the possible detention of TrickBot gang members. This investigation may have long-term consequences for malware operators. We have decided to approach this issue differently: from the history of rise and fall of different malware operations, we know that although malware may become inactive, its technical aspects are often re-used in other successors.

We explore the technical details of key TrickBot modules and explain how they operate. No matter what awaits TrickBot botnet, the thorough efforts put into the development of sophisticated TrickBot code will likely not be lost and the code would find its usage in the future.

In this article, we focus on the three key modules below and describe Trickbot’s anti-analysis techniques:

  • injectDll
  • tabDll
  • pwgrabc

injectDll: web-injects module

Web-injects cause a lot of harm to victims because such modules steal banking and credential data and could cause great financial damage via wire transfers. Add Trickbot’s cherry-picking of victims, and the menace becomes even more dangerous.

The injectDll module performs browser data injection, including JavaScript which targets customers of 60 high-profile companies in the financial (including cryptocurrency) and technology spheres.

Not only does this module target high-profile organizations, it also features several anti-analysis techniques which we describe below.Before the takedown in October 2020, the injectDll module had a configuration built from two config types “sinj” and “dinj” (located at the end of the module):

Figure 3 – Configuration of the injectDLL module in 2020

Now web-injects come with the “winj” config from C2:

Figure 4 – Configuration of the injectDLL module in 2021

And they may look like this:

Figure 5 – Web-inject from the injectDLL module

We can recognize a well-known web-injects format from Zeus (https://www.malware.unam.mx/en/content/zeus-analysis-configuration-file-attacked-banking-internet). The payload which is injected to the page is minified (making the code size smaller makes the code unreadable), obfuscated, and contains anti-deobfuscation techniques. These techniques are based on JavaScript function string representation and its comparison with a hardcoded Regular Expression which should match the obfuscated function code. If the representation of the function doesn’t match the browser, the tab process crashes (we describe the technique later in this article).

If all the checks passed successfully, the script constructs the URL of the second stage web-inject, in this case:

https://myca.adprimblox.fun/E4BFFED4E95C646B0EB2072FB593CA3D/dmaomzs1e5cl/6vpixf7ug8h5sli7gqwj/jquery-3.5.1.min.js

This URL is built from %BOTID%, and two decoded constants. The C2 server strictly checks that the URL must end with “6vpixf7ug8h5sli7gqwj/jquery-3.5.1.min.js”. If the client tries to access any non-existent endpoint, the C2 server blocks network packets of the researcher’s external IP for a period of time.

The name of the script disguises itself as a well-known legitimate JavaScript jQuery library. The “second” stage web-inject is heavier than the first stage and is only loaded from the targeted page (for example, Amazon or some banking’s page) so as not to reveal the C2 servers. Its payload is also minified and obfuscated, contains a few layers of anti-deobfuscation techniques, and contains the code which grabs the victim’s keystrokes and web form submit actions.

The “second” stage of the web-inject, which targets a legitimate “https://sellercentral.amazon.com/ap/signin” site, collects information from the login action and saves the “ap_email” and “ap_password” fields for a C2 payload. The payload is sent to another C2 server, which is decrypted (as other strings in the script) using RC4:

https://akama.pocanomics.com/ws/v2/batch

Figure 6 – Example of the prepared payloads

The assembled HTTP request’s payload looks like this:

m=login&[email protected]&pass=pass&b=E4BFFED4E95C646B0EB2072FB593CA3C&q=sipdialm&v=8may&w=1

Where the “login” and “pass” fields hold captured credentials, the “b” field holds %BOT_ID%, and the “v” (and probably “w”) field is the version. (Note – we are not sure about the purpose of these fields.)

This payload is then encrypted using XOR with an “ahejHKuD5H83UpkQgJK” key. The pseudocode of the payload encryption algorithm is shown below:

let to_send = b64encode(xor_with(unescape(encodeURIComponent(payload)), ‘ahejHKuD5H83UpkQgJK’));

Anti-Deobfuscation technique

Usually a researcher tries to analyze minified and obfuscated JavaScript code using tools like JavaScript Beautifiers, deobfuscators like de4js, and so on.

After we applied these tools, we noticed that although the code became more readable, it also stopped working.

In the screenshot below, we’ve marked two places in red. The first one is a function which is very simple and performs “return ‘newState’. The second red mark expects the function to be obfuscated.

Figure 7 – Anti-deobfuscation tricks in the code

Here is the deobfuscated function representation (this means after calling the .toString() function):

Figure 8 – Deobfuscated function

And here is how it must look to pass the anti-deobfuscation trick:

Figure 9 – Obfuscated function

Anti-Analysis Technique

Another anti-analysis technique we encountered is one that prevents a researcher from sending automated requests to Command-and-Control servers to get fresh web-injects. If there is no “Referer” header in the request, the server will not answer with a valid web-inject. Here is an example of a valid request:

Figure 10 – Example of a successful request to a Command-and-Control server from the injectDLL module

The response looks like the one shown below:

Figure 11 – Response received from a Command-and-Control server of the injectDLL module

tabDLL module

The purpose of this DLL is to grab the user’s credentials and spread the malware via network share. It grabs credentials in 5 steps:

  1. Enables storing user credential information in the LSASS application.
  2. Injects the “Locker” module into the “explorer.exe” application.
  3. From the infected “explorer.exe”, forces the user to enter login credentials to the application and then locks the user’s session.
  4. The credentials are now stored in the LSASS application memory.
  5. Grabs the credentials from the LSASS application memory using the mimikatz technique.

The credentials are then reported to C2. Lastly, it uses the EternalRomance exploit to spread via the SMBv1 network share.

These steps are summarized in the diagram below:

 

Figure 12 – Steps to grab a user’s credentials as executed by the “tabDll” module

The obfuscation level decreased when a botnet operator used a random key for string encryption algorithm. We encountered such a case with a low obfuscation level when the string “GetCurrentProcess” became easily readable:

Figure 13 – Low level of obfuscation

Another example below:

Figure 14 – No key is used for the obfuscation

In this case, no key is used for decryption. However, these cases remain rare throughout the modules and samples.

pwgrabc module

The pwgrabc is a credential stealer for various applications. This is the full list of targeted applications:

  • Chrome
  • ChromeBeta
  • Edge
  • EdgeBeta
  • Firefox
  • Internet Explorer
  • Outlook
  • Filezilla
  • WinSCP
  • VNC
  • RDP
  • Putty,
  • TeamViewer
  • Precious
  • Git
  • OpenVPN
  • OpenSSH
  • KeePass
  • AnyConnect
  • RDCMan

Conclusion

Based on our technical analysis, we can see that Trickbot authors have the skills to approach the malware development from a very low level and pay attention to small details. Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage.

Meanwhile, from our previous research, we know that the operators behind the infrastructure are very experienced with malware development on a high level as well.

The combination of these two factors has already led to more than 140,000 infected victims after the takedown, several 1st place rankings in top malware prevalence lists, and collaboration with Emotet – all within a year.

Trickbot remains a dangerous threat that we will continue to monitor, along with other malware families.

 

Check Point Protections

Check Point Provides Zero-Day Protection across Its Network, Cloud, Users and Access Security Solutions. Whether you’re in the cloud, the data center, or both, Check Point’s Network Security solutions simplify your security without impacting network performance, provide a unified approach for streamlined operations, and enable you to scale for continued business growth. Quantum provides the best zero-day protection while reducing security overhead. 

Check Point Harmony Network Protections:

Trojan-Banker.Win32.TrickBot

Threat Emulation protections:

Banker.Win32.Trickbot.TC
Trickbot.TC
Botnet.Win32.Emotet.TC.*
Emotet.TC.*
TS_Worm.Win32.Emotet.TC.*
Trojan.Win32.Emotet.TC.*

 

Appendix – The list of targeted companies (via web-injects)

Company Field
Amazon E-commerce
AmericanExpress Credit Card Service
AmeriTrade Financial Services
AOL Online service provider
Associated Banc-Corp Bank Holding
BancorpSouth Bank
Bank of Montreal Investment Banking
Barclays Bank Delaware Bank
Blockchain.com Cryptocurrency Financial Services
Canadian Imperial Bank of Commerce Financial Services
Capital One Bank Holding
Card Center Direct Digital Banking
Centennial Bank Bank Holding
Chase Consumer Banking
Citi Financial Services
Citibank Digital Banking
Citizens Financial Group Bank
Coamerica Financial Services
Columbia Bank Bank
Desjardins Group Financial Services
E-Trade Financial Services
Fidelity Financial Services
Fifth Third Bank
FundsXpress IT Service Management
Google Technology
GoToMyCard Financial Services
HawaiiUSA Federal Credit Union Credit Union
Huntington Bancshares Bank Holding
Huntington Bank Bank Holding
Interactive Brokers Financial Services
JPMorgan Chase Investment Banking
KeyBank Bank
LexisNexis Data mining
M&T Bank Bank
Microsoft Technology
Navy Federal Credit Union
paypal Financial Technology
PNC Bank Bank
RBC Bank Bank
Robinhood Stock Trading
Royal Bank of Canada Financial Services
Schwab Financial Services
Scotiabank Canada Bank
SunTrust Bank Bank Holding
Synchrony Financial Services
Synovus Financial Services
T. Rowe Price Investment Management
TD Bank Bank
TD Commercial Banking Financial Services
TIAA Insurance
Truist Financial Bank Holding
U.S. Bancorp Bank Holding
UnionBank Commercial Banking
USAA Financial Services
Vanguard Investment Management
Wells Fargo Financial Services
Yahoo Technology
ZoomInfo Software as a service

IOCs

myca.adprimblox.fun
akama.pocanomics.com
524A79E37F6B02741A7B6A429EBC2E33306068BDC55A00222B6C162F396E2736