Trickbot Malware Review
Technical Details
TrickBot is an advanced Trojan dating back to 2016 that malicious actors spread primarily by spearphishing campaigns using tailored emails that contain malicious attachments or links.
CISA has drawn attention to this and, as of March 17th 2022, they are aware of recent attacks that use phishing emails. The phishing emails contain links that redirect the victim to a website hosted on a compromised server. The user is prompted to verify a photo, which downloads a malicious JavaScript file. My understanding is you still need to open the malicious payload, which then automatically establishes command and control to the Trickbot network.
From here attackers can use TrickBot to drop Ryuk or Conti ransomware, or it can even serve as an Emotet downloader. Keep in mind Trickbot serves as a vehicle to install exfiltration tools and man-in-the-browser tools; essentially it is a Swiss army knife for Ransomware as a Service.
Interesting read from 2020, when Microsoft started to disrupt the Trickbot network:
- https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/
The Microsoft Security team has also recently written about disrupting the Trickbot network, which resulted in new tactics where MikroTik routers are infected. The routers then act as proxy servers for the C2 servers, creating a layer of insulation that protects those C2 servers.
The attackers then issue a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2. MikroTik devices have unique hardware and software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise in RouterOS SSH shell commands. We uncovered this attacker method by tracking traffic containing these SSH shell commands.
We know Trickbot often uses port 449 and then relays off compromised devices, as illustrated below.
Indicators of Compromise
- Port 449 Outbound Stream and/or C2 beacon
- Port 447 Outbound Stream and/or C2 beacon
- Port 443 Outbound Stream and/or C2 beacon
Suricata rule examples from my notes; you can also find more Suricata rules in the CISA article.
# Trickbot
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TROJAN Win32/Trickbot Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"name=\"proclist\"";content:"svchost.exe";content:"name=\"sysinfo\"";content:"ipconfig";content:"net view /all";content:"nltest";distance:0; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:trojan-activity; sid:1001001;rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TROJAN Win32/Trickbot Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/yas8/";http_uri;content:"User-Agent|3a 20|Winhttp 1/0"; http_header; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:trojan-activity; sid:1001002;rev:1; )
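The Suricata rules above key on HTTP content; the port indicators are easier to hunt for in flow logs. As an added example (my own code, not from the original notes, CISA or Microsoft), the check below applies those ports to a constructed Zeek-style conn log and only flags internal-to-external flows whose inter-arrival times are regular, which is what separates a C2 check-in on 443 from ordinary browsing. The log format, the internal ranges and the jitter threshold are assumptions.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

TRICKBOT_PORTS = {449, 447, 443}           # outbound C2 ports listed on this page
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Zeek-style conn.log excerpt (ts, src, dst, dport): 10.0.0.5 checks in
# to 203.0.113.7:449 about every 60 s, 10.0.0.9 makes irregular HTTPS connections.
SAMPLE_LOG = """\
1647500000.0\t10.0.0.5\t203.0.113.7\t449
1647500060.2\t10.0.0.5\t203.0.113.7\t449
1647500119.9\t10.0.0.5\t203.0.113.7\t449
1647500180.4\t10.0.0.5\t203.0.113.7\t449
1647500240.1\t10.0.0.5\t203.0.113.7\t449
1647500005.0\t10.0.0.9\t198.51.100.20\t443
1647500007.0\t10.0.0.9\t198.51.100.20\t443
1647500300.0\t10.0.0.9\t198.51.100.20\t443
1647500900.0\t10.0.0.9\t198.51.100.20\t443
"""

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def parse(log_text):
    """Yield (ts, src, dst, dport) from tab-separated lines."""
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split("\t")
        yield float(ts), src, dst, int(dport)

def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return {(src, dst, dport): period} for internal->external flows on TrickBot
    ports whose inter-arrival times are regular (pstdev/mean <= max_jitter).
    Port 443 alone is noisy; the regularity test separates a check-in from browsing."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse(log_text):
        if dport in TRICKBOT_PORTS and is_internal(src) and not is_internal(dst):
            flows[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean, 1)
    return beacons
```

Tune `min_hits` and `max_jitter` to your environment; a single 449 connection is still worth an alert on its own given how rarely that port is legitimate.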
MikroTik Mitigations
- Using default MikroTik passwords.
- Launching brute force attacks. In other words, monitor your devices with a SOC and/or SIEM.
- Exploiting CVE-2018-14847 on devices with RouterOS versions older than 6.42. This vulnerability gives the attacker the ability to read arbitrary files like user.dat, which contains passwords.
Historical Trickbot Commands
Trickbot is often seen with Cobalt Strike, and you will see the standard recon, which I have provided from older research samples from 2021.
The threat actors ran the AdFind utility for domain discovery.
C:\Windows\system32\cmd.exe /C adfind.exe -gcb -sc trustdmp > trustdmp.txt
C:\Windows\system32\cmd.exe /C adfind.exe -f "(objectcategory=group)" > ad_group.txt
C:\Windows\system32\cmd.exe /C adfind.exe -subnets -f (objectCategory=subnet)> subnets.txt
C:\Windows\system32\cmd.exe /C adfind.exe -sc trustdmp > trustdmp.txt
C:\Windows\system32\cmd.exe /C adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
C:\Windows\system32\cmd.exe /C adfind.exe -f "objectcategory=computer" > ad_computers.txt
C:\Windows\system32\cmd.exe /C adfind.exe -f "(objectcategory=person)" > ad_users.txt
The following net commands were used by the threat actor.
net user
net group "domain admins" /domain
net group "enterprise admins" /domain
While on systems, we also saw them use the following commands.
systeminfo
ipconfig
The following Nltest commands were executed several times by the threat actors over the course of the intrusion.
C:\Windows\system32\cmd.exe /C nltest /dclist:"DOMAINNAME"
C:\Windows\system32\cmd.exe /C nltest /domain_trusts /all_trusts
The ping command was then used to test connectivity to the domain controllers and other systems.
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:57637/'); Get-NetComputer -ping -operatingsystem *server*
Bloodhound was run for domain attack path enumeration.
[Original] powershell -nop -exec bypass -EncodedCommand (base64 code here) [Decoded] IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:13875/'); Invoke-BloodHound -CollectionMethods all
The following PowerView commands were also seen invoked by the threat actors for discovery.
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:35248/'); Get-NetComputer -operatingsystem *server*
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:42680/'); Invoke-UserHunter -username actual_user_name
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:24774/'); Get-NetSession -computername actual_computer_name
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:20744/'); Get-NetRDPSession -computername actual_computer_name
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:42762/'); Find-LocalAdminAccess
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:57637/'); Get-NetComputer -ping -operatingsystem *server*
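The commands above are a useful hunting list in their own right. As an added example (my own code, not from the original notes or the 2021 report), the script below matches process-creation command lines against them, decodes a `-EncodedCommand` payload first so the BloodHound case is caught in its decoded form, and tags each hit with an ATT&CK ID from the tables further down. The page states nltest maps to T1482; the other command-to-ID pairings and the sample events are my assumptions.

```python
import base64
import re

# Patterns derived from the commands on this page. IDs come from the page's
# ATT&CK tables; the page states nltest -> T1482, the other pairings are my
# assumption, and TA0007 tags PowerView/BloodHound as generic Discovery.
DISCOVERY_PATTERNS = [
    (r"\badfind(\.exe)?\b.*(objectcategory=computer|-subnets)", "T1018", "AdFind host/subnet enumeration"),
    (r"\badfind(\.exe)?\b.*\btrustdmp\b", "T1482", "AdFind trust dump"),
    (r"\badfind(\.exe)?\b.*objectcategory=(group|person|organizationalunit)", "T1087", "AdFind user/group/OU enumeration"),
    (r"\bnltest\b.*(/dclist:|/domain_trusts)", "T1482", "Nltest DC list / domain trusts"),
    (r"\bnet\s+group\s+\"?(domain|enterprise) admins\"?\s+/domain", "T1069", "net group admin enumeration"),
    (r"^\s*systeminfo\s*$", "T1082", "systeminfo"),
    (r"^\s*ipconfig\b", "T1016", "ipconfig"),
    (r"\b(Invoke-BloodHound|Get-NetComputer|Invoke-UserHunter|Get-NetSession|Get-NetRDPSession|Find-LocalAdminAccess)\b", "TA0007", "BloodHound/PowerView discovery"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), tid, desc) for p, tid, desc in DISCOVERY_PATTERNS]
ENCODED = re.compile(r"-(?:EncodedCommand|enc|ec)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    patterns see the real command, as in the [Original]/[Decoded] pair above."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def scan(events):
    """events: iterable of (host, cmdline). Returns sorted (host, id, desc) hits."""
    hits = set()
    for host, cmdline in events:
        text = expand_encoded(cmdline)
        for rx, tid, desc in COMPILED:
            if rx.search(text):
                hits.add((host, tid, desc))
    return sorted(hits)

# Constructed sample events (not from a real incident); the encoded command is
# built here from its decoded form rather than copied from any real sample.
_decoded = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:13875/'); Invoke-BloodHound -CollectionMethods all"
SAMPLE_EVENTS = [
    ("WS01", "C:\\Windows\\system32\\cmd.exe /C nltest /domain_trusts /all_trusts"),
    ("WS01", 'C:\\Windows\\system32\\cmd.exe /C adfind.exe -f "objectcategory=computer" > ad_computers.txt'),
    ("WS01", 'net group "domain admins" /domain'),
    ("WS02", "powershell -nop -exec bypass -EncodedCommand " + base64.b64encode(_decoded.encode("utf-16le")).decode()),
    ("WS03", "ipconfig /all"),
    ("WS03", "notepad.exe report.txt"),
]
```

Feed it Sysmon Event ID 1 or EDR process-creation command lines; several distinct IDs from one host inside a short window is the pattern worth escalating.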
MITRE ATT&CK Techniques
Initial Access [TA0001]
Technique Title | ID | Use |
---|---|---|
Phishing: Spearphishing Attachment | T1566.001 | TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware. |
Phishing: Spearphishing Link | T1566.002 | TrickBot has been delivered via malicious links in phishing emails. |
Execution [TA0002]
Technique Title | ID | Use |
---|---|---|
Scheduled Task/Job: Scheduled Task | T1053.005 | TrickBot creates a scheduled task on the system that provides persistence. |
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine. |
Command and Scripting Interpreter: JavaScript/JScript | T1059.007 | TrickBot victims unknowingly download a malicious JavaScript file that, when opened, automatically communicates with the malicious actor’s C2 server to download TrickBot to the victim’s system. |
Native API | T1106 | TrickBot uses the Windows Application Programming Interface (API) call, CreateProcessW(), to manage execution flow. |
User Execution: Malicious Link | T1204.001 | TrickBot has sent spearphishing emails in an attempt to lure users to click on a malicious link. |
User Execution: Malicious File | T1204.002 | TrickBot has attempted to get users to launch malicious documents to deliver its payload. |
Persistence [TA0003]
Technique Title | ID | Use |
---|---|---|
Scheduled Task/Job: Scheduled Task | T1053.005 | TrickBot creates a scheduled task on the system that provides persistence. |
Create or Modify System Process: Windows Service | T1543.003 | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. |
Privilege Escalation [TA0004]
Technique Title | ID | Use |
---|---|---|
Scheduled Task/Job: Scheduled Task | T1053.005 | TrickBot creates a scheduled task on the system that provides persistence. |
Process Injection: Process Hollowing | T1055.012 | TrickBot injects into the svchost.exe process. |
Create or Modify System Process: Windows Service | T1543.003 | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. |
Defense Evasion [TA0005]
Technique Title | ID | Use |
---|---|---|
Obfuscated Files or Information | T1027 | TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files. |
Obfuscated Files or Information: Software Packing | T1027.002 | TrickBot leverages a custom packer to obfuscate its functionality. |
Masquerading | T1036 | The TrickBot downloader has used an icon to appear as a Microsoft Word document. |
Process Injection: Process Hollowing | T1055.012 | TrickBot injects into the svchost.exe process. |
Modify Registry | T1112 | TrickBot can modify registry entries. |
Deobfuscate/Decode Files or Information | T1140 | TrickBot decodes the configuration data and modules. |
Subvert Trust Controls: Code Signing | T1553.002 | TrickBot has come with a signed downloader component. |
Impair Defenses: Disable or Modify Tools | T1562.001 | TrickBot can disable Windows Defender. |
Credential Access [TA0006]
Technique Title | ID | Use |
---|---|---|
Input Capture: Credential API Hooking | T1056.004 | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API. |
Unsecured Credentials: Credentials in Files | T1552.001 | TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the .vnc.lnk affix to steal VNC credentials. |
Unsecured Credentials: Credentials in Registry | T1552.002 | TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\Putty\Sessions registry key. |
Credentials from Password Stores | T1555 | TrickBot can steal passwords from the KeePass open-source password manager. |
Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl. |
Discovery [TA0007]
Technique Title | ID | Use |
---|---|---|
System Service Discovery | T1007 | TrickBot collects a list of installed programs and services on the victim’s machine. |
System Network Configuration Discovery | T1016 | TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine. |
Remote System Discovery | T1018 | TrickBot can enumerate computers and network devices. |
System Owner/User Discovery | T1033 | TrickBot can identify the user and groups the user belongs to on a compromised host. |
Permission Groups Discovery | T1069 | TrickBot can identify the groups the user on a compromised host belongs to. |
System Information Discovery | T1082 | TrickBot gathers the OS version, machine name, CPU type, amount of RAM available from the victim’s machine. |
File and Directory Discovery | T1083 | TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information. |
Account Discovery: Local Account | T1087.001 | TrickBot collects the users of the system. |
Account Discovery: Email Account | T1087.003 | TrickBot collects email addresses from Outlook. |
Domain Trust Discovery | T1482 | TrickBot can gather information about domain trusts by utilizing Nltest. |
Lateral Movement [TA0008]
Technique Title | ID | Use |
---|---|---|
Lateral Tool Transfer | T1570 | Some TrickBot modules spread the malware laterally across a network by abusing the SMB Protocol. |
Collection [TA0009]
Technique Title | ID | Use |
---|---|---|
Data from Local System | T1005 | TrickBot collects local files and information from the victim’s local machine. |
Input Capture: Credential API Hooking | T1056.004 | TrickBot has the ability to capture Remote Desktop Protocol credentials by capturing the CredEnumerateA API. |
Person in the Browser | T1185 | TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified webpage. |
Command and Control [TA0011]
Technique Title | ID | Use |
---|---|---|
Fallback Channels | T1008 | TrickBot can use secondary command and control (C2) servers for communication after establishing connectivity and relaying victim information to primary C2 servers. |
Application Layer Protocol: Web Protocols | T1071.001 | TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files. |
Ingress Tool Transfer | T1105 | TrickBot downloads several additional files and saves them to the victim’s machine. |
Data Encoding: Standard Encoding | T1132.001 | TrickBot can Base64-encode C2 commands. |
Non-Standard Port | T1571 | Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. |
Encrypted Channel: Symmetric Cryptography | T1573.001 | TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic. |
Exfiltration [TA0010]
Technique Title | ID | Use |
---|---|---|
Exfiltration Over C2 Channel | T1041 | TrickBot can send information about the compromised host to a hardcoded C2 server. |
Impact [TA0040]
Technique Title | ID | Use |
---|---|---|
Resource Hijacking | T1496 | TrickBot actors can leverage the resources of co-opted systems for cryptomining to validate transactions of cryptocurrency networks and earn virtual currency. |
Reference Links
- https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/
- https://www.cisa.gov/uscert/ncas/alerts/aa21-076a