There has been various coverage recently regarding newly identified Trickbot samples found in the wild. A recent sample identified by TAU includes additional techniques that leverage LOLBins, which Trickbot uses to enumerate the network environment and to dump the local Microsoft Extensible Storage Engine (ESE) database. It is believed that this particular sample behaved in such a way for only a brief period of time, with a specific Trickbot configuration loaded, before further evolving to omit these techniques. As such, it is worth noting the observed behaviours from this sample in case they happen to resurface in the future.
Behavioral Summary
As discussed in an earlier TAU-TIN, Trickbot is a banking trojan that has been around for some time, and it continues to evolve frequently enough for it to still be considered a serious threat.
The TTPs for the particular sample discussed in this report are displayed within CB Defense as shown below.
Details
When the initial sample is executed, it starts by writing out the same binary to "C:\ProgramData\лпорпароаыв.exe". A number of commands are then systematically run to stop and disable Windows Defender, as shown in the table below.

| Command | Description |
|---|---|
| "C:\Windows\System32\cmd.exe" /c sc stop WinDefend | Stops Windows Defender |
| "C:\Windows\System32\cmd.exe" /c sc delete WinDefend | Deletes Windows Defender |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true | Disables Realtime Monitoring |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true | Disables Behaviour Monitoring |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true | Disables Block at First Seen |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true | Disables IOAV Protection |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true | Disables Privacy Mode |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6 | Sets auto remediation action to allow |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true | Disables Intrusion Prevention System |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6 | Sets auto remediation action to allow |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6 | Sets auto remediation action to allow |
| "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true | Disables Script Scanning |
Further details regarding the above Windows Defender settings can be found here and here.
A copy of the same binary is then written to "C:\Users\<user>\AppData\Roaming\mslibrary\лпорпароаыв.exe". The binary is then injected into svchost.exe, and a file containing the configuration for a scheduled task is written to the Windows Tasks folder as "C:\Windows\System32\Tasks\Ms dll libraries". The task is created for persistence upon reboot, and it also has a delayed start time of 9 minutes from the first run time. After that time has elapsed, further svchost.exe processes are injected into, and connections are made to two remote C2 IP addresses based on the Trickbot config used during the original detonation. After the sample was run, one particular instance of svchost made a total of 276 connections to various C2 IP addresses. Note that detonating the same sample again will result in many newer remote C2 IP addresses, which use a combination of TCP ports 443 and 449.
One of the injected svchost processes is responsible for the execution of various LOLBins to perform enumeration of the network, as shown in the table below.

| Windows LOLBin | Description |
|---|---|
| ipconfig /all | Displays all TCP/IP network configuration values |
| net config workstation | Displays current settings of the Workstation service |
| net view /all | Displays computers in the network |
| net view /all /domain | Displays computers in the domain |
| nltest /domain_trusts | Returns a list of trusted domains |
| nltest /domain_trusts /all_trusts | Returns all trusted domains |

The process diagram from CB ThreatHunter shows the LOLBins used to enumerate the network environment.
A separate svchost process is responsible for proxying Edge, Internet Explorer and Firefox browser connections with the following commands: cmd.exe /c "start microsoft-edge:http://127.0.0.1:53173/14933", cmd.exe /c "start microsoft-edge:http://127.0.0.1:53173/31091", "C:\Program Files\Mozilla Firefox/firefox.exe" http://127.0.0.1:53181/15207 and "C:\Program Files/internet explorer/iexplore.exe" http://127.0.0.1:53234/15246. This is carried out by an HTML/JavaScript file which is used to gather information pertaining to browser configurations, which is then sent back to the C2. A snippet of the JavaScript is shown below.
Next, the file "c:\users\<user>\appdata\roaming\mslibrary\grabber_temp.integ.raw" is created. The LOLBin command "esentutl /p /o C:\Users\<user>\AppData\Local\Temp\grabber_temp.edb" is then executed, which attempts a repair of the ESE database and dumps a copy of it into the Trickbot directory. Whether this was deliberate or not remains to be seen, but the usage of esentutl is worth noting for possible future campaigns.
The process diagram below shows the browser stealer functionality as well as the LOLBin esentutl, which all run under a different svchost process.
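As an added illustration, not code from the report or from Carbon Black, the following Python detector covers the three behaviours described above in one pass: the Windows Defender tampering commands, the burst of network-enumeration LOLBins spawned by an injected svchost.exe, and the esentutl repair of a database under a user profile. It runs over constructed Sysmon-style process-creation events; the field names, the user name and the benign explorer.exe event are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation events, not real telemetry. The
# svchost.exe parent is the anomaly: Trickbot runs these from injected svchost.
SVCHOST = r"C:\Windows\System32\svchost.exe"
EVENTS: List[Dict[str, str]] = [
    {"parent": SVCHOST, "cmd": r'"C:\Windows\System32\cmd.exe" /c sc stop WinDefend'},
    {"parent": SVCHOST, "cmd": r'"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true'},
    {"parent": SVCHOST, "cmd": r'"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6'},
    {"parent": SVCHOST, "cmd": "ipconfig /all"},
    {"parent": SVCHOST, "cmd": "net view /all /domain"},
    {"parent": SVCHOST, "cmd": "nltest /domain_trusts /all_trusts"},
    {"parent": SVCHOST, "cmd": r"esentutl /p /o C:\Users\bob\AppData\Local\Temp\grabber_temp.edb"},
    {"parent": r"C:\Windows\explorer.exe", "cmd": "ipconfig /all"},  # an admin at a prompt
]

# Rule 1: Defender tampering via sc or Set-MpPreference (the table above).
DEFENDER_TAMPER = re.compile(
    r"sc(\.exe)?\s+(stop|delete)\s+WinDefend"
    r"|Set-MpPreference\s+-Disable\w+\s+\$true"
    r"|Set-MpPreference\s+-(Severe|Low|Moderate)ThreatDefaultAction\s+6", re.I)
# Rule 2: esentutl repair (/p) of a database under a user profile path.
ESENTUTL_REPAIR = re.compile(r"esentutl(\.exe)?\s+/p\b.*\\AppData\\", re.I)
# Rule 3: the network-enumeration LOLBins from the report, counted per parent.
RECON = re.compile(r"^(ipconfig\s+/all|net\s+config\s+workstation|net\s+view|nltest\s+/domain_trusts)", re.I)

def classify(event: Dict[str, str]) -> Optional[str]:
    """Rule name an event trips on its own, or None."""
    cmd = event["cmd"]
    if DEFENDER_TAMPER.search(cmd):
        return "defender_tamper"
    if ESENTUTL_REPAIR.search(cmd):
        return "esentutl_repair"
    return None

def recon_bursts(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Parents that spawned at least `threshold` distinct recon LOLBins. One
    ipconfig from explorer.exe stays under the bar; the injected svchost does not."""
    seen: Dict[str, set] = defaultdict(set)
    for ev in events:
        m = RECON.match(ev["cmd"].strip())
        if m:
            seen[ev["parent"].lower()].add(m.group(1).lower())
    return {p: len(c) for p, c in seen.items() if len(c) >= threshold}
```

Keying the burst on the parent process rather than on any single command is what keeps a lone ipconfig from an administrator's prompt out of the alert.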
Remediation:
MITRE ATT&CK TIDs

| TID | Tactic | Description |
|---|---|---|
| T1053 | Execution, Persistence, Privilege Escalation | Scheduled Task |
| T1059 | Execution | Command-line Interface |
| T1086 | Execution | PowerShell |
| T1106 | Execution | Execution through API |
| T1064 | Defense Evasion, Execution | Scripting |
| T1088 | Defense Evasion, Privilege Escalation | Bypass User Account Control |
| T1089 | Defense Evasion | Disabling Security Tools |
| T1003 | Credential Access | Credential Dumping |
| T1007 | Discovery | System Service Discovery |
| T1016 | Discovery | System Network Configuration Discovery |
| T1018 | Discovery | Remote System Discovery |
| T1185 | Collection | Man in the Browser |
Indicators of Compromise (IOCs)

| Indicator | Type | Context |
|---|---|---|
| 8a74e2b8f0511a2578cbe35120d2a9922f25f5899898b5e9c98d974e6c100d01 | SHA256 | Trickbot |
| 061bbcf81b8dfad43e999cb03d768816 | MD5 | Trickbot |
| 170.238.117.187 | TCP/8082 | C2 |
| 186.10.243.70 | TCP/8082 | C2 |
The post CB TAU Threat Intelligence Notification: Trickbot Banking Trojan Continues to Evolve appeared first on Carbon Black.
Article Link: https://www.carbonblack.com/2019/08/16/cb-tau-threat-intelligence-notification-trickbot-banking-trojan-continues-to-evolve/