Goal: Reverse the latest Trickbot’s module called “testnewinj32Dll” and its methods to steal authentication banking data via methods known as webinjects, web fakes, and redirection attacks.
Source (already decoded modules):
- injectDll32.dll (C546D40D411D0F0BB7A1C9986878F231342CDF8B)
- rtlbrokerDll.dll (0785D0C5600D9C096B75CC4465BE79D456F60594
- testnewinj32Dll.dll (D5F98BFF5E33A86B213E05344BD402350FC5F7CD)
PDB:
F:\Projects\browsers_engine\Callback\Builds\Bin\x86\Release_nologs\rtbroker_dll.pdb
Background
While analyzing one of the latest Trickbot group tag “mac1” email spam campaign (subject: “Emailed Invoice – {rand}”) with @James_inthe_box, identified a newly deployed “testwebinj32Dll,” which was meant to substitute the previous “inject32Dll” module.
The new decoded module contains four usual Trickbot exported functions:
- Start
- Control
- FreeBuffer
- Release
The observed Trickbot main config module was as follows:
<mcconf>
<ver>1000047</ver>
<gtag>mac1</gtag>
<servs>
<srv>91.83.88[.]51:449</srv>
<srv>193.19.118[.]207:443</srv>
<srv>185.15.245[.]102:443</srv>
<srv>185.15.245[.]103:443</srv>
<srv>199.48.160[.]60:443</srv>
<srv>195.133.48[.]80:443</srv>
<srv>147.135.196[.]128:443</srv>
<srv>194.87.95[.]120:443</srv>
<srv>194.87.99[.]62:443</srv>
<srv>194.87.239[.]114:443</srv>
<srv>94.242.224[.]218:443</srv>
<srv>195.133.147[.]135:443</srv>
<srv>185.158.113[.]62:443</srv>
<srv>194.87.146[.]180:443</srv>
<srv>194.87.99[.]220:443</srv>
<srv>194.87.95[.]122:443</srv>
<srv>194.87.111[.]6:443</srv>
<srv>195.133.197[.]187:443</srv>
<srv>194.87.99[.]210:443</srv>
<srv>169.239.129[.]42:443</srv>
<srv>178.156.202[.]97:443</srv>
</servs>
<autorun>
<module name=“systeminfo” ctl=“GetSystemInfo” />
<module name=“testnewinj3Dll” />
</autorun>
</mcconf>
If we compare the older “inject32Dll” and “newtestinj32Dll,” we observe the new added functions targeting Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge.
The new observed methods in the testnewinj3Dll module are as follows:
I. Internet Explorer browser credential grabber
Obtains login data from from Internet Explorer in from the registry key HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 based on the key Microsoft_WinInet_ (format: %2.2X)
II. Google Chrome browser credential grabber
Obtains login data from Google Chrome browser in %APPDATA%\Google\Chrome\User Data\Default:
\Login Data.bak:
select origin_url, username_value, password_value, length(password_value) from logins where blacklisted_by_user = 0
\History:
select u.url,v.visit_time from visits as v join urls as u on u.id = v.url
III. Microsoft Edge browser credential grabber
Obtains login data from the latest Windows 10 using native undocumented functions of Windows Vault API to enumerate and extract credentials stored by Microsoft Windows Vault.
IV. Mozilla Firefox browser credential grabber
Obtains Mozilla Firefox credentials in %APPDATA%\Mozilla\Firefox\Profiles:
\logins.json:
- “hostname”:"
- “encryptedUse:”
- “rname”:"
- “encryptedPassword”:"
\places.sqlite:
- select url, last_visit_date from moz_places where last_visit_date > 0 order by last_visit_date desc
Primer on Trickbot Injects
Trickbot targets the following processes:
- chrome.exe
- iexplore.exe
- firefox.exe
- microsoftedgecp.exe
- runtimebroker.exe
Trickbot’s reflective injection works as follows:
- Open target process and allocate memory address in remote process via VirtualAllocEx
- Copy function WriteProcessMemory into the allocated memory space
- Copy shellcode WriteProcessMemoryinto the allocated memory space
- Call FlushInstructionCache API to make sure our changes are written right away
- Call inject RemoteThread functioncall
- Call ResumeThread
- Else, call undocumented API function RtlCreateUserThreadto start execution in the remote process, using the offset address of the reflective loader function as the entry point
Hooks Internet Explorer and Microsoft Edge in wininet.dll library API calls:
- HttpSendRequestA
- HttpSendRequestW
- HttpSendRequestExA
- HttpSendRequestExW
- InternetCloseHandle
- InternetReadFile
- InternetReadFileExA
- InternetQueryDataAvailable
- HttpQueryInfoA
- InternetWriteFile
- HttpEndRequestA
- HttpEndRequestW
- InternetQueryOptionA
- InternetQueryOptionW
- InternetSetOptionA
- InternetSetOptionW
- HttpOpenRequestA
- HttpOpenRequestW
- InternetConnectA
- InternetConnectW
Hooks Mozilla Firefox Browser in nspr4.dll library API calls:
- PR_OpenTCPSocket
- PR_Connect
- PR_Close
- PR_Write
- PR_Read
Hooks Chrome in chrome.dll library API calls:
- ssl_read
- ssl_write
Template webinject configuration in XML format is as follows:
<moduleconfig>
<autostart>yes</autostart>
<sys>yes</sys>
<needinfo name=“id”/>
<needinfo name=“ip”/>
<autoconf>
<conf ctl=“dinj” file=“dinj” period=“20”/>
<conf ctl=“sinj” file=“sinj” period=“20”/>
<conf ctl=“dpost” file=“dpost” period=“60”/>
</autoconf>
</moduleconfig>
Since Windows 10 comes with a new browser, “Microsoft Edge,” Trickbot operators need their banking Trojan to operate on that software. To implement form grabbing and webinjections in the Windows 10 Edge browser, Trickbot’s rogue rtlbroker hooks the microsoftedgecp.exe process. Normally, runtimebroker.exe is the parent process of the Microsoft Edge browser on Windows 10 machines.
The following four API calls being hooked are in child Microsoft Edge via rogue rtlbroker.dll allowing Trickbot operators to intercept and manipulate Microsoft Edge calls:
- CreateProcess
- CreateProcessW
- CreateProcessAsUserA
- CreateProcessAsUserW
Article Link: http://www.vkremez.com/2017/09/lets-learn-trickbot-banking-trojan-adds.html