![\"\"](\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2020\/10\/Figure-1.-Worldwide-Trickbot-detections-between-October-2019-and-Octber-2020.png\")
<\/figure>\n\n\n\nFigure 1. Worldwide Trickbot detections between October 2019 and October 2020<\/em><\/p>\n\n\n\n Throughout its existence, Trickbot malware has been distributed in a number of ways. Recently, a chain we observed frequently is Trickbot being dropped on systems already compromised by Emotet, another large botnet. In the past, Trickbot malware was leveraged by its operators mostly as a banking trojan, stealing credentials from online bank accounts and trying to perform fraudulent transfers.<\/p>\n\n\n\n Trickbot\u2019s modular architecture allows it to perform a vast array of malicious actions using a variety of plugins. It can steal all kinds of credentials from a compromised computer and, more recently, has been observed mostly as a delivery mechanism for more damaging attacks, such as ransomware.<\/p>\n\n\n\n One of the oldest plugins developed for the platform allows Trickbot to use web injects<\/a>, a technique allowing the malware to dynamically change what the user of a compromised system sees when visiting specific websites. To operate, this plugin relies on configuration files downloaded by the main module. These contain information about which websites should be modified and how. Figure 2 shows an excerpt of one such decrypted configuration file containing targeted URLs and the malicious C&C URLs the bot should contact upon the victim accessing the targeted URLs.<\/p>\n\n\n\n Figure 2. Excerpt of a decrypted dinj configuration file (redacted)<\/em><\/p>\n\n\n\n Through our monitoring of Trickbot campaigns, we collected tens of thousands of different configuration files, allowing us to know which websites were targeted by Trickbot\u2019s operators. Figure 3 shows the number of websites extracted from configuration files in 2020.<\/a><\/p>\n\n\n\n <\/a>Figure 3. Number of targeted websites in 2020<\/em><\/p>\n\n\n\n These targeted URLs mostly belong to financial institutions. There is a sharp drop in the number of targets found in these configuration files starting in March. This coincides with the moment when Trickbot operators dropped the webinject module from the list of default plugins downloaded automatically by the main module \u2014 this is why we have no data in March; we had to adjust our processes to maintain visibility on the targeted URLs. This drop in number of targets is likely due to the Trickbot gang starting to focus on another means of monetization during that time frame: ransomware.<\/p>\n\n\n\n In these cases, a Trickbot compromise is first leveraged to perform reconnaissance and lateral movement in an organization\u2019s network and then to drop Ryuk ransomware on as many systems as possible. From the data we have collected, it appears that Trickbot\u2019s operators moved from attempting to steal money from bank accounts, to compromising a whole organization with Trickbot and then using it to execute Ryuk and demand a ransom to unlock the affected systems.<\/p>\n\n\n\n We also observed new malware development projects allegedly coming from Trickbot\u2019s operators, which might also explain their sudden disinterest in operating Trickbot as a banking trojan. One of these projects is the so-called Anchor<\/a> project, a platform mostly geared towards espionage rather than crimeware. They are also likely involved in the development of the Bazar<\/a> malware \u2014 a loader and backdoor used to deploy malware, such as ransomware, and to steal sensitive data from compromised systems.<\/p>\n\n\n\n What makes Trickbot so versatile is that its functionalities can be greatly extended with plugins. Throughout our tracking, we were able to collect and analyze 28 different plugins. Some are meant to harvest passwords from browsers, email clients and a variety of applications, while others can modify network traffic or self-propagate. Trickbot plugins are implemented as standard Windows DLLs, usually with at least these four distinctive exports: Start, Control, Release and FreeBuffer.<\/p>\n\n\n\n Interestingly, some have Rich headers<\/a> while some do not. Rich headers are an undocumented data structure added to all binaries built by Microsoft Visual Studio 97 SP3 or later. They contain information about the development environment where the executable was built. The fact that Rich headers are not always present in plugins \u2014 and that when they are present, they show different development environments \u2014 leads us to believe that these plugins were written by different developers.<\/p>\n\n\n\n We did not observe many different samples of the different plugins once they were developed and used in the wild. The ones that changed the most are those containing a static configuration file embedded in the binary. These static configuration files contain, among other things, C&C server information, so it is expected to see these change over time. Figure 4 displays the number of variations we saw for each module we collected through our botnet tracker platform. Most of the newer modules\u2019 variants come in pairs: about half of the collected modules were 32-bit versions, while the other half were the 64-bit versions. In the Appendix<\/em> you can find a brief description of each of these modules. Figure 4. Variant count for each Trickbot plugin<\/em><\/p>\n\n\n\n Although there are potentially many different downloaded configuration files present in a Trickbot installation, the main module contains an encrypted, hardcoded configuration. This contains a list of C&C servers as well as a default list of plugins that should be download.<\/p>\n\n\n\n As mentioned earlier, some plugins also rely on configuration files to operate properly. These plugins rely on the main module to download these configuration files from the C&C servers. Plugins achieve this by passing a small module configuration structure, stored in the plugin binary\u2019s overlay section, that lets the main module know what it should download.<\/p>\n\n\n\n Being able to gather these configuration files allowed us to map the network infrastructure of Trickbot. The main module uses its list of hardcoded C&C servers and connects to one of them to download a second list of C&C servers, the so-called psrv list. The main module contacts this second layer of C&C servers to download the default plugins specified in the hardcoded configuration file. Other modules can be downloaded later upon receiving a command to do so from the Trickbot operators. Some of the plugins, such as the injectDll plugin, for example, have their own C&C servers, which contain configuration files. Finally, there are dedicated C&C servers for plugins. The most prevalent of them are so-called dpost servers, used to exfiltrate stolen data such as credentials but, as detailed in the Appendix<\/em>, others exist. All these different layers make the disruption effort more challenging. Figure 5 illustrates this initial communication process.<\/a><\/p>\n\n\n\n Figure 5. Trickbot network communication process<\/em><\/p>\n\n\n\n We have been tracking these different C&C servers since early 2017. This knowledge was, of course, vital in the disruption effort, since we were able to contribute to mapping the network infrastructure used by the malicious actors.<\/p>\n\n\n\n Another interesting artifact we were able to gather through crawling this botnet is the unique identifier present in each Trickbot sample, the so-called gtag. This a string present in the initial hardcoded configuration file identifying different Trickbot campaigns or mode of compromise. For example, the mor campaigns are believed<\/a> to be Trickbot compromises due to Emotet. gtags can also sometimes indicate the target of a campaign. A good example is uk03-1, which predominantly targeted financial institutions in the United Kingdom.<\/p>\n\n\n\n Figure 6 presents a timeline of all gtags we extracted from Trickbot configuration files from September 2019 to September 2020. Looking at the mor group, we can see the abrupt stop of the Emotet campaigns in April 2020. There are also some groups that are used by specific modules. The tot, jim and lib groups are some of the most continuously seen gtags and are associated with the mshare, nworm\/mworm and tab modules respectively, according to a recent Unit42 blogpost<\/a>. As all of these are used for lateral movement, it is not surprising to see a mostly constant line in their timeline.<\/a><\/p>\n\n\n\n Figure 6. gtags group timeline<\/em><\/p>\n\n\n\n Trying to disrupt an elusive threat such as Trickbot is very challenging and complex. It has various fallback mechanisms and its interconnection with other highly active cybercriminal actors in the underground makes the overall operation extremely complex. We will continue to track this threat and assess the impact that such actions can have on such a sprawling botnet in the long run.<\/p>\n\n\n\n Special thanks to Jakub Tomanek, Jozef D\u00fac, Zolt\u00e1n Rusn\u00e1k and Filip Maz\u00e1n<\/em><\/p>\n\n\n\n Win32\/TrickBot Note: This table was built using <\/em>version 7<\/em><\/a> of the MITRE ATT&CK framework.<\/em><\/p>\n\n\n\n Microsoft blog post: https:\/\/blogs.microsoft.com\/on-the-issues\/?p=64132<\/a><\/p>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\nTrickbot deep dive<\/h2>\n\n\n\n
<\/a><\/p>\n\n\n\n<\/figure>\n\n\n\nConfiguration files for everyone<\/h3>\n\n\n\n
<\/figure>\n\n\n\n<\/figure>\n\n\n\nClosing remarks<\/h2>\n\n\n\n
ESET detection names<\/h2>\n\n\n\n
Win64\/TrickBot<\/p>\n\n\n\nMITRE ATT&CK techniques<\/h2>\n\n\n\n
Tactic<\/th> ID<\/th> Name<\/th> Description<\/th><\/tr><\/thead> Initial Access<\/td> T1566.001<\/a><\/td> Phishing: Spearphishing Attachment<\/td> Trickbot has used an email with an Excel sheet containing a malicious macro to deploy the malware.<\/td><\/tr> Execution<\/td> T1059.003<\/a><\/td> Command and Scripting Interpreter: Windows Command Shell<\/td> Trickbot has used cmd.exe \/c to download and deploy the malware on the user\u2019s machine.<\/td><\/tr> <\/td> T1059.005<\/a><\/td> Command and Scripting Interpreter: Visual Basic<\/td> Trickbot has used macros in Excel documents to download and deploy the malware on the user\u2019s machine.<\/td><\/tr> <\/td> T1106<\/a><\/td> Native API<\/td> Trickbot uses the Windows API CreateProcessW to manage execution flow.<\/td><\/tr> <\/td> T1204.002<\/a><\/td> User Execution: Malicious File<\/td> Trickbot has attempted to get users to launch a malicious Excel attachment to deliver its payload.<\/td><\/tr> <\/td> T1059.007<\/a><\/td> Command and Scripting Interpreter: JavaScript\/Jscript<\/td> Trickbot group used obfuscated JavaScript to download Trickbot loader.<\/td><\/tr> <\/td> T1559.001<\/a><\/td> Inter-Process Communication: Component Object Model<\/td> Trickbot used COM to setup scheduled task for persistence.<\/td><\/tr> Persistence<\/td> T1547.001<\/a><\/td> Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td> Trickbot establishes persistence in the Startup folder.<\/td><\/tr> <\/td> T1053.005<\/a><\/td> Scheduled Task\/Job: Scheduled Task<\/td> Trickbot creates a scheduled task on the system that provides persistence.<\/td><\/tr> Privilege Escalation<\/td> T1055.012<\/a><\/td> Process Injection: Process Hollowing<\/td> Trickbot injects into the svchost.exe process.<\/td><\/tr> Defense Evasion<\/td> T1140<\/a><\/td> Deobfuscate\/Decode Files or Information<\/td> Trickbot decodes its configuration data and modules.<\/td><\/tr> <\/td> T1562.001<\/a><\/td> Impair Defenses: Disable or Modify Tools<\/td> Trickbot can disable Windows Defender.<\/td><\/tr> <\/td> T1112<\/a><\/td> Modify Registry<\/td> Trickbot can modify registry entries.<\/td><\/tr> <\/td> T1027<\/a><\/td> Obfuscated Files or Information<\/td> Trickbot uses non-descriptive names to hide functionality and uses an AES-CBC (256 bits) encryption algorithm for its loader and configuration files.<\/td><\/tr> <\/td> T1027.002<\/a><\/td> Software Packing<\/td> Trickbot leverages a custom packer to obfuscate its functionality.<\/td><\/tr> <\/td> T1553<\/a><\/td> Subvert Trust Controls<\/td> Trickbot uses signed loaders with stolen valid certificates.<\/td><\/tr> Credential Access<\/td> T1555.003<\/a><\/td> Credentials from Password Stores: Credentials from Web Browsers<\/td> Trickbot can obtain passwords stored by web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge.<\/td><\/tr> <\/td> T1056.004<\/a><\/td> Input Capture: Credential API Hooking<\/td> Trickbot has the ability to capture RDP credentials by capturing the CredEnumerateA API.<\/td><\/tr> <\/td> T1552.001<\/a><\/td> Unsecured Credentials: Credentials In Files<\/td> Trickbot can obtain passwords stored by several applications such as Outlook, Filezilla, and WinSCP. Additionally, it searches for the .vnc.lnk suffix to steal VNC credentials.<\/td><\/tr> <\/td> T1552.002<\/a><\/td> Unsecured Credentials: Credentials in Registry<\/td> Trickbot can retrieve PuTTY credentials from the Software\\SimonTatham\\Putty\\Sessions registry key.<\/td><\/tr> <\/td> T1110<\/a><\/td> Brute Force<\/td> Trickbot uses brute-force attack against RDP with rdpscanDll module.<\/td><\/tr> Discovery<\/td> T1087.001<\/a><\/td> Account Discovery: Local Account<\/td> Trickbot collects the users of the system.<\/td><\/tr> <\/td> T1087.003<\/a><\/td> Account Discovery: Email Account<\/td> Trickbot collects email addresses from Outlook.<\/td><\/tr> <\/td> T1082<\/a><\/td> System Information Discovery<\/td> Trickbot gathers the OS version, CPU type, amount of RAM available from the victim\u2019s machine.<\/td><\/tr> <\/td> T1083<\/a><\/td> File and Directory Discovery<\/td> \n Trickbot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing\n history, cookies, and plugin information.\n <\/td><\/tr> <\/td> T1016<\/a><\/td> System Network Configuration Discovery<\/td> Trickbot obtains the IP address and other relevant network information from the victim\u2019s machine.<\/td><\/tr> <\/td> T1007<\/a><\/td> System Service Discovery<\/td> Trickbot collects a list of installed programs and services on the system\u2019s machine.<\/td><\/tr> <\/td> T1135<\/a><\/td> Network Share Discovery<\/td> Trickbot module shareDll\/mshareDll discovers network shares via the WNetOpenEnumA API.<\/td><\/tr> <\/td> T1057<\/a><\/td> Process Discovery<\/td> Trickbot uses module networkDll for process list discovery.<\/td><\/tr> Lateral Movement<\/td> T1210<\/a><\/td> Exploitation of Remote Services<\/td> Trickbot utilizes EthernalBlue and EthernalRomance exploits for lateral movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, tabDll.<\/td><\/tr> Collection<\/td> T1005<\/a><\/td> Data from Local System<\/td> Trickbot collects local files and information from the victim\u2019s local machine.<\/td><\/tr> <\/td> T1185<\/a><\/td> Man in the Browser<\/td> Trickbot uses web injects and browser redirection to trick victims into providing their login credentials on a fake or modified web page.<\/td><\/tr> Command and Control<\/td> T1071.001<\/a><\/td> Application Layer Protocol: Web Protocols<\/td> Trickbot uses HTTPS to communicate with its C&C servers, to get malware updates, modules that perform most of the malware logic and various configuration files.<\/td><\/tr> <\/td> T1573.001<\/a><\/td> Encrypted Channel: Symmetric Cryptography<\/td> Trickbot uses a custom crypter leveraging Microsoft\u2019s CryptoAPI to encrypt C&C traffic.<\/td><\/tr> <\/td> T1105<\/a><\/td> Ingress Tool Transfer<\/td> Trickbot downloads several additional files and saves them to the victim\u2019s machine.<\/td><\/tr> <\/td> T1571<\/a><\/td> Non-Standard Port<\/td> Some Trickbot samples have used HTTP over ports 447 and 8082 for C&C.<\/td><\/tr> <\/td> T1219<\/a><\/td> Remote Access Software<\/td> Trickbot uses vncDll module to remote control the victim machine.<\/td><\/tr> Exfiltration<\/td> T1041<\/a><\/td> Exfiltration Over C2 Channel<\/td> Trickbot exfiltrates data over the C&C channel using HTTP POST requests.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Appendix<\/h2>\n\n\n\n
Lateral movement modules<\/h3>\n\n\n\n
Infostealers<\/h3>\n\n\n\n
Network abuse<\/h3>\n\n\n\n
Other<\/h3>\n\n\n\n
Module names<\/th> Sub-config<\/th> Rich headers<\/th><\/tr><\/thead> shareDll, mshareDll, tshareDll<\/td> <\/td> NO<\/strong><\/td><\/tr> wormwinDll, wormDll, mwormDll, nwormDll<\/td> <\/td> NO<\/strong><\/td><\/tr> tabDll<\/td> dpost<\/td> YES<\/strong><\/td><\/tr> pwgrab<\/td> dpost<\/td> YES<\/strong><\/td><\/tr> systeminfo<\/td> <\/td> YES<\/strong><\/td><\/tr> domainDll<\/td> <\/td> NO<\/strong><\/td><\/tr> networkDll<\/td> dpost<\/td> YES<\/strong><\/td><\/tr> outlookDll<\/td> <\/td> NO<\/strong><\/td><\/tr> importDll<\/td> <\/td> NO<\/strong><\/td><\/tr> mailsearcher<\/td> mailconf<\/td> NO<\/strong><\/td><\/tr> cookiesDll<\/td> dpost<\/td> YES<\/strong><\/td><\/tr> squlDll<\/td> <\/td> YES<\/strong><\/td><\/tr> aDll<\/td> <\/td> YES<\/strong><\/td><\/tr> psfin<\/td> dpost<\/td> YES<\/strong><\/td><\/tr> injectDll<\/td> dinj, sinj, dpost<\/td> YES<\/strong>\/NO<\/strong><\/td><\/tr> NewBCtestDll, NewBCtestnDll<\/td> bcconfig3<\/td> YES<\/strong><\/td><\/tr> vncDll<\/td> vncconf<\/td> YES<\/strong><\/td><\/tr> vpnDll<\/td> vpnsrv<\/td> YES<\/strong><\/td><\/tr> rdpscanDll<\/td> srv<\/td> YES<\/strong><\/td><\/tr> bcClientDllTestTest<\/td> <\/td> YES<\/strong><\/td><\/tr> shadnewDll<\/td> dom<\/td> YES<\/strong><\/td><\/tr> mexecDll<\/td> <\/td> YES<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Useful links:<\/em><\/h3>\n\n\n\n