Last year we reported about a new modular malware using a network protocol similar to Dyreza – you can read about it here. The malware was not very stealthy and some parts looked to be under development, but we noticed its potential and how easily it could be extended. Indeed, the authors of TrickBot are persistent not only in spreading their product but also in developing new features.
Some of the novel changes have been noted in the report of Security Art Work (available here).
But the authors of the malware didn’t stop there – recently we captured some additions – for example, the one called Outlook.dll. While most of the modules are written in C++, this one is written in Delphi. This may indicate that the team of developers gained some new members who are more comfortable with this particular language.
- 9aac1e00d62e0b4049781cc5eff99bc7 – main sample (packed)
Downloaded modules (32 bit):
- b6f9ba3fd8af478147c59b2f3b3043c7 – OutlookX32.dll
- ac32c723c94e2c311db78fb798f2dd63 – module.dll (importDll32)
- f8e58af3ffefd4037fef246e93a55dc8 – mailsearcher.dll (mailsearcher32)
- 25570c3d943c0d83d69b12bc8df29b9d – SystemInfo.dll (systeminfo32)
- 5ac93850e24e7f0be3831f1a7c463e9c – loader.dll (injectDll32), reflectively loads submodules:
As before, after being deployed TrickBot installs itself in a new directory created in %APPDATA%. It runs a new instance from the installation directory.
Inside, it creates another directory – Modules, where it drops downloaded modules and their configuration files in encrypted form:
The way in which the modules and configuration files are encrypted didn’t change – still, we can use the same scripts to recover them.
After decrypting config.conf we got some more details about the current campaign – the version of the analyzed configuration is 1000030 and the given group tag is tt0002. Fragment:
As before, the persistence is achieved with the help of Scheduled Task:
The task deploys the main bot, which, once run, decrypts and loads the other modules. Each module is injected into a new instance of svchost:
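The footprint described in the steps above (an install directory under %APPDATA% with a Modules subdirectory, a Scheduled Task launching from it, and modules injected into fresh svchost instances) can be checked on a host with a small triage script. This is an added example, not code from the original post; the directory and task names are not given in the post, so the checks are structural, and the sample tree and task/process records are constructed.

```python
"""Host triage for the TrickBot footprint described above (added example,
not code from the original post). Checks: an install directory directly
under %APPDATA% holding a 'Modules' subdirectory, a Scheduled Task whose
action runs a program from that directory, and svchost.exe instances not
started by services.exe. Task/process records are plain dicts (e.g. parsed
from `schtasks /query /v /fo CSV` and a process listing); sample data is
constructed in a temp directory by make_constructed_sample()."""
import os
import tempfile
from pathlib import Path

def find_install_dirs(appdata: str) -> list[str]:
    """Directories directly under appdata that contain a 'Modules' subdir."""
    return sorted(str(d) for d in Path(appdata).iterdir()
                  if d.is_dir() and (d / "Modules").is_dir())

def _under(path: str, parent: str) -> bool:
    path = os.path.normcase(os.path.abspath(path))
    return path.startswith(os.path.normcase(os.path.abspath(parent)) + os.sep)

def tasks_running_from(tasks: list[dict], install_dirs: list[str]) -> list[str]:
    """Names of tasks whose command launches a program inside an install dir."""
    hits = []
    for task in tasks:
        cmd = task["command"].strip()
        if not cmd:
            continue
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        if any(_under(exe, d) for d in install_dirs):
            hits.append(task["name"])
    return hits

def orphan_svchosts(processes: list[dict]) -> list[int]:
    """PIDs of svchost.exe whose parent is not services.exe (bot-spawned)."""
    name_of = {p["pid"]: p["name"].lower() for p in processes}
    return [p["pid"] for p in processes if p["name"].lower() == "svchost.exe"
            and name_of.get(p["ppid"]) != "services.exe"]

def make_constructed_sample():
    """Constructed %APPDATA% tree plus task/process records (not real data)."""
    appdata = tempfile.mkdtemp()
    os.makedirs(os.path.join(appdata, "winapp", "Modules"))  # bot-like layout
    os.makedirs(os.path.join(appdata, "clean"))              # benign directory
    bot_exe = os.path.join(appdata, "winapp", "winapp.exe")
    tasks = [{"name": "Updater", "command": '"%s" /run' % bot_exe},
             {"name": "Backup", "command": "C:\\Windows\\System32\\notepad.exe"}]
    procs = [{"pid": 600, "ppid": 4, "name": "services.exe"},
             {"pid": 700, "ppid": 600, "name": "svchost.exe"},  # legitimate
             {"pid": 900, "ppid": 3000, "name": "winapp.exe"},  # the bot
             {"pid": 950, "ppid": 900, "name": "svchost.exe"}]  # injected host
    return appdata, tasks, procs
```

On a real host, replace the constructed sample with the actual %APPDATA% path, the parsed schtasks output and a process listing; each of the three checks alone is noisy, but all three together match the behaviour described in the post.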
As before, all the TrickBot modules follow a predefined API. They export four functions:
As mentioned in the section “behavioral analysis”, in the current run we observed 5 modules. SystemInfo.dll and loader.dll (injectDll32) have been present in TrickBot since the very beginning. The module mailsearcher.dll was introduced in December 2016 (according to the F5 DevCentral article). But there are some modules in the set that we haven’t seen described before: module.dll and Outlook.dll.
This bulky module is written in C++, compiled with Qt5, OpenSSL and also incorporates SQLite. Inside the binary we can find the strings indicating particular versions of the libraries:
- Qt 5.6.2 (i386-little_endian-ilp32 static release build; by GCC 6.2.0)
- OpenSSL 1.0.2k 26 Jan 2017
- 2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2 (SQLite)
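The three version strings listed above can be pulled out of a binary automatically, which is useful when comparing builds of module.dll or checking other samples for the same static libraries. The following is an added example, not code from the original post; the sample blob is constructed from the strings quoted above.

```python
"""Library fingerprinting helper (added example, not code from the post).
Scans a binary blob for the Qt, OpenSSL and SQLite version strings that
module.dll carries, so an analyst can confirm the embedded library
versions without loading the sample. SAMPLE is constructed."""
import re

PATTERNS = {
    # "Qt 5.6.2 (i386-little_endian-ilp32 static release build; by GCC 6.2.0)"
    "qt": re.compile(rb"Qt (\d+\.\d+\.\d+) \(([^)]*)\)"),
    # "OpenSSL 1.0.2k 26 Jan 2017"
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?) (\d{1,2} [A-Z][a-z]{2} \d{4})"),
    # sqlite_source_id() layout: "YYYY-MM-DD HH:MM:SS <hash of the source tree>"
    "sqlite": re.compile(rb"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([0-9a-f]{39,40})"),
}

def fingerprint_libraries(blob: bytes) -> dict:
    """Return {library: {field: value}} for each version string found."""
    found = {}
    m = PATTERNS["qt"].search(blob)
    if m:
        found["qt"] = {"version": m.group(1).decode(), "build": m.group(2).decode()}
    m = PATTERNS["openssl"].search(blob)
    if m:
        found["openssl"] = {"version": m.group(1).decode(), "date": m.group(2).decode()}
    m = PATTERNS["sqlite"].search(blob)
    if m:
        found["sqlite"] = {"source_date": m.group(1).decode(),
                           "source_hash": m.group(2).decode()}
    return found

def fingerprint_file(path: str) -> dict:
    """Convenience wrapper: fingerprint a file on disk."""
    with open(path, "rb") as fh:
        return fingerprint_libraries(fh.read())

# Constructed sample: the three strings from the post embedded in filler bytes.
SAMPLE = (b"MZ\x90\x00filler"
          b"Qt 5.6.2 (i386-little_endian-ilp32 static release build; by GCC 6.2.0)\x00"
          b"\xff\xff\xff\xffOpenSSL 1.0.2k 26 Jan 2017\x00filler"
          b"2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2\x00")

if __name__ == "__main__":
    for lib, fields in fingerprint_libraries(SAMPLE).items():
        print(lib, fields)
```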
We can also find references in the code – in the given example QAbstractSocket class from Qt library is used:
DLL’s compilation timestamp indicates that it is pretty fresh, written in May of this year:
Functionality-wise, this module is focused on stealing data from the browsers, such as:
- HTML5 Local Storage
- Browsing History
- Flash LSO (Local Shared Objects)
- URL hits
The authors didn’t put any effort into hiding their intentions: debug strings describing every action taken are printed. Examples:
Grabbing URL hits:
In contrast to loader.dll/injectDll (referenced here), which is modular and stores all its scripts and targets in dedicated configuration files, module.dll/importDll32 comes with all the data hardcoded. For example, we can find inside the binary a very long list of targets – websites from countries all around the world – France, Italy, Japan, Poland, Norway, Peru and more:
During its run the module creates a hidden desktop:
This desktop is used as a workspace, where the malicious module can open and fingerprint browsers in a way that is not noticed by the user.
You can see the full content here.
This script, when executed, fills the text area with the data gathered about the environment and passes this data to the malware:
Another script is used for gathering information on the plugins installed in InternetExplorer (compare with this script):
You can see the full content here.
The scripts send the collected data in the POST request in the variable called marker_:
The data is received by the handler inside the TrickBot module:
Interestingly, the malicious plugin also contains 4 base64-encoded pictures in PNG format:
The SQL part
Among the data hardcoded within the module.dll we can find a string referencing an SQLite release:
2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2
The incorporated SQLite is used to retrieve and steal data from locally stored databases, for example cookies (similarly to Terdot Zbot, described here, which also incorporated SQLite for this purpose):
Sample strings and queries to the cookies database:
We can also see queries used for stealing the stored browsing history:
This is the module written in Delphi. It contains a hardcoded configuration that follows a pattern typical for TrickBot modules:
<moduleconfig>
  <autostart>no</autostart>
</moduleconfig>
Its purpose is to steal data saved by Microsoft Outlook.
The module opens relevant registry keys, and tries to retrieve saved credentials:
TrickBot’s new modules are not written very well and they are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. For example, module.dll is bulky and does not follow the clean modular structure introduced by TrickBot before. Also, they make use of languages and libraries that are easier – Qt instead of native sockets for module.dll, the Delphi language for Outlook.dll. Those changes may indicate some changes in the development team – either they gained new members who have been delegated to the new tasks, or some of the previous members resigned and have been replaced by lower-quality programmers. It may also be possible that they are doing some prototyping and experiments for further development.
Anyway, as we can see, TrickBot is still actively maintained and it is not going to leave the landscape anytime soon.
This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.