Trickbot is a nasty and highly advanced malware technology being used for many different malicious objectives. Originally, Trickbot was used as a banking Trojan; most recently we have seen Trickbot turned into a delivery mechanism for anything from a remote access toolkit (RAT) and crypto-mining to intellectual property and data exfiltration and ransomware (see the CISA Alert). With our December Threat Simulator Endpoint update, we have included a detailed Trickbot Assessment. With this new Assessment, you can safely simulate Trickbot and determine your preparedness should you be hit with Trickbot or similar malware. Read on to learn more about how this crafty and malicious threat can compromise your network. We will publish more details in future blogs. If you want to know more now, you can sign up for a free trial of Threat Simulator. There you can read the details of the Assessment and learn how effective your security defenses are against Trickbot and many other threats impacting the cyber world.
Tricky Compromise Part 1 – Delivering a “Maldoc”
The diagram above shows the flow of an incoming email (it could equally be a file download over HTTP) carrying a Microsoft Word document; this is known as a “Maldoc”. The end user is tricked, or phished, into believing that the document is safe to open. Once it is opened, the process begins, and the end user is oblivious to the events that transpire behind the scenes as Trickbot plants itself firmly on their system. Most would think that their Anti-Virus software would have identified the Word document as malicious, and most would be wrong. Neither the Word document nor the Excel execution that follows gets identified as malicious. Some would argue that they are not malicious, since they don’t actually perform the malicious execution; they do, however, download the packages that perform the malicious activities. In short, as of this blog, you should not expect Anti-Virus software to stop Maldocs. This is important, because we feel most people expect the Anti-Virus to prevent these Maldocs from being delivered, and it doesn’t. Another case for security defense-in-depth.
One additional tidbit of information about the Maldoc: Trickbot attempts to avoid sandbox technologies by only activating the macros when the Word document is closed. If someone were to try to detonate the MS Word document, nothing would happen until the document is closed, and this causes most automated sandboxes to be evaded, because they don’t close the Word document.
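The close-triggered macro is something a defender can check for statically before the document ever reaches a sandbox. The script below is an added example, not code from this post or from Threat Simulator: it scans extracted VBA source for auto-executing event procedures, notes whether every trigger is a close-type event (the case a sandbox that never closes the document will miss), and pairs that with a small list of capability calls. The trigger and call lists, and the sample macro text, are assumptions constructed for the example; a real workflow would feed it the output of a VBA extraction tool.

```python
import re

# Constructed sample VBA source for the check below (not a real maldoc and
# not Threat Simulator's content): the only entry point is Document_Close,
# so nothing happens until the document is closed.
SAMPLE_VBA = """
Private Sub Document_Close()
    Dim xl As Object
    MkDir "C:\\ProgramData\\stage"
    Set xl = CreateObject("Excel.Application")
End Sub
"""

# Office event procedures that run without the user invoking them explicitly.
AUTO_EXEC_TRIGGERS = {
    "AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew",
    "Document_Open", "Document_Close", "Document_New",
    "Workbook_Open", "Workbook_BeforeClose", "Workbook_Activate",
}
# Triggers that fire on close rather than open: a sandbox that never closes
# the document will not observe the macro body at all.
CLOSE_TRIGGERS = {"AutoClose", "AutoExit", "Document_Close", "Workbook_BeforeClose"}

# Capability calls that matter when they sit inside an auto-exec procedure
# (assumed list for this example; extend from your own triage experience).
SUSPICIOUS_CALLS = {
    "CreateObject": "instantiates a COM object (e.g. Excel.Application)",
    "GetObject": "attaches to a running COM object",
    "MkDir": "creates a directory on disk",
    "Shell": "launches a process",
    "Environ": "reads environment variables (often to build paths)",
}

# Matches "Sub Name(" / "Function Name(" at the start of a line.
SUB_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(",
                    re.IGNORECASE | re.MULTILINE)


def find_auto_exec_procs(vba_source):
    """Return the auto-executing procedure names declared in the source."""
    canonical = {t.lower(): t for t in AUTO_EXEC_TRIGGERS}
    found = []
    for name in SUB_RE.findall(vba_source):
        if name.lower() in canonical:
            found.append(canonical[name.lower()])
    return found


def find_suspicious_calls(vba_source):
    """Return (call, reason) pairs for capability calls present in the source."""
    hits = []
    for call, reason in SUSPICIOUS_CALLS.items():
        if re.search(r"\b" + re.escape(call) + r"\b", vba_source, re.IGNORECASE):
            hits.append((call, reason))
    return hits


def assess_macro(vba_source):
    """Combine trigger and capability evidence into a simple triage verdict."""
    triggers = find_auto_exec_procs(vba_source)
    calls = [c for c, _ in find_suspicious_calls(vba_source)]
    if triggers and calls:
        verdict = "suspicious"
    elif triggers or calls:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "triggers": triggers,
        "calls": calls,
        # True when the macro can only run on close: detonate-and-close it.
        "fires_on_close_only": bool(triggers) and all(t in CLOSE_TRIGGERS for t in triggers),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in assess_macro(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

The `fires_on_close_only` flag is the actionable part: when it is set, the sandbox run needs to include closing the document, or the dynamic verdict is meaningless.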
Tricky Part 2 – Use of Trusted System Applications
Another tricky aspect of Trickbot is how it utilizes trusted Windows applications to execute and evade security controls. Looking back at the diagram, at the far bottom right, you see that “wermgr.exe” is used for external communications. This binary, “wermgr.exe”, is the MS Windows Error Reporting Manager and is used to send operating system crash and bug reports to Microsoft. As you can see, this executable is used for communications with the Trickbot command and control infrastructure. The trickiest part of all is that the “wermgr.exe” binary is not modified on disk; everything is done dynamically in memory, without “wermgr.exe” being aware of any changes, and the process still functions as expected.
A lot goes on between the download, opening and closing of the Word document and the “wermgr.exe” communications with Trickbot command and control. The part that allows Trickbot to make “wermgr.exe” perform its dirty deeds is known as Dynamic-Link Library (DLL) injection. DLLs are dynamic by nature, allowing executable programs to stay small and load functions as needed. Trickbot, and many other malware families, take full advantage of this technique; it is not new, but it is tricky!
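Because the on-disk binary is untouched, file scanning will not catch this stage; what does stand out is the process lineage. The following is an added example, not code from this post or from Threat Simulator, of a process-tree check run over a handful of constructed Sysmon-style process-creation records. It flags two things the post describes: script hosts running underneath an Office application, and a wermgr.exe instance whose parent is not the Windows Error Reporting service host. The expected-parent set for wermgr.exe and the sample events are assumptions for the example and should be tuned against your own telemetry.

```python
# Constructed process-creation events in the shape of Sysmon Event ID 1
# records, trimmed to the fields the check needs. Sample data, not telemetry
# from the post or from Threat Simulator.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe"},   # user opens the Word doc
    {"pid": 300, "ppid": 200, "image": "cmd.exe"},       # macro fires on close
    {"pid": 400, "ppid": 300, "image": "wscript.exe"},   # runs the encoded script
    {"pid": 500, "ppid": 400, "image": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "rundll32.exe"},  # loads the dropped DLL
    {"pid": 700, "ppid": 600, "image": "wermgr.exe"},    # hollowed C2 process
    # Benign baseline: the Windows Error Reporting service host starting wermgr.exe.
    {"pid": 800, "ppid": 1,   "image": "services.exe"},
    {"pid": 810, "ppid": 800, "image": "svchost.exe"},
    {"pid": 820, "ppid": 810, "image": "wermgr.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "mshta.exe", "regsvr32.exe"}
# Assumed baseline for this example: wermgr.exe is normally started by the
# WER service host (svchost.exe) or by another wermgr.exe instance. Tune this
# set from your own fleet's telemetry before relying on it.
WERMGR_EXPECTED_PARENTS = {"svchost.exe", "wermgr.exe"}


def ancestry(events, pid):
    """Return image names from the given process up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule, chain) findings for the two Trickbot-style patterns."""
    findings = []
    for event in events:
        chain = ancestry(events, event["pid"])
        image, ancestors = chain[0], chain[1:]
        parent = ancestors[0] if ancestors else None
        rendered = " <- ".join(chain)
        # Rule 1: a script/LOLBin host anywhere below an Office application.
        if image in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in ancestors):
            findings.append((event["pid"], "script-host-under-office", rendered))
        # Rule 2: wermgr.exe started by something other than its service host.
        if image == "wermgr.exe" and parent not in WERMGR_EXPECTED_PARENTS:
            findings.append((event["pid"], "wermgr-unexpected-parent", rendered))
    return findings


def flagged_pids(events, rule):
    """Convenience: the set of pids that tripped one named rule."""
    return {pid for pid, r, _ in detect(events) if r == rule}


if __name__ == "__main__":
    for pid, rule, chain in detect(EVENTS):
        print(f"[{rule}] pid {pid}: {chain}")
```

The second rule is deliberately parent-based rather than hash-based: since the hollowed process is a legitimate, unmodified wermgr.exe, its image hash matches Microsoft's and only the lineage and its network behaviour give it away.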
Comprehensive Trickbot Simulation
In the Threat Simulator Assessment, you will find forty endpoint activities simulating everything that Trickbot does on a system. These are listed here:
Simulates a user downloading a Word document (.doc) with a web browser.
Simulates a user opening the Word document (.doc).
Entices a user to accept security prompts to enable macros.
Simulates a user closing the Word document, triggering the execution of the Document_Close event macro procedure.
Creates a directory, from a VBA macro.
Writes a VBScript Encoded (.vbe) file to disk, from a VBA macro.
Creates an Excel.Application COM object from Word.
Executes an Excel DDE via COM from Word.
Uses Windows Command Shell (cmd.exe) to execute a file.
Executes a VBScript Encoded (.vbe) file.
Encodes data in double Base64 encoding, in a VBScript file.
Obfuscates VBScript strings using chr, in a VBScript file.
Creates a Microsoft.XMLDOM COM object from wscript.exe.
Decodes Base64 encoded data using Microsoft.XMLDOM, from wscript.exe.
Creates an Adodb.Stream COM object, from wscript.exe.
Writes a DLL to disk using Adodb.Stream from wscript.exe.
Creates an Excel.Application COM object from wscript.exe.
Executes an Excel DDE via COM from wscript.exe.
Uses Windows Command Shell (cmd.exe) to create a process.
Executes a DLL using rundll32.exe.
Encrypts data in the Resources (.rsrc) section.
Obfuscates API function name strings by fragmenting strings.
Obfuscates API function name strings by fragmenting strings.
Performs Run-Time Dynamic Linking.
Performs Run-Time Dynamic Linking.
Accesses a resource using LdrFindResource_U and LdrAccessResource.
Allocates memory with execute, read, write permissions using VirtualAlloc.
Decrypts shellcode using an XOR-based algorithm.
Loads a DLL from memory using Reflective Loading.
Loads a DLL from memory using Reflective Loading.
Loads a DLL from memory using Reflective Loading.
Delays execution using the SetTimer Win32 API function.
Allocates memory with execute, read, write permissions using VirtualAlloc.
Decrypts shellcode using an XOR-based algorithm.
Executes shellcode using the CreateThread Win32 API function.
Self-decrypts shellcode as the shellcode is running.
Bypasses user-land hooks by calling syscalls directly.
Injects code into a new wermgr.exe process using the Process Hollowing technique.
Reaches out to Command & Control servers over HTTPS.
Uses HTTPS over an alternate port.
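Two of the listed activities, double Base64 encoding and chr-based string obfuscation in the VBScript stage, are the ones an analyst has to undo by hand when triaging a captured script. The following is an added example, not code from this post or from Threat Simulator, of the two small deobfuscation helpers that cover them: one assembles a VBScript string expression built from literals and Chr(n) calls, the other peels Base64 layers until the result stops decoding cleanly (so a dropped DLL, whose bytes fall outside the Base64 alphabet, is returned intact). The string expression and the double-encoded sample are constructed for the example, and the five-layer cap is an arbitrary safety limit.

```python
import base64
import re

# Constructed VBScript fragments for the helpers below (sample data, not code
# from the post or from Threat Simulator). The first builds a string from
# Chr() calls and literal pieces; the second is a placeholder payload that has
# been Base64 encoded twice.
OBFUSCATED_STRING_EXPR = 'Chr(87) & "Scr" & Chr(105) & "pt" & Chr(46) & "Shell"'
INNER_PAYLOAD = b"MZ placeholder: bytes standing in for a dropped DLL"
DOUBLE_B64 = base64.b64encode(base64.b64encode(INNER_PAYLOAD))

# One VBScript string literal (a doubled "" inside a literal is an escaped
# quote) or one Chr(n) call; everything between tokens (the & operators,
# whitespace) is ignored.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|chr\(\s*(\d+)\s*\)', re.IGNORECASE)
# A candidate layer must be pure Base64 alphabet plus optional padding.
B64_ALPHABET_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def evaluate_vbs_string(expr):
    """Assemble a VBScript string expression made of literals and Chr(n) joined by &."""
    parts = []
    for match in TOKEN_RE.finditer(expr):
        literal, code = match.group(1), match.group(2)
        if literal is not None:
            parts.append(literal.replace('""', '"'))
        else:
            parts.append(chr(int(code)))
    return "".join(parts)


def peel_base64(blob, max_layers=5):
    """Decode Base64 repeatedly while the result still decodes cleanly.

    Returns (final_bytes, layers_removed). Stops at the first layer that is
    not valid Base64, so binary output is returned as-is rather than mangled.
    """
    current = blob.encode("ascii") if isinstance(blob, str) else blob
    layers = 0
    while layers < max_layers:
        # Tolerate line-wrapped encodings but not interior spaces, which would
        # indicate the data is already plaintext.
        candidate = current.replace(b"\r", b"").replace(b"\n", b"").strip()
        if not B64_ALPHABET_RE.match(candidate):
            break
        try:
            decoded = base64.b64decode(candidate, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            break
        if not decoded:
            break
        current, layers = decoded, layers + 1
    return current, layers


if __name__ == "__main__":
    print("string ->", evaluate_vbs_string(OBFUSCATED_STRING_EXPR))
    payload, layers = peel_base64(DOUBLE_B64)
    print(f"payload after {layers} layer(s) ->", payload[:20], "...")
```

Running this over every assignment in a captured .vbs (after decoding the .vbe wrapper) gives the analyst the plain COM object names and the raw dropped file without hand-decoding each layer.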
Nowhere other than in Threat Simulator can you find as comprehensive a Breach and Attack Simulation driven by real-world Threat Intelligence from the Application and Threat Intelligence Research Center.
Simulating Tricky Malware - Trickbot
Chuck Mcauley | Network Visibility + Security | 2020-12-15 | 8 min read