© Keysight Technologies 2000–2023
Chuck Mcauley
Network Visibility + Security
Simulating Tricky Malware - Trickbot
2020-12-15 | 8 min read
Trickbot is a nasty and highly advanced piece of malware used for many different malicious objectives. Originally a banking Trojan, Trickbot has more recently been turned into a delivery mechanism for anything from a remote access toolkit (RAT) to crypto-mining, intellectual property and data exfiltration, and ransomware (see the CISA Alert). With our December Threat Simulator Endpoint update, we have included a detailed Trickbot Assessment. With this new Assessment, you can safely simulate Trickbot and determine your preparedness should you be hit with Trickbot or similar malware. Read on to learn more about how this crafty and malicious threat can compromise your network. We will publish more details in future blogs. If you want to know more now, you can sign up for a free trial of Threat Simulator. There you can read the details of the Assessment and learn how effective your security defenses are against Trickbot and many other threats impacting the cyber world.
Tricky Compromise Part 1 – Delivering a “Maldoc”
The diagram above shows the flow of an incoming email (it could just as well be a file download over HTTP) carrying a Microsoft Word document; this is known as a “Maldoc”. The end user is tricked, or phished, into believing that the document is safe to open. Once it is opened, the process begins, and the end user is oblivious to the events that transpire behind the scenes as Trickbot plants itself firmly on their system. Most would think that their anti-virus software would have identified the Word document as malicious, and most would be wrong. Neither the Word document nor the Excel execution that follows gets identified as malicious. Some would argue that they are not malicious since they don’t actually perform the malicious execution; they do, however, download the packages that perform the malicious activities. In short, as of this blog, you should not expect anti-virus software to stop Maldocs. This is important, because we feel most people expect anti-virus to prevent these Maldocs from being delivered, and it doesn’t. Another case for security defense-in-depth.
One additional tidbit of information about the Maldoc: Trickbot attempts to avoid sandbox technologies by only activating the macros when the Word document is closed. If someone were to try to detonate the Word document, nothing would happen until they close it, and this causes most automated sandboxes to be evaded because they never close the Word document.
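The close-triggered macro described above is something a defender can check for in triage. The following is an added example, not Keysight's or Threat Simulator's code: it takes VBA source that has already been extracted from a document (for example with a macro-extraction tool such as olevba) and reports whether any close-time event handler contains calls typical of a downloader. The sample macro and all procedure names in it are constructed for illustration.

```python
"""Triage extracted VBA source for close-triggered macros (added example)."""
import re

# Event handlers that Word runs when a document is closed. A macro whose
# payload only lives here does nothing while the document sits open in a
# sandbox, which is the evasion the post describes.
CLOSE_HANDLERS = ("autoclose", "document_close")

# Calls commonly seen in downloader macros. Their presence inside a close
# handler is what makes a sample worth escalating (constructed list).
SUSPICIOUS_CALLS = ("Shell", "CreateObject", "URLDownloadToFile",
                    "WScript.Shell", "XMLHTTP", "ADODB.Stream")

PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)",
                     re.IGNORECASE | re.MULTILINE)
END_RE = re.compile(r"^\s*End\s+(?:Sub|Function)", re.IGNORECASE | re.MULTILINE)


def split_procedures(vba: str) -> dict:
    """Return {procedure_name: body_text} for every Sub/Function in the source."""
    procs = {}
    for m in PROC_RE.finditer(vba):
        end = END_RE.search(vba, m.end())
        body = vba[m.end(): end.start() if end else len(vba)]
        procs[m.group(1)] = body
    return procs


def triage(vba: str) -> dict:
    """Report close-triggered handlers and the suspicious calls inside them."""
    procs = split_procedures(vba)
    close_triggered = [name for name in procs if name.lower() in CLOSE_HANDLERS]
    suspicious = {}
    for name in close_triggered:
        body_lower = procs[name].lower()
        hits = [call for call in SUSPICIOUS_CALLS if call.lower() in body_lower]
        if hits:
            suspicious[name] = hits
    if suspicious:
        verdict = "escalate"      # payload-like calls hidden behind document close
    elif close_triggered:
        verdict = "review"        # close handler present, nothing obvious inside
    else:
        verdict = "clean"         # no close-time handler at all
    return {"close_triggered": close_triggered,
            "suspicious_calls": suspicious,
            "verdict": verdict}


# Constructed sample: the open handler looks harmless, the close handler
# spawns a shell object. The command string is a placeholder.
SAMPLE_VBA = """
Private Sub Document_Open()
    ' benign-looking: nothing happens while the document is open
    ActiveDocument.Range.Font.Size = 11
End Sub

Private Sub Document_Close()
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    o.Run "PLACEHOLDER_COMMAND", 0
End Sub
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

A sandbox that wants to see this behaviour has to close the document (or drive the close event) before ending the detonation; the triage above lets an analyst spot the pattern statically without waiting for the sandbox.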
Tricky Part 2 – Use of Trusted System Applications
Another tricky aspect of Trickbot is how it utilizes trusted Windows applications to execute and evade security controls. Looking back at the diagram, at the far bottom right, you see that “wermgr.exe” is used for external communications. This binary, “wermgr.exe”, is the Windows Error Reporting Manager and is used to send operating system crash and bug reports to Microsoft. As you can see, this executable is used for communications with the Trickbot command and control infrastructure. The trickiest part of all: the “wermgr.exe” binary is not modified on disk. Everything is done dynamically in memory, without “wermgr.exe” being aware of any changes, and the process still functions as expected.
A lot goes on between the download, opening, and then closing of the Word document and the “wermgr.exe” communications with Trickbot command and control. The part that allows Trickbot to make “wermgr.exe” perform its dirty deeds is known as Dynamic-Link Library (DLL) Injection. The nature of a DLL is to be dynamic, allowing executable programs to be small in size and load functions as needed. Trickbot, and many other malware families, take full advantage of this technique; it is not new, but it is tricky!
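Because the binary on disk is untouched, file-based controls have nothing to see; the injection and the resulting network traffic are what telemetry can catch. The following added example (not Keysight's code) correlates two Sysmon event types, ID 8 (CreateRemoteThread) and ID 3 (network connection), to flag a wermgr.exe process that received a remote thread from another process and then talked to the network. It assumes the events have been exported as one JSON object per line with the standard Sysmon field names used below; the event values, paths, process IDs and addresses are constructed.

```python
"""Correlate Sysmon events around wermgr.exe (added example)."""
import json


def is_wermgr(image_path: str) -> bool:
    """True if the image path refers to wermgr.exe (case-insensitive)."""
    return image_path.lower().rsplit("\\", 1)[-1] == "wermgr.exe"


def analyze(lines):
    """Return findings for injection into, and network use by, wermgr.exe.

    Sysmon ID 8 = CreateRemoteThread, ID 3 = network connection.
    A remote thread created in wermgr.exe by another process is the
    injection step; a later connection from that same PID is the
    command-and-control step the post describes.
    """
    injected = {}          # TargetProcessId -> image that injected it
    findings = []
    for line in lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        if (eid == 8 and is_wermgr(ev.get("TargetImage", ""))
                and not is_wermgr(ev.get("SourceImage", ""))):
            pid = ev["TargetProcessId"]
            injected[pid] = ev["SourceImage"]
            findings.append({"severity": "high", "pid": pid,
                             "reason": f"remote thread created in wermgr.exe by {ev['SourceImage']}"})
        elif eid == 3 and is_wermgr(ev.get("Image", "")):
            pid = ev["ProcessId"]
            dest = f"{ev['DestinationIp']}:{ev['DestinationPort']}"
            if pid in injected:
                findings.append({"severity": "high", "pid": pid,
                                 "reason": f"network connection to {dest} from wermgr.exe "
                                           f"previously injected by {injected[pid]}"})
            else:
                # wermgr.exe does legitimately report to Microsoft, so an
                # unexplained connection is only a low-severity review item.
                findings.append({"severity": "low", "pid": pid,
                                 "reason": f"wermgr.exe connected to {dest}; confirm it is error reporting"})
    return findings


# Constructed sample telemetry (TEST-NET addresses, made-up PIDs and paths).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 8, "UtcTime": "2020-12-15 10:00:01",
     "SourceImage": "C:\\Users\\user\\AppData\\Local\\Temp\\loader.exe",
     "TargetImage": "C:\\Windows\\System32\\wermgr.exe", "TargetProcessId": 4242},
    {"EventID": 3, "UtcTime": "2020-12-15 10:00:05",
     "Image": "C:\\Windows\\System32\\wermgr.exe", "ProcessId": 4242,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2020-12-15 10:07:30",
     "Image": "C:\\Windows\\System32\\wermgr.exe", "ProcessId": 5151,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2020-12-15 10:08:00",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 900,
     "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["reason"])
```

The correlation keys on the target process ID rather than on the destination address, so it does not depend on knowing the command-and-control infrastructure in advance; Sysmon ID 10 (ProcessAccess) with write or thread-creation rights against wermgr.exe can be added to the first rule in the same way.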
Comprehensive Trickbot Simulation
In the Threat Simulator Assessment, you will find forty endpoint activities simulating everything that Trickbot does on a system. These are listed here:
Nowhere, other than in Threat Simulator, can you find as comprehensive a Breach and Attack Simulation that’s driven by real-world Threat Intelligence from the Application and Threat Intelligence Research Center.