TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

Use Case 

Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key.

Introduction 

Emotet

Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities.

TrickBot

TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing emails. Once TrickBot is installed, it will harvest various data, including passwords, files, and cookies, from a compromised computer and will then try spread laterally throughout a network to gather more data.

  • When done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators.
  • The Ryuk Actors will then have access to the infected computer and begin to perform reconnaissance of the network. After gaining administrator credentials, they will deploy the ransomware on the network's devices using PowerShell Empire or PSExec.
  • These spam emails contain malicious documents that will install the Emotet trojan on the recipient's computer when opened and macros enabled.
  • Historically, once a user became infected with Emotet, the trojan would eventually download and install the TrickBot trojan on the infected computer.
  • Similar to Emotet, TrickBot is also referred to as a banking trojan and worm. It does a lot of similar activities to Emotet, for example constantly trying to spread to other computers and updating itself multiple times a day.

Ryuk 

Ryuk is a crypto-ransomware that blocks access to a system, device of a file by encrypting the information and its backups, including ones existing at third parties’ applications. Ryuk only decrypts the data once a ransom is paid according to what is written in the ransom note- a ‘RyukReadMe.txt’ place in every folder on the system.

Ryuk is usually dropped on the system by other malware. TrickBot is often used as Ryuk’s dropper. Ryuk can sometimes gain access to the system via Remote Desktop Services. Ryuk’s dropper contains both 32 and 64 bites modules of the ransomware. The dropper chooses the right module according to the process that’s currently running.

Detecting the dropper in the system is difficult since the main payload deletes it after the execution (as explained above). After deleting the dropper, the malware tries to stop any antivirus and anti-malware processes and services.

Combo : Emotet, TrickBot and Ryuk

  • This triple threat campaign initiates with a weaponized Microsoft Office document attached to a phishing campaign. The malicious code attached to the document executes a PowerShell command that attempts to download the Emotet payload. Once it succeeded, Emotet infects and gathers information on the affected machine.
  • It also initiates the download and execution of TrickBot Trojan from a remote C2 server that it communicates with.
  • When TrickBot executes, it creates an installation folder containing a copy of Ryuk malware, encrypted malicious modules, and their configuration files. 
  • TrickBot also creates a scheduled task and a service to ensure persistence.
  • In addition to stealing information using TrickBot, the attackers check if the target machine is a qualified target. If so, they download the Ryuk ransomware payload and use admin credentials stolen by TrickBot to move laterally in the network and search for assets worth to infect. Once they are found, the main Ryuk payload injects itself into multiple processes and achieves persistence by using the registry.

Anatomy Of Attack

IOC : 

Description: Falcon Overwatch has identified malicious activity of significant concern. This has been raised for immediate action and should be investigated promptly. Malicious file execution beneath renamed Vhd2disk executable with persistence and reconnaissance on host.

Customer ID: a05458201d2e49fdac278abbca87cd1d
Host name: NAOUXXXX
File name: Preview.exe
File path: \Device\HarddiskVolume4\Users\Kxxxe.Bxxxn\Downloads\Preview.exe
Command line: "C:\Users\Kxxxe.Bxxxn\Downloads\Preview.exe" 
SHA 256: e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e
MD5 Hash data: 9f00d78f2e8e4523773a264f85be1c02
Platform: Windows
IP address: 82.146.37[.]128
User name: BXXXX\Kxxxe.Bxxxn
Detected: Sep. 10, 2020 00:32:42 local time, (2020-09-09 19:02:42 UTC)
Last behavior: Sep. 10, 2020 00:32:42 local time, (2020-09-09 19:02:42 UTC)
AV Detections 29 / 67 Positives

In this case, We Investigate using (EDR) Falcon Crowdstrike : 


CrowdStrike is a leader in cloud-delivered endpoint protection. Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon deploys in minutes to deliver real-time protection and actionable intelligence from Day One. It seamlessly unifies next-generation AV with best-in-class endpoint detection and response, backed by 24/7 managed hunting. Its cloud infrastructure and single-agent architecture take away complexity and add scalability, manageability, and speed.

Let's Explore the Process Tree First : 

As shown in the Above figure the Process Execution flow as Follows: 
  • Explorer.exe
  • Chrome.exe
  • Preview.exe
  • jdkugodvft.exe
  • Explorer.exe
  • Net.exe
Falcon Overwatch Detected time and the Run Period of a malware as shown in below figure: 

Stages of Cyber Attack : 

1)     Delivery : 

The first stage of the attack starts with a weaponized Microsoft Office document attached to a phishing email. This file contains a malicious, [URL/macro-based code] Url in our case. Once the user opens the document and upon clicking malicious Url will attempts to download the Emotet payload:

Effective URL:  hxxps://u183697[.]ct.sendgrid[.]net/ls/click?upn=Vy3Dyu88bCb-2Fh2TIVF6HkZUPICsbgggoZ9mri2-2BAifVYqpeuWlrmZn1moPtNBjPLE83X58Jh8eibnnjXet8TlN7N-2FMX1wX5uPOHNxwKbDvzC5it94-2FXJp6E81JKrhWxbYrY9V-2FsOdAODHSEM5KRe-2FO4NQ-2FCfeoP3Dtf463y-2F-2BmvZMQxo-2FrGNGvZBERE9HmSUh9ry_KO-2FdfQjnuXKBDGEGVSydXEoDVDmiFC0zpUss7260NgKXXh7RALVkxz8FgepbZAwFzXqHAT-2FFTrxNCUlPbHChzH5TMu-2F4HQOuqJcg-2BGDbCkuNVeDzR6xzF638uw-2B12UgIeZql4I9qm0Cva0-2BbnulV6sFRmtWPnn6Q5dM5yutxfe64aWicQwde0UHtL8VXZaDGw2jgCbqbMrmwa3SlE0J5Ag-3D-3D


Once TrickBot’s main payload is injected into the svchost.exe process, it carries out a series of reconnaissance-related tasks to profile the infected endpoint and the network. This information is crucial, as it determines the course of the attack which will discuss later in the blog.

2)     Exploitation : 

As soon as User Clicks on URL inside document, its gets redirected to Malicious Hosted Website or C2 servers(command & control servers) and Downloads the Payload: i.e 

Payload : Preview.exe

Fig : Network Operations

Malware : "Preview.exe" Automatically gets downloaded.
FILE: C:\Users\Kxxx.Bxxxn\Downloads\Preview.exe
HASH: e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e
NOTE: Renamed copy of the legitimate Vhd2disk tool, likely a result of a successful phish.

3)     Installation : 

Preview.exe spawns two subprocess "CMD.exe" and "jdkugodvft.exe", as shown in image below : 

Fig : Preview.exe - Process Tree

Cmd.exe spawns two sub-process : "Conhost.exe" and "Timeout.exe"

Disk2vhd Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft's Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs).

  • Timeout.exe 
Command Line : TIMEOUT /T 50 /NOBREAK

  • Conhost.exe
Command Line : \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1


Fig : Disk Operation

"jdkugodvft.exe": Probable TrickBot malware written and executed by Vhd2disk 

File Path: C:\Users\Kxxxe.Bxxxn\AppData\Local\Temp\jdkugodvft.exe
HASH: 42425000db2fc8a8fd185f79e394075a31c79704566ab223295d7cc1a0052978

Executable Activities : 

4)     Persistence : 

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. The adversary is trying to maintain their foothold.

      4.1)   Modifying ASEP Values 



      4.2)   Adding .lnk entry in windows Startup Directory

Command Line : 

cmd /c TIMEOUT /T 50 /NOBREAK && move "C:\Users\Kxxx~1.BRI\AppData\Local\Temp\gvhsjpwqjv" "C:\Users\Kxxx.Bxxxn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Control Panel.lnk"

     4.3)   Adding Log-on script in Group Policy.

GPscript.exe is responsible for triggering logon scripts when you define them in Group Policy. 
  • GPO scripts can be defined for user and started with GPScript.exe /Logon
  • Logon scripts do not show up in Autoruns.exe
  • GPscript.exe is responsible for triggering logon scripts when you define them in Group Policy. 
If you have anything defined in the Group policy (Local group policy – gpedit.msc) under logon scripts it will execute if you supply /logon to the binary. 

Process Execution :



  
GPScript.exe /logon : When you add a script the group policy editor writes to the following registry key location:

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts

Another cool thing that I discovered is that this technique this does not show up in autoruns.
You heard me right, user logon scripts do not show up in autoruns. 


5)    Reconnaissance Commands : 

Attacker was trying to Reconnaissance on network, In addition to several crafted PowerShell commands, the attackers use several legitimate Windows processes to gather information, including nltest.exe, net.exe, ipconfig.exe, whoami.exe, and nslookup.exe. 

executed commands as below:

  • net view /all
  • net view /all /domain
  • nltest /domain_trusts /all_trusts
  • net localgroup administrator
  • net group /domain admins
  • net1 localgroup administrator
  • net1 group /domain admins

How to defend against Trickbot

How to defend against Trickbot it is important to ensure a well-organized, multi-layered cybersecurity program is in place within your organization: 

  • Email and spam filters are critical in the case of Trickbot as this is the initial infection vector.
  • Perform regular updates and system hardening as Trickbot uses known Windows SMB exploits for propagation.
  • Restrict RDP/terminal services on all levels. Enforce best practice secure configuration:
    • limit connections.
    • limit devices redirection.
    • use network-level authentication and limit authentication types.
    • limit RDP groups and RDP user rights assignment authorizations.
  • Give employees regular phishing training and conduct regular awareness programs.
  • Employ strong password policies and use multi-factor authentication, such as Duo.
  • Ensure PowerShell logging and security by limiting and hardening PowerShell usage, logging trusted PowerShell processes and remove remote invoke.
  • Ensure updated EDR Solution placed inside the network like Crowdstrike etc.

Comments

Popular posts from this blog

RTR using Falcon Crowdstrike

Top Commands Mostly Used By System Administrator.

SECURITY OPERATION CENTRE

Damn Vulnerable Web Application - Part 1

Cyber Threat Intelligence

Collective Intelligence Framework v3 - Part 1

Top 20 Subdomains Search Engines

Collective Intelligence Framework v3 - Part 2

Security Architecture for Startup