TrickBot Malware Family - A Deep Dive using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter

Use Case 

Falcon OverWatch has identified probable TrickBot malware on host NAOUXXXX. A renamed copy of Vhd2disk was executed on the host, likely from a successful phish. This in turn wrote and executed a malicious file, likely TrickBot malware, and established persistence for it with a registry key.

Introduction 

Emotet

Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities.

TrickBot

TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing emails. Once TrickBot is installed, it will harvest various data, including passwords, files, and cookies, from a compromised computer and will then try spread laterally throughout a network to gather more data.

  • When done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators.
  • The Ryuk Actors will then have access to the infected computer and begin to perform reconnaissance of the network. After gaining administrator credentials, they will deploy the ransomware on the network's devices using PowerShell Empire or PSExec.
  • These spam emails contain malicious documents that will install the Emotet trojan on the recipient's computer when opened and macros enabled.
  • Historically, once a user became infected with Emotet, the trojan would eventually download and install the TrickBot trojan on the infected computer.
  • Similar to Emotet, TrickBot is also referred to as a banking trojan and worm. It does a lot of similar activities to Emotet, for example constantly trying to spread to other computers and updating itself multiple times a day.

Ryuk 

Ryuk is a crypto-ransomware that blocks access to a system, device of a file by encrypting the information and its backups, including ones existing at third parties’ applications. Ryuk only decrypts the data once a ransom is paid according to what is written in the ransom note- a ‘RyukReadMe.txt’ place in every folder on the system.

Ryuk is usually dropped on the system by other malware. TrickBot is often used as Ryuk’s dropper. Ryuk can sometimes gain access to the system via Remote Desktop Services. Ryuk’s dropper contains both 32 and 64 bites modules of the ransomware. The dropper chooses the right module according to the process that’s currently running.

Detecting the dropper in the system is difficult since the main payload deletes it after the execution (as explained above). After deleting the dropper, the malware tries to stop any antivirus and anti-malware processes and services.

Combo : Emotet, TrickBot and Ryuk

  • This triple threat campaign initiates with a weaponized Microsoft Office document attached to a phishing campaign. The malicious code attached to the document executes a PowerShell command that attempts to download the Emotet payload. Once it succeeded, Emotet infects and gathers information on the affected machine.
  • It also initiates the download and execution of TrickBot Trojan from a remote C2 server that it communicates with.
  • When TrickBot executes, it creates an installation folder containing a copy of Ryuk malware, encrypted malicious modules, and their configuration files. 
  • TrickBot also creates a scheduled task and a service to ensure persistence.
  • In addition to stealing information using TrickBot, the attackers check if the target machine is a qualified target. If so, they download the Ryuk ransomware payload and use admin credentials stolen by TrickBot to move laterally in the network and search for assets worth to infect. Once they are found, the main Ryuk payload injects itself into multiple processes and achieves persistence by using the registry.

Anatomy Of Attack

IOC : 

Description: Falcon Overwatch has identified malicious activity of significant concern. This has been raised for immediate action and should be investigated promptly. Malicious file execution beneath renamed Vhd2disk executable with persistence and reconnaissance on host.

Customer ID: a05458201d2e49fdac278abbca87cd1d
Host name: NAOUXXXX
File name: Preview.exe
File path: \Device\HarddiskVolume4\Users\Kxxxe.Bxxxn\Downloads\Preview.exe
Command line: "C:\Users\Kxxxe.Bxxxn\Downloads\Preview.exe" 
SHA 256: e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e
MD5 Hash data: 9f00d78f2e8e4523773a264f85be1c02
Platform: Windows
IP address: 82.146.37[.]128
User name: BXXXX\Kxxxe.Bxxxn
Detected: Sep. 10, 2020 00:32:42 local time, (2020-09-09 19:02:42 UTC)
Last behavior: Sep. 10, 2020 00:32:42 local time, (2020-09-09 19:02:42 UTC)
AV Detections 29 / 67 Positives

In this case, We Investigate using (EDR) Falcon Crowdstrike : 


CrowdStrike is a leader in cloud-delivered endpoint protection. Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon deploys in minutes to deliver real-time protection and actionable intelligence from Day One. It seamlessly unifies next-generation AV with best-in-class endpoint detection and response, backed by 24/7 managed hunting. Its cloud infrastructure and single-agent architecture take away complexity and add scalability, manageability, and speed.

Let's Explore the Process Tree First : 

As shown in the Above figure the Process Execution flow as Follows: 
  • Explorer.exe
  • Chrome.exe
  • Preview.exe
  • jdkugodvft.exe
  • Explorer.exe
  • Net.exe
Falcon Overwatch Detected time and the Run Period of a malware as shown in below figure: 

Stages of Cyber Attack : 

1)     Delivery : 

The first stage of the attack starts with a weaponized Microsoft Office document attached to a phishing email. This file contains a malicious, [URL/macro-based code] Url in our case. Once the user opens the document and upon clicking malicious Url will attempts to download the Emotet payload:

Effective URL:  hxxps://u183697[.]ct.sendgrid[.]net/ls/click?upn=Vy3Dyu88bCb-2Fh2TIVF6HkZUPICsbgggoZ9mri2-2BAifVYqpeuWlrmZn1moPtNBjPLE83X58Jh8eibnnjXet8TlN7N-2FMX1wX5uPOHNxwKbDvzC5it94-2FXJp6E81JKrhWxbYrY9V-2FsOdAODHSEM5KRe-2FO4NQ-2FCfeoP3Dtf463y-2F-2BmvZMQxo-2FrGNGvZBERE9HmSUh9ry_KO-2FdfQjnuXKBDGEGVSydXEoDVDmiFC0zpUss7260NgKXXh7RALVkxz8FgepbZAwFzXqHAT-2FFTrxNCUlPbHChzH5TMu-2F4HQOuqJcg-2BGDbCkuNVeDzR6xzF638uw-2B12UgIeZql4I9qm0Cva0-2BbnulV6sFRmtWPnn6Q5dM5yutxfe64aWicQwde0UHtL8VXZaDGw2jgCbqbMrmwa3SlE0J5Ag-3D-3D


Once TrickBot’s main payload is injected into the svchost.exe process, it carries out a series of reconnaissance-related tasks to profile the infected endpoint and the network. This information is crucial, as it determines the course of the attack which will discuss later in the blog.

2)     Exploitation : 

As soon as User Clicks on URL inside document, its gets redirected to Malicious Hosted Website or C2 servers(command & control servers) and Downloads the Payload: i.e 

Payload : Preview.exe

Fig : Network Operations

Malware : "Preview.exe" Automatically gets downloaded.
FILE: C:\Users\Kxxx.Bxxxn\Downloads\Preview.exe
HASH: e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e
NOTE: Renamed copy of the legitimate Vhd2disk tool, likely a result of a successful phish.

3)     Installation : 

Preview.exe spawns two subprocess "CMD.exe" and "jdkugodvft.exe", as shown in image below : 

Fig : Preview.exe - Process Tree

Cmd.exe spawns two sub-process : "Conhost.exe" and "Timeout.exe"

Disk2vhd Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft's Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs).

  • Timeout.exe 
Command Line : TIMEOUT /T 50 /NOBREAK

  • Conhost.exe
Command Line : \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1


Fig : Disk Operation

"jdkugodvft.exe": Probable TrickBot malware written and executed by Vhd2disk 

File Path: C:\Users\Kxxxe.Bxxxn\AppData\Local\Temp\jdkugodvft.exe
HASH: 42425000db2fc8a8fd185f79e394075a31c79704566ab223295d7cc1a0052978

Executable Activities : 

4)     Persistence : 

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. The adversary is trying to maintain their foothold.

      4.1)   Modifying ASEP Values 



      4.2)   Adding .lnk entry in windows Startup Directory

Command Line : 

cmd /c TIMEOUT /T 50 /NOBREAK && move "C:\Users\Kxxx~1.BRI\AppData\Local\Temp\gvhsjpwqjv" "C:\Users\Kxxx.Bxxxn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Control Panel.lnk"

     4.3)   Adding Log-on script in Group Policy.

GPscript.exe is responsible for triggering logon scripts when you define them in Group Policy. 
  • GPO scripts can be defined for user and started with GPScript.exe /Logon
  • Logon scripts do not show up in Autoruns.exe
  • GPscript.exe is responsible for triggering logon scripts when you define them in Group Policy. 
If you have anything defined in the Group policy (Local group policy – gpedit.msc) under logon scripts it will execute if you supply /logon to the binary. 

Process Execution :



  
GPScript.exe /logon : When you add a script the group policy editor writes to the following registry key location:

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts

Another cool thing that I discovered is that this technique this does not show up in autoruns.
You heard me right, user logon scripts do not show up in autoruns. 


5)    Reconnaissance Commands : 

Attacker was trying to Reconnaissance on network, In addition to several crafted PowerShell commands, the attackers use several legitimate Windows processes to gather information, including nltest.exe, net.exe, ipconfig.exe, whoami.exe, and nslookup.exe. 

executed commands as below:

  • net view /all
  • net view /all /domain
  • nltest /domain_trusts /all_trusts
  • net localgroup administrator
  • net group /domain admins
  • net1 localgroup administrator
  • net1 group /domain admins

How to defend against Trickbot

How to defend against Trickbot it is important to ensure a well-organized, multi-layered cybersecurity program is in place within your organization: 

  • Email and spam filters are critical in the case of Trickbot as this is the initial infection vector.
  • Perform regular updates and system hardening as Trickbot uses known Windows SMB exploits for propagation.
  • Restrict RDP/terminal services on all levels. Enforce best practice secure configuration:
    • limit connections.
    • limit devices redirection.
    • use network-level authentication and limit authentication types.
    • limit RDP groups and RDP user rights assignment authorizations.
  • Give employees regular phishing training and conduct regular awareness programs.
  • Employ strong password policies and use multi-factor authentication, such as Duo.
  • Ensure PowerShell logging and security by limiting and hardening PowerShell usage, logging trusted PowerShell processes and remove remote invoke.
  • Ensure updated EDR Solution placed inside the network like Crowdstrike etc.

I am a security researcher where my expertize includes domains like incident response and investigation, Malware Analysis, Threat Hunting, deception Technology, Brand protection, SIEM configuration, Digital Forensics, Cyber Threat Intelligence, EDR, Network Security, Content Filtering, etc While working I had completed my Masters(2021) in Information security where I published a thesis on “Malware Analysis using machine Learning Ensemble” My goal is to share the knowledge with everyone with technologies, upcoming trends, various platforms and mainly Lock it down, protect it up, and block the hackers.

Comments

Post a Comment

Popular posts from this blog

RTR using Falcon Crowdstrike

By Kunal Patil, Senior Threat Hunter
Image
Real Time Response Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below. In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action. You can also connect to a host from Hosts > Host Management. Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Read more

Top Commands Mostly Used By System Administrator.

By Kunal Patil, Senior Threat Hunter
Image
Top Commands Mostly Used By System Administrator. 1) IPconfig IPCONFIG Simply entering ipconfig at the command line will return basic addressing information for your system, including the adapter name, IP address, subnet mask, and default gateway. 2) IPconfig /all IPCONFIG/ALL Shows all networking information for the system, including host name, node type, adapter names, MAC addresses, DHCP lease information, etc. 3) Ping PING Ping command to verify that a host can be reached over the network. This command is useful for diagnosing host and network connectivity problems. The device sends a series of ICMP echo (ping) requests to a specified host and receives ICMP echo responses. 4) Ping "Website-name" PING TO WEBSITE   This above command used to find the IP address associated with The Specific Website. eg: 10.24.126.25 is the IP address for Website Intranet.indusind.com 5) Tracert "IP address" TRACE COMMAND Tracert comm
Read more

Damn Vulnerable Web Application - Part 1

By Kunal Patil, Senior Threat Hunter
Image
The Damn Vulnerable Web Application (DVWA) provides a PHP/MySQL web application that is damn vulnerable whose goal of being an intentionally vulnerable system for practice/teaching purposes in regard to Information Security.There are many Methods for Installing DVWA on Platforms Like Windows and Linux, In this blog i will show the easiest Walk-through for Beginners to Learn and Exploit Web Application. So let us Start with Installation and Implementation of DVWA. Step By Step Installation 1) Requirement :  Windows system for Managing VM Virtual Box ( Link ) or VMware ( Link ) should be installed on system Kali-ISO ( Link ) DVWA ISO ( Link ) 2) Switch-ON Kali and DVWA virtual machines Both must be in HOST only Adapter (we can change using VM Network setting).  3) After the Installation of Kali and DVWA in VM, find the IP address of DWVA using the Command ifconfig and Check Connectivity between them using ping command. 4) Run Kali machine and DVWA machine Par
Read more

SECURITY OPERATION CENTRE

By Kunal Patil, Senior Threat Hunter
Image
What is SOC?                    Security operations centers monitor and analyze activity on networks, servers, endpoints, databases, applications, websites, and other systems, looking for anomalous activity that could be indicative of a security incident or compromise. The SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended, investigated, and reported. SOC works with collaboration with People, Process and Technology.  SOC Architecture PEOPLE:                  The best way to think of a SOC is as a centralized team of people who provide threat monitoring, investigation, and response.  Larger SOCs employ a three-level analyst structure for handling security alerts generated by a security system or SIEM.  Level 1 analysts are responsible for real-time monitoring of security alerts, doing triage on them, and deciding whether an alert is serious enough to be escalated to a Level 2 analyst.  Level 1 analysts se
Read more

Cyber Threat Intelligence

By Kunal Patil, Senior Threat Hunter
Image
Gartner Definition:   Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.  To understand this term easily lets split the words and bring out meaning to it :  Cyber :  relating to or characteristic of the culture of computers, information technology, and virtual reality. Threat :  thing likely to cause damage or danger. Intelligence :  the ability to acquire and apply knowledge and skills.                 Cyber Threat intelligence helps Organisation to understands the risk of most common External threats. T hreat intelligence includes in-depth information about specific threats to help an organization protect itself from the types of attacks that could do them the most damage.  One of the proven methods to stay on top of attacks is to detect and
Read more

Collective Intelligence Framework v3 - Part 1

By Kunal Patil, Senior Threat Hunter
Image
Basic About CTI Cyber Threat intelligence(CTI) is a Technology which helps an Organization to collect and Analyze threat data received from multiple resources. Cyber threat intelligence is an automation process where it accumulate data from various external resources (such as FEEDS) and recognize the threats suitable for the Organization. By importing the Data from CTI, the next step is to exporting the CTI data into Existing Security systems. Collective intelligence Framework is an underlying Structure of CTI which helps any organization to gather all Threat Data at one place. In this blog we are discussing how to Install Collective Intelligence Framework v3 (Bearded Avenger) into security structure. Details Information About CIF you will found at : csirtgadgets Basic Requirements for Bearded Avenger CIF v3 : OS: Ubuntu 16 LTS,  x64 RAM: 16GB Cores: 4 (As Sqlite, ElasticSearch, CIF-Router among other apps would be running on same instance) HDD Capacity: 100GB
Read more

Top 20 Subdomains Search Engines

By Kunal Patil, Senior Threat Hunter
Image
Whats is Domain?  An organization shares a common suffix as Domain names which is controlled by that Organization or individual. What is Subdomains? Basically Subdomains are subdivisions of Domain. Why it is required? Subdomains are second website, which have its own unique content and makes hosting manageable and easy to organize.         Every second Organization Consists of various Subdomains as per their Requirements, I listed few Subdomains Search Engines, list is below :  Google Search - Online Search Censys - Online Search Pentest-Tools - Online Search DNS Dumpster - Online Search Netcraft - Online Search CloudPiercer - Online Search Detectify - Online Search VirusTotal - Online Search Pkey - Online Search Crt.sh - Online Search Sublist3r - GitHub repository DNScan - GitHub Repository Knock - GitHub Repository SubBrute - GitHub Repository Nmap - GitHub Repository Gobuster - GitHub Repository Fierce - Bydefault in Kali DNS
Read more

Collective Intelligence Framework v3 - Part 2

By Kunal Patil, Senior Threat Hunter
Image
In Previous blog we learned how to setup CIFv3, in this section we will discuss how to integrate data and filter the Resulted Data by-passing different parameters to it. We might have question that what happens exactly after hitting cif command or how cifv3 fetches feeds from external resources. well in this blog i will cover every details of CIFv3 but before that lets study few terminologies to understands the implementation of this Project. CIFv3 uses few Terminologies like : 1) TLP TLP stands for Traffic Light Protocol originally created by UK government for the Purpose of sharing of sensitive data. There are four colors in TLP (same like traffic lights) : RED - Not for disclosure, restricted to participants only AMBER - Limited disclosure, restricted within own organisation and clients or customers. GREEN -  Limited disclosure, restricted to the community but not via public channels WHITE - Disclosure is not limited 2) Timestamps CIF supports three Times
Read more

Security Architecture for Startup

By Kunal Patil, Senior Threat Hunter
Image
           Security Architecture is the design artifacts that describes how the security controls are positioned and how they relate to the overall systems architecture. These controls serve the Purpose to maintain the system's quality attributes such as confidentiality, integrity and availability. Following is the 10 steps plan required to build Security Architecture For Startup :   Pick Your battle  Establish a security culture  Pick security platform  Upgrade your software  Physical security  Control the internal network  Secure coding  Protect devices against malware  Perform security audits  BYOD Policies Pick Your Battle You can't secure everything, Quantify the monetory damage, likelyhood and mitigation cost of each threat to prioritize time and resource. Below are the list of threats which can taken into consideration as per Goal of the Industry (Budget + Risks). Establish a Security Culture Show Your team that Security is Important Factor
Read more