Last Updated: 2020-03-18 01:22:44 UTC
by Brad Duncan (Version: 1)
Trickbot is an information stealer/banking malware that uses modules to perform different functions. With Windows 10, these modules are loaded into memory, and we only see the initial Trickbot binary and a text-based configuration file stored on the infected Windows 10 host.
Access to Trickbot-infected hosts is granted to other criminal groups to distribute other malware like Ryuk ransomware. This sort of follow-up malware has previously been noted in conjunction with Powershell Empire traffic and/or Cobalt Strike activity on a Trickbot-infected host.
But today's diary focuses on one of the distribution methods for the initial Trickbot infection.
Last month on 2020-02-25, I ran across an example of Trickbot (gtag red4) distributed as a Windows DLL file. Normally, I see Trickbot distributed as a Windows EXE. 2020-02-25 was the first time I personally saw Trickbot distributed and made persistent as a DLL.
On Tuesday 2020-03-17, I ran across another example of Trickbot as a DLL. This time, it was gtag red5, and I've documented the occasion in today's ISC diary.
Of note, a Trickbot sample's "gtag" indicates its specific method of distribution. The "red" series gtag has been noted with Trickbot as a DLL file distributed using a JSE downloader. The image below shows a flow chart for my infection on Tuesday 2020-03-17.
Images from the infection
Indicators of Compromise (IoCs)
Traffic from an infected Windows host:
JSE loader traffic:
- 185.216.35[.]10 port 443 - HTTPS/SSL/TLS traffic
Trickbot infection traffic:
- port 80 - api.ipify[.]org - GET / [ip address check by the infected host, not inherently malicious]
- 51.254.164[.]245 port 443 - HTTPS/SSL/TLS traffic
- 146.185.253[.]176 port 447 - HTTPS/SSL/TLS traffic
- 181.129.104[.]139 port 449 - HTTPS/SSL/TLS traffic
- 46.4.167[.]250 port 447 - attempted TCP connections but no response from the server
- 64.44.51[.]113 port 447 - attempted TCP connections but no response from the server
- 203.176.135[.]102 port 8082 - 203.176.135[.]102:8082 - POST /red5/[host name]_[windows version].[32-digit hex string in ASCII]/90
- 203.176.135[.]102 port 8082 - 203.176.135[.]102:8082 - POST /red5/[host name]_[windows version].[32-digit hex string in ASCII]/81/
- 51.89.115[.]101 port 80 - 51.89.115[.]101 - GET /images/cursor.png
- 51.89.115[.]101 port 80 - 51.89.115[.]101 - GET /images/imgpaper.png
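The Trickbot check-in URLs listed above follow a recognizable shape: a POST to a high port whose path is the gtag, then the client ID (host name, Windows version and a 32-character hex string), then a command number. The following is an added example, not part of the diary or the pcap, that runs that pattern as detection logic over a few constructed proxy log lines. The log format (timestamp, client IP, method, destination host:port, URI, status) is an assumption made for the example; the IPs, ports and URI shapes come from the IoCs above, and the host name and hex client ID in the sample lines are made up.

```python
"""Flag Trickbot "red"-series C2 check-ins in constructed proxy log lines.

Assumed (hypothetical) log format, one request per line, whitespace separated:
    <timestamp> <client_ip> <method> <dest_host:port> <uri> <status>
The check-in URI shape follows the diary's IoCs:
    POST /<gtag>/<host name>_<windows version>.<32 hex chars>/<command number>[/]
"""
import re
from typing import Dict, List, Optional

# Trickbot client-ID style path used for POST check-ins.
# gtag examples from this diary: red4, red5, tot698, lib698.
TRICKBOT_CHECKIN = re.compile(
    r"^/(?P<gtag>[a-z]{3}\d{1,4})/"
    r"(?P<host>[^/]+?)_(?P<winver>[^/._]+)\."
    r"(?P<client_id>[0-9A-Fa-f]{32})/"
    r"(?P<cmd>\d+)/?$"
)

# Non-standard ports on which the diary saw Trickbot TLS traffic.
UNUSUAL_TLS_PORTS = {447, 449}

# Constructed sample log: one benign IP check, one TLS session on port 447,
# two gtag red5 check-ins, and one unrelated request that must not match.
SAMPLE_LOG = [
    "2020-03-17T14:01:02Z 10.3.17.101 GET api.ipify.org:80 / 200",
    "2020-03-17T14:01:09Z 10.3.17.101 CONNECT 146.185.253.176:447 - 200",
    "2020-03-17T14:02:11Z 10.3.17.101 POST 203.176.135.102:8082 "
    "/red5/DESKTOP-AB12CD_W10010240.0123456789ABCDEF0123456789ABCDEF/90 200",
    "2020-03-17T14:02:15Z 10.3.17.101 POST 203.176.135.102:8082 "
    "/red5/DESKTOP-AB12CD_W10010240.0123456789ABCDEF0123456789ABCDEF/81/ 200",
    "2020-03-17T14:03:00Z 10.3.17.102 GET www.example.com:443 /index.html 200",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into fields; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, method, dest, uri, status = fields
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {
        "ts": ts,
        "src": src,
        "method": method,
        "dest_host": host,
        "dest_port": int(port),
        "uri": uri,
        "status": status,
    }


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line that matches a Trickbot traffic indicator."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dest = f'{rec["dest_host"]}:{rec["dest_port"]}'
        # Rule 1: the gtag/client-ID/command POST path.
        if rec["method"] == "POST":
            m = TRICKBOT_CHECKIN.match(str(rec["uri"]))
            if m:
                findings.append(
                    {"rule": "trickbot-checkin", "src": rec["src"], "dest": dest, **m.groupdict()}
                )
                continue
        # Rule 2: TLS to the unusual ports seen in this infection.
        if rec["method"] == "CONNECT" and rec["dest_port"] in UNUSUAL_TLS_PORTS:
            findings.append({"rule": "nonstandard-tls-port", "src": rec["src"], "dest": dest})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The first rule is the more durable of the two: the check-in path carries the gtag and the victim's client ID, so a hit also tells you which distribution campaign the sample belongs to and lets you pivot to other hosts reporting the same gtag. The port rule is a weaker, campaign-specific signal and is only worth keeping alongside the path match.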
Malware/artifacts from an infected Windows host
- File size: 270,883 bytes
- File name: Info_17033267714.doc
- File description: Word doc with macro for JSE downloader

- File size: 49 bytes
- File location: C:\netstats\PressTableList.cmd
- File description: CMD script to run PressTableList.jse
- File content: cscript //nologo c:\netstats\PressTableList.jse
- Note: Not malicious by itself

- File size: 356,006 bytes
- File location: C:\netstats\PressTableList.jse
- File description: JSE-style malware downloader

- File size: 636,416 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\d26db78fApo6057.pif
- File location: C:\Users\[username]\AppData\Roaming\ElAts\rzd26db78fApo6057nn.vgy
- File description: DLL file retrieved by the JSE-style downloader; this is Trickbot gtag red5

- File size: 20,541 bytes
- File location: C:\Users\[username]\AppData\Roaming\ElAts\settings.ini
- File description: Configuration/settings file used by Trickbot, with a different file hash and content for each infection. This is not inherently malicious on its own.

- File size: 696,371 bytes
- File location: hxxp://51.89.115[.]101/images/cursor.png
- File description: Follow-up Trickbot EXE (gtag: tot698) returned from URL ending in .png

- File size: 696,371 bytes
- File location: hxxp://51.89.115[.]101/images/imgpaper.png
- File description: Follow-up Trickbot EXE (gtag: lib698) returned from URL ending in .png
A pcap of the infection traffic along with the associated malware can be found here.
brad [at] malware-traffic-analysis.net