In November 2018, we covered a Trickbot variant that came with a password-grabbing module, which allowed it to steal credentials from numerous applications. In January 2019, we saw Trickbot (detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.AD) with new capabilities added to its already extensive bag of tricks. Its authors clearly aren't done updating Trickbot — we recently found a new variant that uses an updated version of the pwgrab module that lets it grab remote application credentials.
Infection Chain
Figure 1. Infection chain for the malware
Technical Analysis
The malware arrives via an email disguised as a tax incentive notification from a major financial services company. This email includes a macro enabled (XLSM) Microsoft Excel spreadsheet attachment (detected as Trojan.W97M.MERETAM.A) that purportedly contains the details of the tax incentive. However, as these attachments usually go, this macro is malicious and will download and deploy Trickbot on the user’s machine once activated.
Figure 2. The spam email containing the malicious macro-enabled attachment.
Figure 3. Screenshot of the attached spreadsheet document
This Trickbot variant is largely similar to the variant we discovered in November. However, the 2019 version adds three new functions, one each for the Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP) platforms.
Figure 4. Comparison of the pwgrab modules from November 2018 (top) and January 2019 (bottom). Note the added functions in the code.
Figure 5. C&C traffic with the RDP credentials being sent.
One of the techniques enforced by these new functions encrypts the strings it uses via simple variants of XOR or SUB routines.
Figure 6. XOR routine (top) and SUB routine (bottom) string encryption.
It also makes use of API hashes for indirect API calling, which was prominently attributed to the Carberp trojan source code leak from 2013.
Figure 7. API hashing artifact from the Carberp Source Code.
VNC
To grab VNC credentials, the pwgrab module searches for files using the “*.vnc.lnk” affix that are located in the following directories:
- %APPDATA%\Microsoft\Windows\Recent
- %USERPROFILE%\Documents, %USERPROFILE%\Downloads
The stolen information includes the target machine's hostname, port, and the proxy settings.
Figure 8. Screenshot of how pwgrab locates “.vnc.lnk” files on the %USERPROFILE%\Downloads directory.
The module will send the required data via POST, which is configured through a downloaded configuration file using the filename “dpost.” This file contains a list of command-and-control (C&C) servers that will receive the exfiltrated data from the victim.
Figure 9. Stolen Information being exfiltrated to the C&C server.
PuTTY
To retrieve the PuTTY credentials, it queries the registry key Software\SimonTatham\Putty\Sessions to identify the saved connection settings, which allows the module to retrieve information such as the Hostname and Username, and Private Key Files used for authentication.
Figure 10. Registry traversal for Putty data exfiltration (left), code showing hostname, username and Private Key Files (right).
RDP
Its third function related to RDP uses the CredEnumerateA API to identify and steal saved credentials. It then parses the string “target=TERMSRV” to identify the hostname, username, and password saved per RDP credential.
Recommendations
These new additions to the already “tricky” Trickbot show one strategy that many authors use to improve the capabilities of their creations: gradual evolution of existing malware. While this new variant is not groundbreaking in terms of what it can do, it proves that the groups or individuals behind Trickbot are not resting on their laurels and continuously improve it, making an already-dangerous malware even more effective.
Fortunately, users can nip these attacks in the bud simply by following the best practices against spam. This includes being aware of the main characteristics of a spam email, such as a suspicious sender address and multiple grammatical errors. We also recommended that users refrain from opening email attachments unless they are sure that it is from a legitimate source.
Trend Micro solutions
The following Trend Micro solutions, powered by XGen™ security, protect systems from all types of threats, including malware such as Trickbot:
- Trend Micro™ Security
- Smart Protection Suites and Worry-Free™ Business Security
- Trend Micro Network Defense
Indicators of Compromise (IOCs)
Trickbot (Detected as TrojanSpy.Win32.TRICKBOT.AZ)
- 374ef83de2b254c4970b830bb93a1dd79955945d24b824a0b35636e14355fe05
Trickbot (Detected as Trojan.Win32.MERETAM.AD)
- Fcfb911e57e71174a31eae79433f12c73f72b7e6d088f2f35125cfdf10d2e1af