
McAfee Labs Threat Advisory Trojan-Trickbot

October 9, 2019

McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html.

Summary
Trojan-Trickbot is the detection name for a banking trojan that targets a wide array of international banks. It is capable of web injection, credential harvesting, and distributing other malware. Once a system is infected, it decrypts and downloads several modules. Each module has a specific task, such as establishing persistence, propagation, or credential theft. Detailed information about the threat, its propagation, characteristics and mitigation is in the following sections:

• Infection and Propagation Vectors
• Mitigation
• Characteristics and Symptoms
• Restart Mechanism
• Remediation
• McAfee Foundstone Services

The minimum DAT versions required for detection are:

Detection Name    MD5 of samples                     DAT Version   Date
Trojan-Trickbot   FD0E919939AB5F6293F7E276A1F2D087   3850          03-10-2019
Trojan-Trickbot   570D3E2882982ED179FD1D1016C16F16   3850          03-10-2019
Trojan-Trickbot   F0FA3705BA8A508EDDD3AF859B757C8E   3850          03-10-2019

The Threat Intelligence Library contains the date that the above signatures were most recently updated. Please review the Threat Library for the most up-to-date coverage information.

Infection and Propagation Vectors
Trickbot spreads through malicious spam campaigns and malicious document attachments. Once Trickbot is installed on a system, it spreads across the network by exploiting the EternalBlue SMBv1 vulnerability (addressed by MS17-010).


Mitigation
Mitigating the threat at multiple levels, such as file, registry, and URL, can be achieved at various layers of McAfee products. Browse the product guidelines available here to mitigate the threat based on the behavior described below in the Characteristics and Symptoms section. Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise:

• How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console
• How to use wildcards when creating exclusions in VirusScan Enterprise 8.x

Trickbot usually creates the folder %AppData%\cloudapp and copies itself into it under a random name, for example:

• %AppData%\cloudapp\FontProp1.exe

Users can configure and test Access Protection rules to restrict the creation of new files and folders in this location when it has no other legitimate use. Select "New files being created" and add the following locations in "File or folder name to block" (%AppData% resolves to the Roaming folder under the user's profile):

• [OS installed drive]\Users\[username]\AppData\Roaming\CloudApp\
• [OS installed drive]\Users\[username]\AppData\Roaming\CloudApp\*.exe

File/Folder Access Protection rule for VSE:

1) VirusScan Console -> Access Protection -> User-Defined Rules -> New


2) Enter Rule Name, Process to include, File or Folder to block, File action to prevent, as shown below:

3) After you have saved your rule, select Block and Report or Report, as required, and Apply.


McAfee also recommends that you select the following:

1) Antivirus Standard Protection -> Prevent remote creation/modification of executable and configuration files

2) Antivirus outbreak control -> Make all shares read-only


McAfee Endpoint Security
Mitigation methods for assorted malware are available in the following product guide. Any specific mitigation steps, if necessary, are described later in this advisory.
http://b2b-download.mcafee.com/products/evaluation/Endpoint_Security/Evaluation/ens_1000_help_0-00_en-us.pdf

ePO
• To block access to USB drives through an ePO DLP policy, refer to this tutorial.

ENS 10.x
• Refer to article KB86577 to create an Endpoint Security Threat Prevention user-defined Access Protection rule for a file, folder or registry key.

VSE
• Refer to article KB53346 to use Access Protection policies in VirusScan Enterprise to protect against viruses that can disable regedit.
• Refer to article KB53355 to use Access Protection policies in VirusScan Enterprise to protect against viruses that can disable Task Manager.
• Refer to article KB53356 to use Access Protection policies in VirusScan Enterprise to prevent malware from changing folder options.

HIPS
• To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
• To create application blocking rules policies that prevent the binary from running, refer to KB71794.
• To create application blocking rules policies that prevent a specific executable from hooking any other executable, refer to KB71794.

MRI
• To download and install McAfee Ransomware Interceptor, refer to McAfee Free Tools.

Others
• To disable the Autorun feature on Windows remotely using Windows Group Policies, refer to this article from Microsoft.

Characteristics and Symptoms
On execution, Trickbot creates the folder %AppData%\cloudapp and copies itself into it. Alongside the self-copy it drops its configuration file, Settings.ini, in the same folder. Settings.ini consists mostly of junk data; the actual Trickbot configuration is hidden within it. Trickbot also creates the sub-folder %AppData%\cloudapp\data, into which the further payloads and their configuration files are downloaded from the C&C server.

Fig-1. Trickbot path

A scheduled task is created for the dropped self-copy of the Trickbot executable shown in Fig-1; the self-copy runs whenever the task is triggered.

Following is the scheduled task for Trickbot:

Fig-2. Trickbot scheduled task

The scheduled task contains multiple triggers for the Trickbot executable.

Fig-3. Trickbot scheduled task triggers.

Fig-4. Trickbot scheduled task action.


Once the dropped Trickbot sample is executed, it checks the machine architecture. On a 32-bit machine, it decrypts an embedded blob containing 32-bit shellcode and the IP addresses of the C&C servers, and starts communicating with them. On a 64-bit machine, it decrypts 64-bit shellcode and injects it into a newly spawned svchost.exe (%System32%\svchost.exe) using process hollowing. Because the main Trickbot executable is a 32-bit binary, injecting 64-bit shellcode into a 64-bit process and executing it is achieved with the well-known “Heaven’s Gate” technique (a far call that switches the thread from 32-bit to 64-bit mode under WOW64). After injection, Trickbot starts communicating with the C&C servers. The figure below shows Trickbot’s communication with its C&C.

Fig-5. Trickbot C&C Communication

Below are the IP addresses found to be contacted by Trickbot:

Fig-6. Trickbot C&C IP-Addresses

Once communication with the C&C is established, Trickbot downloads the final payloads, 32-bit or 64-bit depending on the infected system’s architecture, into the %AppData%\cloudapp\data folder along with related configuration files. All downloaded payloads and configuration files are AES encrypted on disk. The payloads are decrypted in memory and injected into new svchost.exe processes using process hollowing.


The following images show the AES encrypted downloaded payloads in 32-bit and 64-bit architecture:

Fig-7 Payload 64-bit

Fig-8 Payload 32-bit

The below image shows the decrypted config file that contains a list of further IP addresses where the stolen information will be posted by the payloads:

Fig-9 Decrypted dpost config file


The payloads are decrypted in memory by the main Trickbot executable and injected into new svchost.exe processes, one payload per svchost.exe, all of them children of the main Trickbot process. The malicious svchost.exe processes have their current directory set to the installation path of the Trickbot executable, as shown below:

Fig-10 Malicious svchost.exe
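The parent and working-directory symptoms described above lend themselves to a simple process-creation triage. The following is an added example, not code from the advisory: it runs over a constructed, Sysmon Event ID 1 style set of process-creation records (the user name, PIDs and paths are made up) and flags svchost.exe instances that were not started by services.exe, svchost.exe instances whose working directory is the %AppData%\Roaming\cloudapp drop folder, and any process whose image or parent image lives in that folder.

```python
"""
Process-creation triage for the svchost.exe symptoms this advisory describes:
svchost.exe spawned by something other than services.exe, svchost.exe running
with its working directory set to the Trickbot drop folder, and anything
executing from or spawned by that folder.

Added example, not code from the McAfee advisory. The records below are a
constructed, Sysmon Event ID 1 style "Field: value" sample; the user name,
PIDs and paths are made up.
"""
import re
from typing import Dict, List, Tuple

# Four constructed events: a normal svchost.exe, a svchost.exe hollowed by the
# self-copy, a services.exe-started svchost.exe with the drop folder as its
# working directory, and the self-copy itself launched from the drop folder.
SAMPLE_EVENTS = """\
ProcessId: 812
Image: C:\\Windows\\System32\\svchost.exe
CurrentDirectory: C:\\Windows\\system32\\
ParentProcessId: 640
ParentImage: C:\\Windows\\System32\\services.exe

ProcessId: 4120
Image: C:\\Windows\\System32\\svchost.exe
CurrentDirectory: C:\\Users\\alice\\AppData\\Roaming\\cloudapp\\
ParentProcessId: 3988
ParentImage: C:\\Users\\alice\\AppData\\Roaming\\cloudapp\\FontProp1.exe

ProcessId: 4200
Image: C:\\Windows\\System32\\svchost.exe
CurrentDirectory: C:\\Users\\alice\\AppData\\Roaming\\cloudapp\\
ParentProcessId: 640
ParentImage: C:\\Windows\\System32\\services.exe

ProcessId: 5000
Image: C:\\Users\\alice\\AppData\\Roaming\\cloudapp\\FontProp1.exe
CurrentDirectory: C:\\Users\\alice\\AppData\\Roaming\\cloudapp\\
ParentProcessId: 1234
ParentImage: C:\\Windows\\System32\\svchost.exe
"""

# The drop folder from the advisory, matched case-insensitively inside any path.
CLOUDAPP_DIR = re.compile(r"\\appdata\\roaming\\cloudapp(?:\\|$)", re.IGNORECASE)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated 'Field: value' blocks into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; values contain 'C:'
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every event that matches at least one rule."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cwd = ev.get("CurrentDirectory", "")
        reasons = []
        if basename(image) == "svchost.exe":
            if basename(parent) != "services.exe":
                reasons.append(f"svchost.exe not started by services.exe (parent: {parent})")
            if CLOUDAPP_DIR.search(cwd):
                reasons.append(f"svchost.exe working directory is the drop folder: {cwd}")
        if CLOUDAPP_DIR.search(image) or CLOUDAPP_DIR.search(parent):
            reasons.append("image or parent image lives in the Trickbot drop folder")
        if reasons:
            hits.append((int(ev["ProcessId"]), reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in triage(parse_events(SAMPLE_EVENTS)):
        print(pid, *reasons, sep="\n  ")
```

Legitimate svchost.exe instances are started by services.exe, so the parent check on its own is a useful but noisy heuristic; the working-directory and drop-folder checks are the specific indicators this advisory describes. To run the same logic over real Sysmon Event ID 1 data, extract the same five fields from each event.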

Trickbot downloads several payloads, each with different capabilities:

1. importDll64 / importDll32: Steals browser data such as cookies, browser configuration and history.
2. mshareDll64 / mshareDll32: Lateral movement module; uses SMB exploits, and LDAP for file and data enumeration.
3. mwormDll64 / mwormDll32: Lateral movement module; uses SMB exploits, and LDAP for file and data enumeration.
4. psfin64 / psfin32: Point-of-sale module that steals financial details.
5. pwgrab64 / pwgrab32: Steals credentials and autofill data from browsers and other applications such as Outlook.
6. systeminfo64 / systeminfo32: Collects system information and sends it to the C&C server.
7. tabDll64 / tabDll32: Steals credentials and sometimes contains code for lateral movement.


Trickbot payload hashes:

Payload         Hash (MD5)
importDll32     88384BA81A89F8000A124189ED69AF5C
importDll64     B6C58EFF64E385312926AE27CBF14ED8
mshareDll32     34C4B4165A2B235E2CFC7ED93428F3BF
mshareDll64     75E7D23FD4930C5E0E1EAD501D08DBAD
mwormDll32      8C0EC2C28540AE1913B82DD3CCFC44D1
mwormDll64      BBBEE47857E597FF0B61794806A4FB40
psfin32         4FCE2DA754C9A1AC06AD11A46D215D23
psfin64         B2B50FE0B5CFCF6ADA8289C9317FA984
pwgrab32        C5E73D734B5B6C77F1AFD26EBDB9522E
pwgrab64        7FAA8D17A9B7517E95725F8844C18292
systeminfo32    1451F98AEE7C17E0E12A95014CCA1432
systeminfo64    7564798CEA8EEAAC51F500F316F212A4
tabDll32        4B63526870EE0767F36DD343C3282D2D
tabDll64        B91514BA9C7AED9D8A2C2625585CEEE4

Restart Mechanism
Trickbot adds a scheduled task to ensure that it runs again after a system reboot. The task is created for the Trickbot sample dropped in “%appdata%\cloudapp\” and has the following two triggers:

1. At startup
2. One time (to execute the dropped sample for the first time)

The “At startup” trigger ensures Trickbot execution after reboot.
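The drop-folder layout described under Characteristics and Symptoms and the scheduled task described here can be checked together on a host. The following is an added example, not code from the advisory: the task XML, user name, file names and file contents are constructed, and only the MD5 values in IOC_MD5 come from this advisory's tables. It parses a Task Scheduler export (the format produced by `schtasks /query /xml`) for a boot trigger whose action runs from the cloudapp folder, and sweeps a %AppData%\Roaming\cloudapp tree for the self-copy, Settings.ini, the data\ sub-folder and IOC hash matches.

```python
"""
Host-side checks for the two persistence artefacts this advisory describes:
the %AppData%\\Roaming\\cloudapp drop folder (self-copy, Settings.ini, data\\)
and the scheduled task that re-launches the self-copy at boot.

Added example, not code from the McAfee advisory. The task XML, user name,
file names and file contents are constructed; only the MD5 values in
IOC_MD5 come from the advisory's tables.
"""
import hashlib
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Drop folder, whether the path is expanded or still written with %AppData%.
CLOUDAPP_DIR = re.compile(r"(?:%appdata%|\\appdata\\roaming)\\cloudapp(?:\\|$)", re.IGNORECASE)

# Dropper and module MD5s from the detection and payload-hash tables above.
IOC_MD5 = {h.lower() for h in """
FD0E919939AB5F6293F7E276A1F2D087 570D3E2882982ED179FD1D1016C16F16 F0FA3705BA8A508EDDD3AF859B757C8E
88384BA81A89F8000A124189ED69AF5C B6C58EFF64E385312926AE27CBF14ED8 34C4B4165A2B235E2CFC7ED93428F3BF
75E7D23FD4930C5E0E1EAD501D08DBAD 8C0EC2C28540AE1913B82DD3CCFC44D1 BBBEE47857E597FF0B61794806A4FB40
4FCE2DA754C9A1AC06AD11A46D215D23 B2B50FE0B5CFCF6ADA8289C9317FA984 C5E73D734B5B6C77F1AFD26EBDB9522E
7FAA8D17A9B7517E95725F8844C18292 1451F98AEE7C17E0E12A95014CCA1432 7564798CEA8EEAAC51F500F316F212A4
4B63526870EE0767F36DD343C3282D2D B91514BA9C7AED9D8A2C2625585CEEE4
""".split()}

# Constructed task definition in Task Scheduler export format (schtasks /query /xml):
# a boot trigger plus a one-time trigger, both running the self-copy from the drop folder.
SAMPLE_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <TimeTrigger><StartBoundary>2019-10-01T12:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\cloudapp\\FontProp1.exe</Command></Exec>
  </Actions>
</Task>
"""


def analyse_task_xml(xml_text: str) -> dict:
    """Trigger kinds, executed commands, and whether the task matches the
    Trickbot pattern: a BootTrigger whose command runs from the drop folder."""
    root = ET.fromstring(xml_text)
    triggers = [t.tag.rsplit("}", 1)[-1] for t in root.iterfind("t:Triggers/*", TASK_NS)]
    commands = [(c.text or "").strip() for c in root.iterfind("t:Actions/t:Exec/t:Command", TASK_NS)]
    suspicious = "BootTrigger" in triggers and any(CLOUDAPP_DIR.search(c) for c in commands)
    return {"triggers": triggers, "commands": commands, "suspicious": suspicious}


def md5_hex(data: bytes) -> str:
    # MD5 is used only to match the advisory's IOC list, not as an integrity check.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def sweep_cloudapp(roaming_dir: str, iocs=IOC_MD5) -> dict:
    """Inspect <Roaming>\\cloudapp for the self-copy .exe, Settings.ini,
    the data\\ sub-folder, and any file whose MD5 is a known IOC."""
    root = Path(roaming_dir) / "cloudapp"
    result = {"present": root.is_dir(), "settings_ini": False, "data_dir": False,
              "executables": [], "ioc_hits": []}
    if not result["present"]:
        return result
    result["settings_ini"] = any(p.name.lower() == "settings.ini" for p in root.iterdir())
    result["data_dir"] = (root / "data").is_dir()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.suffix.lower() == ".exe":
            result["executables"].append(p.name)
        digest = md5_hex(p.read_bytes())
        if digest in iocs:
            result["ioc_hits"].append((p.relative_to(root).as_posix(), digest))
    return result


SAMPLE_EXE = b"MZ constructed stand-in for the self-copy, not a real sample\n"


def build_sample_tree(base: str) -> str:
    """Constructed stand-in for %AppData%\\Roaming on an infected host."""
    roaming = Path(base) / "AppData" / "Roaming"
    cloud = roaming / "cloudapp"
    (cloud / "data").mkdir(parents=True)
    (cloud / "FontProp1.exe").write_bytes(SAMPLE_EXE)
    (cloud / "Settings.ini").write_bytes(b"junk " * 64 + b"\n")  # junk-padded config
    (cloud / "data" / "pwgrab64").write_bytes(b"constructed blob\n")  # stands in for an AES-encrypted module
    return str(roaming)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, sweep it, and analyse the task XML.
    The constructed self-copy's MD5 is added to the IOC set only so the match path runs."""
    with tempfile.TemporaryDirectory() as tmp:
        sweep = sweep_cloudapp(build_sample_tree(tmp), iocs=IOC_MD5 | {md5_hex(SAMPLE_EXE)})
    return {"sweep": sweep, "task": analyse_task_xml(SAMPLE_TASK_XML)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Task exports written by schtasks are UTF-16; open them with encoding="utf-16" before passing the text to analyse_task_xml. On a real host call sweep_cloudapp with the user's Roaming folder and the IOC_MD5 set as-is; the demo adds the constructed self-copy's hash only to exercise the match path. Hash matches catch only the exact samples listed in this advisory, while the folder layout and the boot-triggered task catch the behaviour regardless of sample.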

Remediation
• The minimum V2 DAT version required for detection is 9339.
• The minimum V3 DAT version required for detection is 3850.
• Apply the MS17-010 update (see Microsoft’s guidance) to prevent EternalBlue exploitation across the network.

Getting Help from the McAfee Foundstone Services team This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risks and build effective solutions to remediate security vulnerabilities.

You can reach them here: https://www.mcafee.com/enterprise/en-us/services/foundstone-services.html

This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy, relevance, and timeliness of the information and events described; they are subject to change without notice.

Copyright 2019 McAfee, Inc. All rights reserved.