Simulating Tricky Malware - Trickbot

Trickbot is a nasty and highly advanced malware family used for many different malicious objectives. Originally a banking Trojan, Trickbot has more recently become a delivery mechanism for anything from a remote access trojan (RAT), crypto-mining, and intellectual property and data exfiltration to ransomware (see the CISA Alert). With our December Threat Simulator Endpoint update, we have included a detailed Trickbot Assessment. With this new Assessment, you can safely simulate Trickbot and determine your preparedness should you be hit with Trickbot or similar malware. Read on to learn how this crafty and malicious threat compromises a network. We will publish more details in future blogs. If you want to know more now, you can sign up for a free trial of Threat Simulator, where you can read the details of the Assessment and learn how effective your security defenses are against Trickbot and many other threats impacting the cyber world.

Tricky Compromise Part 1 – Delivering a “Maldoc”

The diagram above shows the flow of an incoming email (it could just as well be a file download over HTTP) carrying a Microsoft Word document; this is known as a “Maldoc”. The end user is tricked, or phished, into believing that the document is safe to open. Once it is opened the chain begins, and the user is oblivious to the events that transpire behind the scenes as Trickbot plants itself firmly on the system. Most would think that their anti-virus software would have identified the Word document as malicious, and most would be wrong: neither the Word document nor the Excel execution that follows gets identified as malicious. Some would argue that they are not malicious in themselves, since they do not perform the malicious actions; they do, however, download the packages that do. In short, as of this blog, you should not expect anti-virus software to stop Maldocs. This matters because most people expect anti-virus to prevent these Maldocs from being delivered, and it does not. Another case for security defense in depth.

One additional tidbit about the Maldoc: Trickbot attempts to avoid sandbox technologies by only activating its macro when the Word document is closed. If someone tries to detonate the Word document, nothing happens until the document is closed, and this evades most automated sandboxes because they open the document but never close it.
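To make the close-only trigger concrete, here is an added example (not code from the original post or from the Threat Simulator Assessment) that performs static triage on macro source text, such as what a VBA extractor produces: it lists the auto-exec procedures a document defines, records whether Word fires them on open or on close, and checks for the directory creation, .vbe drop, Excel.Application COM object, DDE and cmd.exe patterns that appear in the Assessment steps. SAMPLE_VBA is a constructed stand-in and is not Trickbot's macro; the regexes, the AUTOEXEC table and the sandbox_plan() helper are this example's own.

```python
"""Static triage of VBA macro source for close-triggered execution and the
COM/DDE patterns used in the Trickbot maldoc chain.

SAMPLE_VBA is constructed for illustration (it is not Trickbot's macro). The
logic runs on plain macro source text as extracted by tools such as olevba.
"""
import re

# Auto-exec procedure names and the document event that fires each of them.
AUTOEXEC = {
    "autoopen": "open", "document_open": "open", "workbook_open": "open", "auto_open": "open",
    "autoclose": "close", "document_close": "close", "workbook_beforeclose": "close", "auto_close": "close",
}

# Behaviours corresponding to steps 5-10 of the Assessment, as regexes over macro source.
INDICATORS = {
    "creates_directory": re.compile(r"\bMkDir\b", re.I),
    "writes_vbe_file": re.compile(r'\.vbe"', re.I),
    "excel_com_object": re.compile(r'CreateObject\s*\(\s*"Excel\.Application"', re.I),
    "excel_dde": re.compile(r"\.DDE(?:Initiate|Execute)\s*\(", re.I),
    "cmd_shell": re.compile(r"\bcmd(?:\.exe)?\b.{0,8}/c\b", re.I),
}

# Matches "Private Sub Name(" / "Function Name(" at the start of a line.
PROC_DEF = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)

# Constructed sample: the macro only runs when the document is closed.
SAMPLE_VBA = r'''
Private Sub Document_Close()
    Dim base As String
    base = Environ("APPDATA") & "\cache"
    MkDir base
    Open base & "\upd.vbe" For Output As #1
    Print #1, ActiveDocument.Variables("blob").Value
    Close #1
    Set xl = CreateObject("Excel.Application")
    xl.Visible = False
    chan = xl.DDEInitiate("cmd", "/c cscript //nologo " & base & "\upd.vbe")
    xl.DDETerminate chan
End Sub
'''


def triage(vba_src):
    """Return the auto-exec triggers, matched indicators and the set of events that fire the macro."""
    triggers = {}
    for name in PROC_DEF.findall(vba_src):
        event = AUTOEXEC.get(name.lower())   # VBA names are case-insensitive
        if event:
            triggers[name] = event
    indicators = [key for key, rx in INDICATORS.items() if rx.search(vba_src)]
    return {"triggers": triggers, "indicators": indicators, "fires_on": set(triggers.values())}


def sandbox_plan(report):
    """What a detonation harness must do for this macro to execute at all."""
    fires = report["fires_on"]
    if fires == {"close"}:
        return "open, wait, then CLOSE the document (close-only trigger)"
    if "open" in fires:
        return "open the document"
    return "no auto-exec trigger found; look for Form/Shape event handlers"


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    print("triggers:  ", report["triggers"])
    print("indicators:", report["indicators"])
    print("sandbox:   ", sandbox_plan(report))
```

The point of sandbox_plan() is the one the paragraph makes: a harness that opens the sample, waits, and kills the process never sees the close event, so the Document_Close path has to be driven explicitly before any of the indicators would show up dynamically.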

Tricky Part 2 – Use of Trusted System Applications

Another tricky aspect of Trickbot is how it uses trusted Windows applications to execute and evade security controls. Looking back at the diagram, at the far bottom right, you see that “wermgr.exe” is used for external communications. This binary, “wermgr.exe”, is the Windows Error Reporting Manager, which sends operating system crash and bug reports to Microsoft. Here it is used for communications with the Trickbot command and control infrastructure. The trickiest part of all: the “wermgr.exe” binary on disk is never modified. Everything happens in the memory of a running wermgr.exe process, so file hashes and signature checks on the binary come back clean, and to a casual observer it looks like the legitimate error reporting process.

A lot goes on between the download, opening, and closing of the Word document and the “wermgr.exe” communications with Trickbot command and control. The part that lets Trickbot make “wermgr.exe” perform its dirty deeds is code injection; the Assessment steps below exercise the specific variants Trickbot uses, Dynamic-Link Library (DLL) injection by reflective loading and process hollowing of a new wermgr.exe process. The nature of a DLL is to be dynamic, allowing executable programs to stay small and load functions as needed, and malware abuses that same mechanism to load its own code into a process that was never meant to host it. Trickbot, and many other malware families, take full advantage of this technique; it is not new, but it is tricky!

Comprehensive Trickbot Simulation

In the Threat Simulator Assessment, you will find forty endpoint activities simulating the chain of behaviors Trickbot performs on a system. They are listed here:

  1. Simulates a user downloading a Word document (.doc) with a web browser.
  2. Simulates a user opening the Word document (.doc).
  3. Entices the user to accept the security prompt to enable macros.
  4. Simulates the user closing the Word document, triggering execution of the Document_Close event macro procedure.
  5. Creates a directory from a VBA macro.
  6. Writes a VBScript Encoded (.vbe) file to disk from a VBA macro.
  7. Creates an Excel.Application COM object from Word.
  8. Executes an Excel DDE command via COM from Word.
  9. Uses the Windows Command Shell (cmd.exe) to execute a file.
  10. Executes the VBScript Encoded (.vbe) file.
  11. Carries data encoded with two layers of Base64 in the VBScript file.
  12. Obfuscates VBScript strings with Chr() in the VBScript file.
  13. Creates a Microsoft.XMLDOM COM object from wscript.exe.
  14. Decodes Base64 data using Microsoft.XMLDOM from wscript.exe.
  15. Creates an ADODB.Stream COM object from wscript.exe.
  16. Writes a DLL to disk using ADODB.Stream from wscript.exe.
  17. Creates an Excel.Application COM object from wscript.exe.
  18. Executes an Excel DDE command via COM from wscript.exe.
  19. Uses the Windows Command Shell (cmd.exe) to create a process.
  20. Executes the DLL using rundll32.exe.
  21. Stores encrypted data in the resources (.rsrc) section.
  22. Obfuscates API function name strings by fragmenting the strings.
  23. Obfuscates API function name strings by fragmenting the strings.
  24. Performs run-time dynamic linking.
  25. Performs run-time dynamic linking.
  26. Accesses a resource using LdrFindResource_U and LdrAccessResource.
  27. Allocates memory with execute, read, and write permissions using VirtualAlloc.
  28. Decrypts shellcode using an XOR-based algorithm.
  29. Loads a DLL from memory using reflective loading.
  30. Loads a DLL from memory using reflective loading.
  31. Loads a DLL from memory using reflective loading.
  32. Delays execution using the SetTimer Win32 API function.
  33. Allocates memory with execute, read, and write permissions using VirtualAlloc.
  34. Decrypts shellcode using an XOR-based algorithm.
  35. Executes shellcode using the CreateThread Win32 API function.
  36. Self-decrypts shellcode while the shellcode is running.
  37. Bypasses user-land hooks by invoking syscalls directly.
  38. Injects code into a new wermgr.exe process using the process hollowing technique.
  39. Reaches out to command and control servers over HTTPS.
  40. Uses HTTPS over an alternate port.
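As an added example, not part of the original post or of the Assessment, the following Python correlates the process and network steps above over a constructed set of Sysmon-style events (Event ID 1 ProcessCreate and Event ID 3 NetworkConnect, reduced to the fields the rules need); the PIDs, paths, destination addresses and port number are invented. The rules fire on local parent/child pairs and per-process context rather than on a full chain back to winword.exe, because steps 7 and 17 create Excel through out-of-process COM, which makes excel.exe a child of the DCOM service host instead of Word; the rule names and the WERMGR_NORMAL_PARENTS list are this example's own assumptions.

```python
"""Correlating endpoint telemetry over the Trickbot execution chain listed above.

EVENTS is a constructed set of Sysmon-style records (Event ID 1 ProcessCreate,
Event ID 3 NetworkConnect) reduced to the fields the rules need. PIDs, paths,
addresses and the port number are made up for this example.
"""

OFFICE = {"winword.exe", "excel.exe"}
LOLBINS = {"cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
# Assumption: wermgr.exe is normally started by the WER service host or by WerFault.
WERMGR_NORMAL_PARENTS = {"svchost.exe", "werfault.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

EVENTS = [
    {"id": 1, "pid": 4, "ppid": 0, "image": "system", "cmdline": ""},
    {"id": 1, "pid": 50, "ppid": 4, "image": "svchost.exe", "cmdline": "svchost.exe -k DcomLaunch"},
    {"id": 1, "pid": 100, "ppid": 4, "image": "explorer.exe", "cmdline": "explorer.exe"},
    # step 2: the user opens the maldoc
    {"id": 1, "pid": 200, "ppid": 100, "image": "winword.exe", "cmdline": 'winword.exe "invoice.doc"'},
    # step 7: CreateObject("Excel.Application") is out-of-process COM, so DCOM starts
    # excel.exe under svchost.exe; the parent chain back to Word is broken here
    {"id": 1, "pid": 210, "ppid": 50, "image": "excel.exe", "cmdline": "excel.exe -Embedding"},
    # steps 8-10: DDE from Excel runs cmd.exe, which launches the dropped .vbe
    {"id": 1, "pid": 220, "ppid": 210, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\AppData\\Roaming\\cache\\upd.vbe"'},
    {"id": 1, "pid": 230, "ppid": 220, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\AppData\\Roaming\\cache\\upd.vbe"'},
    # steps 17-20: a second Excel COM object, DDE to cmd.exe, rundll32 loads the dropped DLL
    {"id": 1, "pid": 240, "ppid": 50, "image": "excel.exe", "cmdline": "excel.exe -Embedding"},
    {"id": 1, "pid": 250, "ppid": 240, "image": "cmd.exe",
     "cmdline": "cmd.exe /c rundll32 C:\\Users\\u\\AppData\\Roaming\\cache\\upd.dll,#1"},
    {"id": 1, "pid": 260, "ppid": 250, "image": "rundll32.exe",
     "cmdline": "rundll32 C:\\Users\\u\\AppData\\Roaming\\cache\\upd.dll,#1"},
    # steps 38-40: a new wermgr.exe is hollowed and beacons over HTTPS on an alternate port
    {"id": 1, "pid": 270, "ppid": 260, "image": "wermgr.exe", "cmdline": "wermgr.exe"},
    {"id": 3, "pid": 270, "image": "wermgr.exe", "dst": "203.0.113.10", "dport": 8443},
    # a legitimate WER upload for contrast: started by the service host, talks to 443
    {"id": 1, "pid": 300, "ppid": 50, "image": "wermgr.exe", "cmdline": "wermgr.exe -upload"},
    {"id": 3, "pid": 300, "image": "wermgr.exe", "dst": "203.0.113.20", "dport": 443},
]


def ancestry(events, pid):
    """Image names from pid up to the root, as far as the telemetry allows."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def correlate(events):
    """Return (rule, pid) alerts. Rules key on local parent/child pairs and on
    per-process context rather than on a full chain back to Word, because the
    COM activation above would otherwise hide the Excel and cmd.exe steps."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}

    def parent_image(pid):
        return procs.get(pid, {}).get("image", "").lower()

    suspicious_wermgr = set()
    alerts = []
    for e in events:
        img = e["image"].lower()
        if e["id"] == 1:
            parent = parent_image(e["ppid"])
            cmd = e.get("cmdline", "").lower()
            if parent in OFFICE and img in LOLBINS:
                alerts.append(("office_spawns_lolbin", e["pid"]))
            if img == "rundll32.exe" and any(d in cmd for d in USER_WRITABLE):
                alerts.append(("rundll32_loads_user_dir_dll", e["pid"]))
            if img == "wermgr.exe" and parent not in WERMGR_NORMAL_PARENTS:
                alerts.append(("wermgr_unusual_parent", e["pid"]))
                suspicious_wermgr.add(e["pid"])
        elif e["id"] == 3 and img == "wermgr.exe":
            # step 40: HTTPS on a non-standard port, or any traffic from a
            # wermgr.exe that was already flagged for its parent
            if e["dport"] not in (80, 443) or e["pid"] in suspicious_wermgr:
                alerts.append(("wermgr_network_c2", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in correlate(EVENTS):
        print(f"{rule:28s} pid={pid}  chain={' <- '.join(ancestry(EVENTS, pid))}")
```

Running it prints the hollowed wermgr.exe's ancestry as wermgr.exe <- rundll32.exe <- cmd.exe <- excel.exe <- svchost.exe <- system, with no winword.exe in sight; that is why the rules look at each Office-to-LOLBin hop on its own instead of demanding the whole chain, and why the benign wermgr.exe upload under the service host produces no alert.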

Nowhere other than in Threat Simulator can you find as comprehensive a Breach and Attack Simulation driven by real-world threat intelligence from the Application and Threat Intelligence Research Center.