TrickBot or Treat – Knocking on the Door and Trying to Enter

The FortiGuard SE Team discovered a particularly interesting targeted attack towards the end of August in Virus Total. The attack targeted a supplier for a distribution/logistics provider to a nation state. The email contained an attachment that appeared to have been sent by a company that manufactures and distributes electrical components and other parts, and has likely dealt at least once with the targeted organization via email.

After analyzing its email headers, we were able to determine that the malicious spam “legitimately” came from the actual sender. We say “legitimately” because the malicious spam email came from the actual email account of the user, but without their knowledge or consent. The originating IP address (at the time of publication) was not blacklisted, and appears to have been leased out to a residential user of a major ISP located in the same jurisdiction as the manufacturer’s official place of business.

Of course, this does not in any way implicate the sender as the bad actor behind this malicious email, as it is very likely that the victim’s machine had previously been compromised with Trickbot, which has now incorporated a spamming module. This spamming module harvests the victim’s address book during the course of infection and uses it to compile a list of email addresses to spam new victims, ultimately for self-propagation, data theft, and other malicious activities.

Analysis of the Attack

The targeted email was addressed to the employee in charge of acquisitions/purchasing. Interestingly, the targeted agency also appears to be exercising good email security habits, as shown below in Figure 1. In fact, the email comes with a specific warning that this email originated from outside the agency as an additional failsafe measure to remind users to be vigilant, especially when dealing with links or attachments. 

However, astute observers may recognize that this is actually part of the TrickBot spam, and they would be correct. The TrickBot authors may have gained email access to a legitimate vendor and targeted this agency using expected email standards to make the message seem more legitimate. In this attack, the TrickBot authors took this strategy even one step further in order to stay under the radar by abusing the tried and true method of hiding inside Alternate Data Streams (ADS).

The attached MS Office document contains a malicious macro that creates a script to be executed.

Unknown to the casual observer, as well as the potential victim, the content for the Alternate Data Stream (ADS) is hiding in plain sight within the document.

The authors simply chose to conceal the script by setting the font color to white. The TrickBot authors also obfuscated their JavaScript to the point that it had almost 9800 lines of code. After a combination of manual de-obfuscation and python magic, however, a clearer picture started to emerge.

After cleanup, the script was reduced to about 300 readable lines of code, which also happens to be fault-tolerant, utilizing many try-catch blocks. This script itself also performed its own reconnaissance activities. It used WMI to discover more information about the infected machine, such as the operating system (OS) version and language identifier. It also collected the computer system’s name, manufacturer, model, and current time zone, as well as the names and paths of processes running on the system.

Interestingly, the script also attempted to track processes that were terminated. However, this data was neither logged nor used. We can only surmise that this feature is for future development and may be incorporated at a later time.

Aside from collecting information, the script is also able to delay execution (to possibly avoid automated sandbox analysis) by running through numerous empty loops. It can also enumerate removable and network drives looking for specific filetypes. In this case, it looks for any files with the extensions .doc, .xls, .pdf, .rtf, .txt, .pub, and .odt. If these filetypes are found, the script replaces them with a copy of itself using the same filename, but replaced with a JavaScript extension. This way, it can propagate and infect other host machines inside the network, and possibly even outside, thereby creating further damage.

The script has self-updating capabilities and can also download and execute additional malware. Downloaded files may also be saved inside Alternate Data Streams, such as “in[random(10000)].txt:clause” in the temp directory. As an added step, the script can also check to see if the C2 server responds with custom headers in order to determine where to save downloaded files. In case the downloaded file is an executable, the script will use PowerShell to execute it.

The script then contacts the following C2 server:

       hxxps://185.180[.]199.91/angola/mabutu.php?pi=28h&tan=cezar&z=…&n=…&u=…&an=…

As noted previously by other researchers here and here, this tactic and domain is associated with TrickBot, and is allocated to a Russian webhost. However, the IP address is located in the United States, as is common with upstream resellers of hosting space.

Unfortunately, exhaustive analysis provided us with no useful intel from which we could glean information in order to attribute this latest attack to a known threat actor. We can only assume that the lack of information surrounding the IP address used by the attacker as a C2 highlights that this is a new campaign, as the infrastructure has not been reused, as determined by a passive DNS search.

Looking at our research telemetry, we saw a spike in users visiting this particular IP address around the same timeframe, thereby suggesting this was a new TrickBot spam run. This run accounted for over 20K hits per those telemetry reports, beginning on the day of the campaign’s first discovery, which was August 28th.

Based on our telemetry, many of the targets of the TrickBot spam campaign also reside in the United States (98%), with Poland and Germany a distant second and third at less than one percent respectively.

While the TrickBot authors seem proficient in their creation and use of various modules for their main piece of malware, they are also expanding and using even more techniques to stay under the radar. For example, they are not simply limiting themselves to solely improving their executable work, they are also polishing up on their delivery mechanisms. With the use of Alternate Data Streams, for example, they are reducing their chances of being caught. The term banking malware is a double edged sword, as Trickbot is also capable of stealing banking credentials and so much more, as this latest iteration proves.

Malware authors often target the lowest hanging fruit for the highest return on their investment. Rather than using sophisticated techniques, often times the easiest point of entry is usually due to human error, and attackers are aware of this; hence why malicious spam attacks are often successful even with various technological measures. As we are a month out from Halloween, the TrickBot campaigns see no signs of slowing down, and through examples like this, we see them giving themselves a viable opening and possible access to “knocking” on the doors of a governmental agency for further propagation.

Due to time constraints, we are providing unvetted, additional possible Trickbot hashes that may be related to this latest campaign that we have come across:

4778c0029aa6bac0cd15e7abdf043e2e
53b1707fcb83d3140106c4d5e919c2c5
07c05a2e0a98d89edd40703e34f6c5e1
2fc60f978bb24db0ebab24558a4f55e0
48eec534b053c1100c94659c9aae1a28
535036011305d70443d83d22d98c8872
1f2a02b06ff44b7298ffff17d2d184ac
47fbcb420379ce5ee458f4f62356007e
a8ea9522d54f966b5cd4fd7962ed01d9
1b562a3f7b4baaa4248792f0f671a027
d4ece05e85650febcf151cf8fddd28ab
341356d8a700e854cb6d75eec9be2d34
27c00158b3988e8f92c7834a10549c73
1cd6a793fd9cdb3787a87ad14301d240
23a9c8f71934b1c8825d7055541dce52
b48feb9f021ab87026a30b20918c8b56
b5798c32592444a90cb5abaf28a95026
a105d8a102a9632df1402d04bd4e1005
a6e2b85d40f5694d13c36f1a4ef2e151
eeb00168aebf9b3c0e5607cf271ddc23

ATT&CK TTP Summary

Initial Access

T1193: Spearphishing Attachment
T1195: Supply Chain Compromise
Email came from a known supplier
T1199: Trusted Relationship
Email came from a known supplier
T1078: Valid Accounts
Email came from a legitimate account.

Execution

T1086: PowerShell
Powershell wscript /E:Jscript [dropped Alternate Data Streams script from malicious macro]
Powershell Start-Process –NoNewWindow –FilePath [downloaded file]

T1064: Scripting
Malicious macro embedded in MS Office document
%CSIDL_STARTUP%normal.txt:$.$        (JavaScript ADS)

T1047: Windows Management Instrumentation
WMI Select * from Win32_OperatingSystem
WMI Select * from Win32_ComputerSystem
WMI Select * from Win32_Process
WMI Select * from Win32_ProcessStopTrace

Persistence

T1158: Hidden Files and Directories
%CSIDL_STARTUP%normal.txt:$.$        (JavaScript ADS)

Defense Evasion

T1027: Obfuscated Files or Information
%CSIDL_STARTUP%normal.txt:$.$        (obfuscated JavaScript ADS)

T1158: Hidden Files and Directories
%CSIDL_STARTUP%normal.txt:$.$        (JavaScript ADS)

T1064: Scripting
%CSIDL_STARTUP%normal.txt:$.$        (JavaScript ADS)

T1497: Virtualization/Sandbox Evasion
%CSIDL_STARTUP%normal.txt:$.$        (JavaScript ADS) utilizes a delay loop to avoid immediately executing its malicious payload

Discovery

T1057: Process Discovery
WMI Select * from Win32_Process

T1082: System Information Discovery
WMI Select * from Win32_OperatingSystem
WMI Select * from Win32_ComputerSystem

T1077: Network Share Discovery
Script logs any shared network drives

T1083: File and Directory Discovery
Script logs files with .DOC, .XLS, .PDF, .RTF, .TXT, .PUB, .ODT extensions stored in removable and network drives

Lateral Movement

T1091: Replication Through Removable Media
Replaces any .DOC, .XLS, .PDF, .RTF, .TXT, .PUB, .ODT with a copy of the malicious JavaScript on all removable and network drives

Collection

T1119: Automated Collection

WMI Select * from Win32_Process
WMI Select * from Win32_OperatingSystem
WMI Select * from Win32_ComputerSystem

Command and Control

T1043: Commonly Used Port

TCP:443 (HTTPS)T1105: Remote File Copy
Script may download updates of itself or other malware and save as file “%TEMP%in[1-10000].txt:clause”

T1071: Standard Application Layer Protocol

HTTPS

Exfiltration

T1020: Automated Exfiltration

May contact the following URI automatically after a delay of X seconds/minutes to exfiltrate data: hxxps://185.180.199.91/angola/mabutu.php?pi=…&tan=…&z=…&n=…&u=…&an=…

T1041: Exfiltration Over Command and Control Channel

Data is sent over the standard HTTPS connections

Impact

T1485: Data Destruction

Replaces any .DOC, .XLS, .PDF, .RTF, .TXT, .PUB, .ODT with a copy of the malicious JavaScript on all removable and network drives

Known Defenses and Mitigations

Initial Access: FortiMail or other mail solutions can be used to block specific file types such as this. FortiMail can also be configured to send attachments to our FortiSandbox solution (ATP), either on premises or in the cloud, to determine if a file displays malicious behavior. FortiGate firewalls with anti-virus enabled alongside a valid subscription are also able detect and block this threat if configured to do so.

Execution: User Awareness Training – Since it has been reported that this threat has been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization are made aware of the various types of attacks delivered via social engineering. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by internal security departments within an organization. Simple user awareness training on how to spot emails with malicious attachments or links could stop the initial access into the network. If user awareness training fails and the user opens the attachment or link, FortiClient running the latest up-to-date virus signatures will detect and block this file and associated files.

The file(s) in this attack are currently being detected as: VBA/SDrop.5452!tr

Exfiltration & C&C: A FortiGate located at each of your ingress and egress points with its Web Filtering service enabled with up-to-date definitions, and/or Botnet Security enabled will detect and block any observable outbound connections if configured correctly.

It is important to note that as attacks continue to become more sophisticated they can sometimes circumvent your security defenses for a number of reasons. This is why it is important to ensure you also have the ability to detect anomalous activity that could be malicious.

Lastly, our Enterprise Bundle will address this as well as other attacks. Our Enterprise Bundle consolidates all the cybersecurity services you need to protect and defend against all cyberattack channels, from the endpoint to the cloud, including IoT devices, providing you with the integrated defense you need to tackle today’s advanced threats and address today’s challenging risk, compliance, management, visibility, and Operational Security (OT) concerns.

All network IOC’s in this report have been blacklisted by the FortiGuard Web Filtering service.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.

Fortigate is an enterprise network security appliance that works with Cloud Bare Metal. Contact us to find out our latest offers!

Comments are closed.

>