Check Point Research (CPR) warned that TrickBot malware targeted customers of 60 financial and technology companies, with most located in the U.S.
The researchers discovered that TrickBot attacked high-profile victims to steal account credentials and sensitive data for maximum impact. They found that the malware implements various anti-analysis techniques to protect its logic from security researchers.
Consisting of 20 modules that are independently downloadable and executable, the “very selective” TrickBot malware can be executed on demand. Having evolved from a banking trojan, TrickBot became a leading malware and a sophisticated delivery system capable of deploying ransomware.
TrickBot successfully rebuilt its infrastructure after the October 2020 law enforcement takedown and became the preferred delivery system for the Emotet botnet during its reconstruction effort. Judging from the telemetry data received by CPR, TrickBot has infected at least 140,000 devices in 16 months.
TrickBot malware anti-analysis and obfuscation features
The CPR team analyzed TrickBot malware code samples and discovered that TrickBot operators have updated the botnet with new anti-analysis features and anti-deobfuscation techniques.
“We not only see variants created based on more recently successful malware, but we even see threat actors use malware that is even twenty years old to generate new variants,” Saryu Nayyar, CEO and Founder at Gurucul, said. “As can be seen by Trickbot, even when a threat actor group is broken up, their legacy lives on as other groups can inherit their tools, tactics, and procedures with their own modifications and improvements to evade current detection techniques.”
CPR researchers focused on three TrickBot malware modules, injectDll, tabDll, and pwgrabc, used in web injection, network propagation, and credential harvesting.
“Modular malware is nothing new,” Tessa Mishoe, Senior Threat Analyst at LogicHub, said. “We used to see remote access trojans in the early days of the Internet that would call home and contain a whole suite of features that would then be leveraged for a variety of attacks. What makes Trickbot so interesting is effort – while many forms of malware prey on the lowest common denominator of targets, Trickbot is going straight for high-value targets.”
According to the researchers, the injectDll module is responsible for browser data injection targeting customers of 60 high-profile companies in the financial and technology sectors. The injectDll module also features anti-analysis techniques: it is minified and disguised as ‘jquery-3.5.1.min.js’, obfuscated, and contains anti-deobfuscation features.
The module builds a URL from regular expressions, with the result matching the obfuscated code. The module blocks researchers’ IP addresses if they try to access a non-existent endpoint on the command-and-control (C2) server.
Additionally, the module applies anti-deobfuscation techniques that stop the code from working once it becomes human-readable.
Similarly, the injectDll module prevents a researcher from sending automated requests to command-and-control servers by checking the “Referer” header, refusing to send a valid web-inject payload if the header is invalid or missing.
“Web-injects cause a lot of harm to victims because such modules steal banking and credential data and could cause great financial damage via wire transfers. Add TrickBot’s cherry-picking of victims, and the menace becomes even more dangerous,” they wrote.
The second TrickBot malware module, tabDLL, steals users’ credentials and spreads the malware through the network in several steps.
Firstly, the tabDLL module enables the storing of user credentials in the LSASS process. It then injects the ‘Locker’ module into the “explorer.exe” process, forces users to enter their credentials into the application, and locks the session. It uses the mimikatz technique to grab the credentials from LSASS. The tabDLL module finally leverages the EternalRomance exploit to propagate through SMBv1 network shares.
“Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage,” the researchers posited.
Lastly, the pwgrabc module is a credential stealer targeting different applications such as Chrome, Chrome Beta, Firefox, Edge, Edge Beta, Internet Explorer, Filezilla, Outlook, VNC, Teamviewer, AnyConnect, OpenVPN, OpenSSH, Putty, Git, Precious, RDP, RDCMan, KeePass, and WinSCP.
Check Point researchers published the TrickBot malware’s indicators of compromise (IoCs), the list of targeted companies and applications, and the code analysis of the new TrickBot malware variant.
High-profile victims erode customer trust
Current victims include traditional financial institutions like JPMorgan Chase, cryptocurrency firms like Blockchain.com, and technology companies like Microsoft and Google. Others include American Express, Citi, Chase, Capital One, PayPal, and Amazon.
“With a recognized brand comes a level of trust, even if we are not consciously aware of it; and these bad actors have no problem exploiting this,” Erich Kron, Security Awareness Advocate at KnowBe4, said. “While these brands do work hard to protect their reputation, there is little they can do to completely stop a bad actor from using their name, and the associated trust or familiarity, to launch these attacks.”
However, Felix Rosbach, Product Manager at comforte AG, says that TrickBot malware attacks could be perceived as companies’ failure to protect their customers.
“From a customer perspective – even with those brands not being able to protect their customers against it – it might be perceived as an organization’s fault,” Rosbach continued. “This brings up the importance of cybersecurity awareness programs for end-users and customers, which usually goes beyond the typical employee awareness budget – but can be highly beneficial. More and more customers care about how an organization deals with cybersecurity, and if they do their best to protect their personal information and assets.”
The researchers described TrickBot malware developers as capable of developing low-level software systems and very attentive to small details.
“At the same time, we know that the operators behind the infrastructure are very experienced with malware development on a high-level as well,” Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software Technologies, said. “The combination of these two factors is what allows TrickBot to remain a dangerous threat for more than 5 years already. I strongly urge people to only open documents from trusted sources and to use different passwords on different websites.”