Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

TrickBot’s Bigger Bag of Tricks

0
0

By Noel Anthony Llimos and Carl Maverick Pascual

TrickBot continues to evolve as itadds more features to steal users’ credentials, the most recent development we published being thepwgrab32 module. Because of TrickBot’s modular capability, we found a newly addedPOS malware feature that makes this banking trojan more dangerous. The new module scans for indicators if an infected computer is connected to a network that supports POS services and machines.

We’re currently investigating how the malware authors could leverage this information, given that they have successfully infiltrated the network with POS-related services installed but stop short of getting specific data such as credit card, ATM or other banking-related information. It’s possible that the cyber actors are gathering information at this stage in preparation for future intrusions.

Analyzing module psfin32


TrickBot’s Bigger Bag of Tricks

Figure 1. TrickBot’s new module, psfin32

The new POS extraction module, psfin32, is similar to its predecessor network domain harvesting module, but modified solely to identify POS-related terms located in the domain of interest. Identifying the POS services in a network from domain controllers and basic accounts, this module still uses LDAP queries to access Active Directory Services (ADS) , which is responsible for storing information about objects on the network. This LDAP query searches for machines in the Global Catalog for dnsHostName containing the following substrings:

*POS* *LANE* *BOH* *TERM* *REG* *STORE* *ALOHA* *CASH* *RETAIL* *MICROS*
TrickBot’s Bigger Bag of Tricks

Figure 2. LDAP query substrings search


TrickBot’s Bigger Bag of Tricks

Figure 3. LDAP query machine search

If the query does not resolve any of the requested information, it also performs other queries for different accounts or objects in the network based on the following:

sAMAccountName : This is used to support legacy windows OS versions such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager
TrickBot’s Bigger Bag of Tricks

Figure 4. sAMAccountName user query


TrickBot’s Bigger Bag of Tricks

Figure 5.sAMAccountName group query

Site Name
TrickBot’s Bigger Bag of Tricks

Figure 6. Site name query

Organizational Unit (OU)
TrickBot’s Bigger Bag of Tricks

Figure 7. OU query

In addition to domain controllers, it also sends queries to computers with basic accounts or users in the network with UserAccountControl (UAC) 8192 .


TrickBot’s Bigger Bag of Tricks

Figure 8. Non-domain controller query

Once TrickBot has extracted the information, it stores the information to its pre-configured “Log” file to send to its C&C server Dpost server via POST connection. If the C&C server is not accessible, it would prompt “Dpost servers unavailable,” otherwise the prompt shows “Report successfully sent.”


TrickBot’s Bigger Bag of Tricks

Figure 9. C&C communication

Considering the module’s timing for deployment, the threat actors may be leveraging the holidays to gather information and distribution, especially after a similar entry by Brad Duncan published in ISC talked about a malspam campaign involving TrickBot macros targeting the United States. While the analyzed sample size of documents and URLs have since been inaccessible, users and businesses are cautioned against opening suspicious emails, files and attachments.

Defending against this threat: Trend Micro solutions

Given its modular feature, we can expect more changes from TrickBot to make it more challenging to detect and defend against. Users and businesses can defend themselves from banking trojans like TrickBot by using a multi-layered approach, especially given this busy season.

Trend Micro protects customers from all threats related to TrickBot.To protect enterprises and users from this malware, it is best to employ endpointapplication control that reduces attack and infiltration exposure byensuring only files, documents and updates associated with whitelisted applications and sites can be installed, downloaded, and viewed. Endpoint solutions such as Trend Micro Security , Trend Micro Smart ProtectionSuites ,and Trend MicroWorry-FreeBusiness Security can detect these malicious files to protect users’ systems.

Indicator of Compromise

SHA256

TrojanSpy.Win32.TRICKBOT.AL a9b00d12f7fa52209a8ead91bb595522effc0ab5e4dcfa02e0d145ae7ea1cb19


Viewing all articles
Browse latest Browse all 12749