Trickbot has been around since 2016 – but a new variant of the infamous financial trojan has caught the eyes of researchers with a stealthy code-injection technique.
Researchers at Cyberbit this week said that they have found a new Trickbot iteration that features a sneaky method of performing process-hollowing using direct system calls, anti-analysis techniques and the disabling of security tools.
“Trickbot is constantly evolving, adopting new tricks and becoming stealthier,” said Cyberbit malware analyst Hod Gavriel in a blog post. “It still has some way to go since it didn’t implement all its process-hollowing function calls via direct system calls. To avoid being analyzed, it added some very simple and ineffective techniques such as sleep (for a long/short time) and useless function calls. To avoid detection, it disabled and deleted the Windows Defender service.”
Trickbot has made its mark as a trojan responsible for man-in-the-browser attacks since mid-2016. It includes modules for stealing data from browsers and Microsoft Outlook, locking the victim’s computer, system and network information gathering, and stealing domain credentials. It also targets victims for other malicious activities, such as cryptocurrency mining and ATO operations.
The latest variant of Trickbot is spreading via a widespread spam campaign, which uses malicious Word documents that include a macro code with a twist. The Cyberbit researchers first discovered the campaign last month targeting victims in the U.S. and Spain.
Interestingly, the infected document will not execute its macro until the user has both clicked “enable content” to enable execution of macros, and zoomed in or out of the document.
“Indeed, some users will open the document and will not be infected, as they will not use the zoom function,” Gavriel told Threatpost. “This is a clever tactic aiming to evade sandbox testing. A sandbox would investigate the file but is very unlikely to activate the zoom function, in which case the file will appear legitimate.”
He added that using this tactic is possible because some particular Word macro functions are triggered by specific events.
Once enabled, the macro, which like many malicious macros is obfuscated, executes a PowerShell script that then downloads and executes Trickbot.
Upon execution, the malware sleeps for 30 seconds to evade sandboxes (by calling Sleep(30000)). It then decrypts a dynamic link library file (named “shellcode_main”; a DLL contains routines that other programs can call to perform certain tasks), which is then mapped into a buffer.
Like older samples of Trickbot, researchers observed this newest variant make use of a technique called process-hollowing for unpacking. Instead of injecting code into the host program, Trickbot unmaps — or hollows out — legitimate code from the target’s memory, and then overwrites the memory space with a malicious executable.
First, the malware creates a suspended process using CreateProcessW. It then obtains a handle to that process and copies the handle to a buffer, from which it is reused by the subsequent functions. These functions include unmapping the original module from the hollowed process, creating a section to write the malicious code into, mapping that section into the hollowed process, and resuming the suspended process to start execution.
The variant carries out process-hollowing using both direct system calls and functions saved on the stack from earlier: “Organizations should be aware of this new trend to directly call functions via system calls,” researchers said. “This technique bypasses security tool hooks and therefore most security products will not detect this threat.”
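The detection point the researchers raise is that direct system calls bypass user-mode hooks, so a sensor that only sees hooked API calls never observes the unmap/map steps. The following added example (not Cyberbit’s code or Trickbot’s) shows a sequence-based detector run over a constructed, kernel-vantage event trace using the same stages the article describes (suspended CreateProcessW, unmap, create section, map, resume), and then over the same activity as a user-mode hook would see it, where the syscall-only stages are missing. The trace format, event names and PIDs are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed trace in an assumed "<actor_pid> <event> key=value ..." format,
# as a kernel-side sensor (process callbacks / ETW) would record it.
KERNEL_VIEW = [
    "1000 ProcessCreate pid=1001 image=C:\\Windows\\System32\\svchost.exe flags=CREATE_SUSPENDED",
    "1000 NtUnmapViewOfSection target=1001",
    "1000 NtCreateSection size=0x40000",
    "1000 NtMapViewOfSection target=1001 protect=PAGE_EXECUTE_READWRITE",
    "1000 NtResumeThread target=1001",
    # Benign launcher: creates a process without suspension and just resumes a thread.
    "2000 ProcessCreate pid=2001 image=C:\\Windows\\notepad.exe flags=0",
    "2000 NtResumeThread target=2001",
]

# Same activity as seen by a user-mode API hook: the stages issued as direct
# system calls (unmap / create section / map) never pass through the hook.
HOOK_VIEW = [
    "1000 ProcessCreate pid=1001 image=C:\\Windows\\System32\\svchost.exe flags=CREATE_SUSPENDED",
    "1000 NtResumeThread target=1001",
]

# The hollowing stages we require, in order, keyed by the event that satisfies each.
STAGES = ("suspended_create", "unmap", "create_section", "map", "resume")

_LINE = re.compile(r"^(\d+)\s+(\w+)\s*(.*)$")


def parse_event(line):
    """Parse one trace line into (actor_pid, event_name, {key: value})."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"unparseable trace line: {line!r}")
    actor, name, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return int(actor), name, fields


def detect_hollowing(lines):
    """Return [(actor_pid, target_pid)] for every pair that completes all stages in order."""
    # (actor, target) -> index of the next stage still to be observed
    progress = defaultdict(int)
    findings = []
    for line in lines:
        actor, name, f = parse_event(line)
        if name == "ProcessCreate":
            if "CREATE_SUSPENDED" in f.get("flags", ""):
                key = (actor, int(f["pid"]))
                progress[key] = 1  # stage 0 satisfied
            continue
        if name == "NtCreateSection":
            # Section creation is not bound to a target; credit every pair that is waiting for it.
            for key, idx in progress.items():
                if STAGES[idx] == "create_section":
                    progress[key] = idx + 1
            continue
        target = f.get("target")
        if target is None:
            continue
        key = (actor, int(target))
        if key not in progress:
            continue
        expected = STAGES[progress[key]]
        if (name, expected) in {("NtUnmapViewOfSection", "unmap"),
                                ("NtMapViewOfSection", "map"),
                                ("NtResumeThread", "resume")}:
            progress[key] += 1
            if progress[key] == len(STAGES):
                findings.append(key)
    return findings


if __name__ == "__main__":
    print("kernel view:", detect_hollowing(KERNEL_VIEW))  # flags (1000, 1001)
    print("hook view:  ", detect_hollowing(HOOK_VIEW))    # nothing: blind spot
```

The benign launcher (PID 2000) never completes the chain, and the hook-only trace never even starts the unmap stage, which is the article’s point: telemetry for this pattern has to be collected beneath the user-mode hooks the syscalls sidestep.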
Researchers noted that Trickbot’s partial use of direct system calls for process-hollowing is very similar to the Flokibot malware – a trojan horse that opens a back door, steals information and downloads potentially malicious files on the compromised computer.
“We suspect that some piece of code is shared between these malwares,” researchers said. “As in the Flokibot malware – not all the functions used for the process-hollowing were directly called using system calls – some of them were called from the functions addresses that were saved on the stack earlier.”
Trickbot also “didn’t implement the direct system calls to the three functions mentioned in the table above – and could have been stealthier if it did,” they added. “Oddly enough – these are the exact same functions that didn’t have this implementation in Flokibot either.”
Another similarity to note is the use of the CRC32 algorithm for hashing the function names. In Flokibot, CRC32 is used in conjunction with an XOR of a two-byte value to combine hashes. In Trickbot, CRC32 is also used, although without any additional XOR step.
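Because the import names are stored only as CRC32 values, an analyst resolving them needs a precomputed table of hashes for candidate API names, and since malware authors often vary the CRC32 initial value or final XOR, the table should cover those variants too. The following added example (not from the article, Cyberbit, or either malware family) implements a parameterised CRC32, checks the standard form against zlib, and builds a reverse lookup over a constructed list of export names; the candidate names and the variant set are assumptions, and Flokibot’s additional two-byte XOR is not reproduced because the article does not specify it.

```python
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32(data: bytes, init: int = 0xFFFFFFFF, final_xor: int = 0xFFFFFFFF) -> int:
    """Table-driven CRC32 with configurable init and final XOR (defaults = standard CRC-32)."""
    c = init
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return (c ^ final_xor) & 0xFFFFFFFF


# Variants commonly seen in hand-rolled implementations (an assumption for this example).
VARIANTS = {
    "standard": dict(init=0xFFFFFFFF, final_xor=0xFFFFFFFF),
    "no_final_xor": dict(init=0xFFFFFFFF, final_xor=0),
    "zero_init": dict(init=0, final_xor=0),
}

# Constructed candidate list; in practice this would be every export of the DLLs of interest.
CANDIDATE_EXPORTS = [
    "CreateProcessW", "NtUnmapViewOfSection", "NtCreateSection", "NtMapViewOfSection",
    "NtResumeThread", "WriteProcessMemory", "VirtualAllocEx", "Sleep", "LoadLibraryA",
]


def build_lookup(names):
    """Map hash -> (name, variant) for every candidate name under every variant."""
    lookup = {}
    for name in names:
        for variant, params in VARIANTS.items():
            lookup[crc32(name.encode("ascii"), **params)] = (name, variant)
    return lookup


LOOKUP = build_lookup(CANDIDATE_EXPORTS)


def resolve(hash_value: int):
    """Return (name, variant) for a hash found in the sample, or None if no candidate matches."""
    return LOOKUP.get(hash_value & 0xFFFFFFFF)


if __name__ == "__main__":
    assert crc32(b"abc") == zlib.crc32(b"abc")
    for h in (crc32(b"NtCreateSection"), crc32(b"NtResumeThread", final_xor=0)):
        print(f"{h:08x} -> {resolve(h)}")
```

Listing which variant matched is the useful by-product: once one hash resolves under, say, `no_final_xor`, the remaining hashes in the sample can be resolved with that variant alone.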
Trickbot Continues Evolving
This is only one of several recent reports surrounding Trickbot, which has continued to evolve over the past few months. Earlier in July, both IBM and Flashpoint warned that the malware has started targeting U.S. banks in new spam campaigns fueled by the prolific Necurs botnet.
Earlier in May, Flashpoint analysts said that the operators behind the IcedID and TrickBot trojans appear to be targeting banking victims in a dual threat — and sharing the profit.