Researchers uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload as well as adopting minor changes to the integration of its components.
TrickBot is a module-based malware that, while first identified as a banking trojan, has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to send spam to victim email lists, adopt new detection evasion methods and act as a delivery vehicle for other malware, such as Emotet. More recently, the operators behind the malware appear to be changing up their anti-detection methods, researchers said on Monday.
“In this post, we detailed how this TrickBot fresh variant works in a victim’s machine, what technologies it uses to perform anti-analysis, as well as how the payload of TrickBot communicates with its C&C server to download the modules,” said Xiaopeng Zhang with Fortinet’s FortiGuard Labs threat team in a Monday analysis. “TrickBot has been active for years. The server configuration version is now 1000502, compared to the version number when we first captured it in 2016, which was 1000004. We think it will keep upgrading itself from time to time.”
Researchers discovered the latest variant in a malicious Word document, which they believe is part of a phishing campaign. When the malicious Word document is opened, it asks the victim to “Enable Content,” which then executes a malicious Macro (in VBA code) is executed. The VBA code then extracts a file (“C:\AprilReport\List1.jse”) which eventually runs a huge JavaScript file called “List1.jse.”
Anti-Analysis
Researchers listed a number of anti-analysis techniques utilized by this JavaScript file, including heavy obfuscation to protect the API function calls and constant strings associated with the malware’s attack chain from being identified.
In new behavior for this variant, once executed, the JavaScript code first waits for about one minute. This behavior makes it seem inert, helping it to bypass any auto-analysis tools, researchers said. After waiting, the JavaScript file then executes a command (“Select * from Win32_Process”) to obtain all running processes on the victim’s system. It then puts all of the names of these obtained processes together and checks to see if its length is less than 3,100 – another new anti-analysis functionality, researchers said.
“If [the length is less than 3,100], it will raise an exception and close,” researchers said. “Usually, on a real computer, this length is larger than 3100. In this measure, it is better able to bypass many auto-analysis systems, including Sandboxes and Virtual Machines.”
New Variant Payload
In another change for TrickBot, the downloaded payload in the latest variant is a DLL (dynamic link-library) file (that is run by “rundll32.exe”) while in the previous variant, the payload was an .exe file.
After downloading the TrickBot payload in a file in the %temp% folder, the JavaScript file then copies itself into the Windows startup folder so it can start whenever Windows OS starts. This persistence method is another key differentiator from previous versions of TrickBot, which used to instead install themselves as a Scheduled Task or be added into the system registry’s Auto-Run group to maintain persistence, researchers said.
Once the payload is executed, it is similar to previous versions of the TrickBot malware. The payload downloads modules from its Command and Control (C2) server, and loads and executes them. These modules include an array of commands, including submitting the victim’s system information and global IP address to the C2 server; exfiltrating data (such as Log on User Name, network status, credentials etc.); querying the C2 server for various tasks and more.
In another slight modification, the newest TrickBot variant also integrates the module “systeminfo” into the payload file, which was a standalone module before. This command tells the server that the “systeminfo” module was a success. While before, “systeminfo” was a DLL file used to collect system information from the victim’s device and then send it to its server, the module is already integrated into latest version of TrickBot, researchers said.
Finally, Researchers said that the newest variant also reflects a change in the command used to request up-to-date server configuration data. The configuration is now “1000502,” rather than the previous configuration “1000004.”
Zhang told Threatpost that he believes TrickBot will continue to evolve, particularly when it comes to its modular functionalities.
“We think it will keep upgrading itself and adding more modules to extend its functions,” he told Threatpost. “Due to its modular design, it’s possible to do that.”
Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.