Researchers uncovered a new variant of the TrickBot malware that relies on new anti-analysis techniques, an updated method for downloading its payload, and minor changes to how its components are integrated.
TrickBot is a module-based malware that, while first identified as a banking trojan, has gradually extended its functions to include collecting credentials from a victim’s emails, browsers and installed network apps. The malware has also evolved to send spam to victim email lists, adopt new detection evasion methods and act as a delivery vehicle for other malware, such as Emotet. More recently, the operators behind the malware appear to be changing up their anti-detection methods, researchers said on Monday.
“In this post, we detailed how this TrickBot fresh variant works in a victim’s machine, what technologies it uses to perform anti-analysis, as well as how the payload of TrickBot communicates with its C&C server to download the modules,” said Xiaopeng Zhang with Fortinet’s FortiGuard Labs threat team in a Monday analysis. “TrickBot has been active for years. The server configuration version is now 1000502, compared to the version number when we first captured it in 2016, which was 1000004. We think it will keep upgrading itself from time to time.”
“If [the length is less than 3,100], it will raise an exception and close,” researchers said. “Usually, on a real computer, this length is larger than 3100. In this measure, it is better able to bypass many auto-analysis systems, including Sandboxes and Virtual Machines.”
New Variant Payload
In another change for TrickBot, the downloaded payload in the latest variant is a DLL (dynamic-link library) file that is run by “rundll32.exe,” whereas in the previous variant the payload was an .exe file.
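A practical consequence of the payload change is that the initial execution now looks like a legitimate Windows binary (rundll32.exe) loading a DLL, so a detection cannot simply key on the process name. The following added example (written for this page, not code from the Fortinet analysis or from TrickBot) shows the kind of hunting logic a detection engineer would run over process-creation telemetry: parse Sysmon-style events, pull the DLL argument out of the rundll32 command line, and flag loads from user-writable locations or from parents that themselves run from such locations. The event lines and the field layout (`Image`, `CommandLine`, `ParentImage` separated by `|`) are constructed for the example and are not telemetry from the report.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 fields flattened
# to one line each). These are illustrative records written for this example,
# not telemetry from the Fortinet analysis or any real TrickBot infection.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\rundll32.exe|CommandLine="C:\Windows\System32\rundll32.exe" C:\Users\alice\AppData\Roaming\svc\core.dll,Start|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,DllRegisterServer|ParentImage=C:\Users\bob\AppData\Local\Temp\installer.exe',
    r'Image=C:\Program Files\Git\git.exe|CommandLine=git status|ParentImage=C:\Windows\System32\cmd.exe',
]

# Directories an unprivileged user (or a dropper running as that user) can write to.
# The list is a heuristic chosen for this example; tune it to your environment.
USER_WRITABLE = re.compile(
    r'\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp|Temp)\\',
    re.IGNORECASE,
)


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value|Key=Value' record into a dict (splitting on the first '=' only)."""
    fields: Dict[str, str] = {}
    for part in line.split('|'):
        key, _, value = part.partition('=')
        fields[key.strip()] = value.strip()
    return fields


def dll_from_rundll32_cmdline(cmdline: str) -> Optional[str]:
    """Return the DLL path rundll32 was asked to load, or None if there is no DLL argument.

    rundll32 syntax is: rundll32.exe <dll>,<EntryPoint> [args]. The executable token
    and the DLL path may each be double-quoted; an unquoted path containing spaces is
    not handled (rundll32 itself would not resolve it either).
    """
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s+(.+)$', cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else None
    # Unquoted: the DLL spec ends at the first comma or whitespace.
    return rest.split(',', 1)[0].split()[0]


def assess(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event is suspicious (empty if it is not a rundll32 event or looks benign)."""
    reasons: List[str] = []
    image = event.get('Image', '')
    if not image.lower().endswith('\\rundll32.exe'):
        return reasons
    dll = dll_from_rundll32_cmdline(event.get('CommandLine', ''))
    if dll is None:
        reasons.append('rundll32 without a DLL argument')
        return reasons
    if USER_WRITABLE.search(dll):
        reasons.append(f'DLL loaded from user-writable path: {dll}')
    if not dll.lower().endswith('.dll'):
        reasons.append(f'DLL argument lacks .dll extension: {dll}')
    parent = event.get('ParentImage', '')
    if USER_WRITABLE.search(parent):
        reasons.append(f'parent also runs from user-writable path: {parent}')
    return reasons


def hunt(lines: List[str]) -> List[dict]:
    """Run the heuristics over raw event lines and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings.append({'commandline': ev.get('CommandLine', ''), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in hunt(SAMPLE_EVENTS):
        print(f['commandline'])
        for r in f['reasons']:
            print('   -', r)
```

On the constructed input this flags the first event (a DLL under a user's AppData directory) and the third (a DLL in Temp launched by a parent that also lives in Temp), while passing the shell32.dll control-panel invocation that looks the same at the process-name level. The value of the parent-process check is that a dropper which writes the DLL and then invokes rundll32.exe, as the page describes, leaves both halves of that chain in user-writable space.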
Once the payload is executed, it behaves much like previous versions of the TrickBot malware. The payload downloads modules from its command-and-control (C2) server, then loads and executes them. These modules implement an array of commands, including submitting the victim’s system information and public IP address to the C2 server; exfiltrating data (such as the logged-on user name, network status, credentials and so on); querying the C2 server for tasks; and more.
In another slight modification, the newest TrickBot variant integrates the “systeminfo” module, previously a standalone module, into the payload file itself. Before, “systeminfo” was a separate DLL that collected system information from the victim’s device and sent it to the server; in the latest version that function is built into the payload, which then reports to the server that the “systeminfo” module completed successfully, researchers said.
Finally, researchers said that the newest variant also reflects a change in the command used to request up-to-date server configuration data. The server configuration version is now “1000502,” compared with “1000004” in the earlier variant.
Zhang told Threatpost that he believes TrickBot will continue to evolve, particularly when it comes to its modular functionalities.
“We think it will keep upgrading itself and adding more modules to extend its functions,” he told Threatpost. “Due to its modular design, it’s possible to do that.”