The TrickBot banking trojan has gotten trickier, with the addition of a Windows 10 ActiveX control to execute malicious macros in booby-trapped documents.
The ActiveX control uses the “MsRdpClient10NotSafeForScripting” class, according to the researcher, which belongs to the Remote Desktop (RDP) client and is used for remote control of another machine.
“The Server field is empty in the script, which will later cause an error that the attackers will actually abuse to properly execute their own code,” he explained. “The OSTAP will not execute unless the error number matches exactly to ‘disconnectReasonDNSLookupFailed’ (260); the OSTAP wscript command is concatenated with a combination of characters that are dependent on the error number calculation.”
As soon as OSTAP is created in the form of a BAT file, the file is executed, and the Word document form is closed.
“The BAT will execute wscript back with its own content,” Gorelick said. “An old trick using comments that the BAT will disregard during the execution of wscript (non-recognized command) while skipped together with its content when executed by wscript (or any other interpreter that adheres to the comments syntax).”
This ActiveX “feature” will not work on workstations that are not updated to Windows 10, according to the analysis.
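The indicators the article names (the RDP ActiveX class, an empty Server property, the disconnect-reason 260 check and the hand-off to wscript) can be turned into a simple triage heuristic for macro text. The following is an added example written for this page, not code from the article, from the researcher or from any vendor. It assumes the macro source has already been extracted from the document (for instance with oletools' olevba); the sample macro text is constructed to mimic the described pattern and its VBA method names (Controls.Add, Connect, OnDisconnected) are hypothetical.

```python
import re

# Constructed sample of extracted macro text, modelled only on the
# indicators described in the article. Not a real TrickBot sample;
# the VBA calls below are hypothetical.
SAMPLE_VBA = """
Private Sub UserForm_Initialize()
    Dim rdp As Object
    Set rdp = Me.Controls.Add("MsRdpClient10NotSafeForScripting", "rdp1")
    rdp.Server = ""
    rdp.Connect
End Sub

Private Sub rdp1_OnDisconnected(ByVal discReason As Long)
    ' only proceeds when the disconnect reason equals 260
    If discReason = 260 Then
        ' later stage hands off to wscript
    End If
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_VBA = """
Sub AutoOpen()
    MsgBox "Hello"
End Sub
"""

# (name, pattern, weight). Weights are a judgement call: the RDP control
# appearing inside a document macro is by itself the strongest signal.
INDICATORS = [
    ("rdp_activex_class",
     re.compile(r"MsRdpClient\d*NotSafeForScripting", re.I), 5),
    ("empty_server_property",
     re.compile(r'\.Server\s*=\s*""', re.I), 3),
    ("dns_lookup_failed_260",
     re.compile(r"\b260\b|disconnectReasonDNSLookupFailed", re.I), 2),
    ("wscript_reference",
     re.compile(r"\bwscript\b", re.I), 2),
]


def scan_vba(text):
    """Return (score, hit_names) for a piece of extracted macro text."""
    hits = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    return score, hits


def is_suspicious(text, threshold=6):
    """True when the weighted indicator score reaches the threshold.

    The threshold is chosen so that the RDP class alone is not enough:
    it must co-occur with at least one of the other behaviours.
    """
    score, _ = scan_vba(text)
    return score >= threshold


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        score, hits = scan_vba(text)
        print(f"{label}: score={score} hits={hits} "
              f"suspicious={is_suspicious(text)}")
```

A scanner like this is a triage aid, not a verdict: legitimate RDP automation is rare inside Office documents, but it exists, so the score should route the file to analysis rather than block it outright. The same indicators map naturally onto a YARA rule or an EDR query on the macro text.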
TrickBot was developed in 2016 as a banking malware to succeed the Dyre banking trojan, but since then it has developed into an all-purpose, module-based crimeware solution targeted specifically at corporations. Researchers say that TrickBot is particularly dangerous because it is constantly evolving with new functionality.
Earlier in February, for instance, it added a bypass for Windows 10 User Account Control (UAC), to be able to deliver malware across multiple workstations and endpoints on a network. Also so far this year, SentinelLabs found that a stealthy backdoor dubbed “PowerTrick” had been added to TrickBot.
And, in 2019, various versions of TrickBot steadily added new tricks to the trojan’s arsenal, including a feature that goes after remote desktop credentials and an update to its password grabber to target data from OpenSSH and OpenVPN applications.
Researchers last year also found evidence that the crimeware organization behind TrickBot forged an unprecedented union with North Korean APT group Lazarus through an all-in-one attack framework developed by TrickBot called Anchor Project.
“As newer features are introduced to a constantly updating OS, so too the detection vendors need to update their techniques to protect the system,” according to Gorelick. “This may become very exhausting and time-consuming work, which can lead to the opposite effect of pushing defenders even farther behind the attacker. TrickBot distributors have yet again taken advantage of the opportunity this change presents.”