TrickBot Adds ActiveX Control, Hides Dropper in Images

Trickbot activex

The tricky trojan has evolved again, to stay a step ahead of defenders.

The TrickBot banking trojan has gotten trickier, with the addition of a Windows 10 ActiveX control to execute malicious macros in boobytrapped documents.

Michael Gorelik, researcher at Morphisec Labs, said that at least two dozen documents have come to light in the last few weeks that use ActiveX—a feature in Remote Desktop Protocol (RDP) – to automatically trigger malicious macros in documents attached to targeted malspam emails. This creates and executes the OSTAP JavaScript downloader, which acts as a dropper for the TrickBot payload, without user interaction after they click the “enable macros” button.

“Each document usually contained an image to convince targets to enable the content,” he wrote in a posting on Friday. “This leads to the execution of the malicious macro, only this time the image also hid an ActiveX control slightly below it. The malicious OSTAP JavaScript downloader is then hidden in white-colored letters in between the content, so it’s not visible to people, but can be seen by machines.”

The ActiveX control uses the “MsRdpClient10NotSafeForScripting” class, according to the researcher, which is used for remote control.

“The Server field is empty in the script, which will later cause an error that the attackers will actually abuse to properly execute their own code,” he explained. “The OSTAP will not execute unless the error number matches exactly to “disconnectReasonDNSLookupFailed” (260); the OSTAP wscript command is concatenated with a combination of characters that are dependent on the error number calculation.”

As soon as OSTAP is created in the form of a BAT file, the file is executed, and the Word document form is closed.

“The BAT will execute wscript back with its own content,” Gorelick said. “An old trick using comments that the BAT will disregard during the execution of wscript (non-recognized command) while skipped together with its content when executed by wscript (or any other interpreter that adheres to the comments syntax).”

This ActiveX “feature” will not work on workstations that are not updated to Windows 10, according to the analysis.

TrickBot was developed in 2016 as a banking malware to succeed the Dyre banking trojan; but since then, it has developed into an all-purpose, module-based crimeware solution targeted specifically to corporations. Researchers say that TrickBot is particularly dangerous because it’s constantly evolving with new functionality.

Earlier in February for instance it added a bypass for Windows 10 User Account Control (UAC), to be able to deliver malware across multiple workstations and endpoints on a network. Also so far this year, SentinelLabs found that a stealthy backdoor dubbed “PowerTrick” had been added to TrickBot.

And, in 2019, various versions of TrickBot steadily added new tricks to the trojan’s arsenal, including a feature that goes after remote desktop credentials and an update to its password grabber to target data from OpenSSH and OpenVPN applications.

Researchers last year also found evidence that the crimeware organization behind TrickBot forged an unprecedented union with North Korean APT group Lazarus through an all-in-one attack framework developed by TrickBot called Anchor Project.

“As newer features are introduced to a constantly updating OS, so too the detection vendors need to update their techniques to protect the system,” according to Gorelick. “This may become very exhausting and time-consuming work, which can lead to the opposite effect of pushing defenders even farther behind the attacker. TrickBot distributors have yet again taken advantage of the opportunity this change presents.”

Suggested articles