
Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire


  • 12 Feb 2019
5 min read
by Noel Anthony Llimos and Carl Maverick Pascual

In November 2018, we covered a Trickbot variant that came with a password-grabbing module, which allowed it to steal credentials from numerous applications. In January 2019, we saw Trickbot (detected as TrojanSpy.Win32.TRICKBOT.AZ and Trojan.Win32.MERETAM.AD) with new capabilities added to its already extensive bag of tricks. Its authors clearly aren’t done updating Trickbot: we recently found a new variant that uses an updated version of the pwgrab module that lets it grab remote application credentials.

Infection Chain

Figure 1. Infection chain for the malware

Technical Analysis

The malware arrives via an email disguised as a tax incentive notification from a major financial services company. This email includes a macro-enabled (XLSM) Microsoft Excel spreadsheet attachment (detected as Trojan.W97M.MERETAM.A) that purportedly contains the details of the tax incentive. However, as is usual with such attachments, the macro is malicious and will download and deploy Trickbot on the user’s machine once activated.

Figure 2. The spam email containing the malicious macro-enabled attachment.

Figure 3. Screenshot of the attached spreadsheet document

This Trickbot variant is largely similar to the variant we discovered in November. However, the 2019 version adds three new functions, one each for the Virtual Network Computing (VNC), PuTTY, and Remote Desktop Protocol (RDP) platforms.

Figure 4. Comparison of the pwgrab modules from November 2018 (top) and January 2019 (bottom). Note the added functions in the code.

Figure 5. C&C traffic with the RDP credentials being sent.

One of the techniques used by these new functions is string encryption via simple variants of XOR or SUB routines.

Figure 6. XOR routine (top) and SUB routine (bottom) string encryption.

It also makes use of API hashes for indirect API calling, a technique prominently associated with the Carberp trojan source code leak of 2013.

Figure 7. API hashing artifact from the Carberp source code.

VNC

To grab VNC credentials, the pwgrab module searches for files with the “*.vnc.lnk” suffix in the following directories:

%APPDATA%\Microsoft\Windows\Recent
%USERPROFILE%\Documents
%USERPROFILE%\Downloads

The stolen information includes the target machine’s hostname, port, and proxy settings.

Figure 8. Screenshot of how pwgrab locates “.vnc.lnk” files in the %USERPROFILE%\Downloads directory.

The module sends the collected data via POST to servers configured through a downloaded configuration file named “dpost.” This file contains a list of command-and-control (C&C) servers that will receive the exfiltrated data from the victim.

Figure 9. Stolen information being exfiltrated to the C&C server.

PuTTY

To retrieve PuTTY credentials, it queries the registry key Software\SimonTatham\Putty\Sessions to identify the saved connection settings, which allows the module to retrieve information such as the hostname, username, and private key files used for authentication.

Figure 10. Registry traversal for PuTTY data exfiltration (left); code showing hostname, username and private key files (right).

RDP

Its third function, related to RDP, uses the CredEnumerateA API to
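As an added defensive example (not from the article or its authors), the following Python checks host-activity log lines for the two behaviours described in the VNC and PuTTY sections: a process other than the expected clients reading the PuTTY Sessions registry key, or touching .vnc.lnk shortcuts in the three directories the module searches. The pipe-separated log format, the process allow-list and the sample lines are assumptions constructed for the example.

```python
import re

# Locations the article says the pwgrab module reads.
VNC_LNK_DIRS = [
    r"%APPDATA%\Microsoft\Windows\Recent",
    r"%USERPROFILE%\Documents",
    r"%USERPROFILE%\Downloads",
]
PUTTY_SESSIONS_KEY = r"Software\SimonTatham\Putty\Sessions"

# Assumed allow-list of processes expected to read these locations; tune per environment.
ALLOWED_PROCESSES = {"putty.exe", "explorer.exe", "vncviewer.exe"}

# Constructed sample telemetry in "kind|process|target" form (not real logs).
SAMPLE_LOG = """\
reg|putty.exe|HKCU\\Software\\SimonTatham\\Putty\\Sessions\\server1
reg|svchost.exe|HKCU\\Software\\SimonTatham\\Putty\\Sessions
file|explorer.exe|C:\\Users\\alice\\Downloads\\report.pdf
file|svchost.exe|C:\\Users\\alice\\Downloads\\lab.vnc.lnk
file|svchost.exe|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\lab.vnc.lnk
file|svchost.exe|C:\\Users\\alice\\Desktop\\lab.vnc.lnk
file|vncviewer.exe|C:\\Users\\alice\\Documents\\lab.vnc.lnk
"""


def vnc_dir_pattern(template: str) -> re.Pattern:
    """Turn an %ENV%-style directory into a regex for a .vnc.lnk file in any user's profile."""
    pattern = re.escape(template)
    pattern = pattern.replace(re.escape("%APPDATA%"), r"C:\\Users\\[^\\]+\\AppData\\Roaming")
    pattern = pattern.replace(re.escape("%USERPROFILE%"), r"C:\\Users\\[^\\]+")
    return re.compile("^" + pattern + r"\\[^\\]+\.vnc\.lnk$", re.IGNORECASE)


VNC_PATTERNS = [vnc_dir_pattern(d) for d in VNC_LNK_DIRS]
# Matches the Sessions key itself or any saved session beneath it.
PUTTY_PATTERN = re.compile(r"^HKCU\\" + re.escape(PUTTY_SESSIONS_KEY) + r"(\\|$)", re.IGNORECASE)


def classify(line: str):
    """Return an alert string for one log line, or None if it looks benign."""
    kind, proc, target = line.split("|", 2)
    if proc.lower() in ALLOWED_PROCESSES:
        return None
    if kind == "reg" and PUTTY_PATTERN.match(target):
        return f"{proc}: read PuTTY saved sessions ({target})"
    if kind == "file" and any(p.match(target) for p in VNC_PATTERNS):
        return f"{proc}: touched VNC shortcut ({target})"
    return None


def scan(log: str) -> list:
    """Run classify() over every non-empty line and collect the alerts."""
    return [a for a in (classify(l) for l in log.splitlines() if l.strip()) if a]
```

Running scan(SAMPLE_LOG) flags the three svchost.exe lines that hit the listed locations and ignores the Desktop shortcut, which is outside the directories the module searches.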
Source: TrendLabs Security Intelligence Blog. Published on 2019-02-12.
