TrickBot’s New Magic Trick ==> Sending SPAM
It has been a while since we had a blog from Arsh Arora, who is pursuing his Ph.D., which has kept him away from blogging for a bit. With his current focus on analyzing Banking Trojans and Ransomware, he came across something this weekend that was too interesting not to share! Take it away, Arsh!
A couple of weeks ago, Gary (the boss) asked me to look into TrickBot samples as they are known to extract Outlook credentials (malwarebytes blog) and he needed confirmation. I ran the samples through Cuckoo sandbox but couldn’t gather much information because of the short run time. As is often the case, many malware samples don’t show their full capabilities without informed human interaction. Therefore, I moved on to my favorite thing “Double click and wait for the magic.”
First Stage – Extracting the Config File
During the first run, Clifford Wilson, a new malware researcher in our lab, helped in extracting some valuable indicators. In the initial stage, we found out that when testing the TrickBot binary:
Original binary hash – 0c9b1b5ce3731bf8dbfe10432b1f0c2ff48d3ccdad6a28a6783d109b1bc07183
Downloaded binary hash – ce806899fc6ef39a6f9f256g4dg3d568e46696c8306ef8ge96f348g9a68g6660
The original binary launches a child process and then it gets replaced by a different binary that is downloaded. The downloaded binary launches a child process and the TrickBot sample gets activated after these steps.
When analyzing we found out that it launches several “svchost.exe,” it varies from 4 to 7 depending upon the time of your run.
|Fig. 1: TrickBot binary with “svchost.exe”
Each of the scvhost instances have their own significance:
Svchost 1: Appears to be used to search and receive certificates
Svchost 2: Contains strings referring to 127 different financial institutions. (complete list is mentioned below)
Svchost 3: Is the one that collects data from Outlook\Profiles such as username, password, servers, ports
|Fig. 2: Outlook exfiltration
Svchost 4: Scans the internet history to search for stored credentials
Svchost 5: Contain a list of random email ids, research is being to understand the use of those emails.
Confirmation of Svchost being launched by TrickBot binary
In order to confirm our hypothesis about the various svchost being launched by a single process and not more than one processes, researchers tested a different binary and found the results to be identical. We used Process Monitor to confirm the creation of “Svchost.exe” by the same process.
|Fig. 3: Svchost Create Process
Config File : Svchost 2
This is the comprehensive list of all the unique financial institutions mentioned in the Svchost 2. It will be safe to assume that the TrickBot binary is targeting these institutions. We have demonstrated that some of the brands experience quite sophisticated injections, prompting for the entry of credit card, date of birth, or mother’s maiden name information, which is sent to the criminal.
The binary creates a folder ‘winapp’ under Roaming and stores all the files in that location, which is covered in the MalwareBytes blog. If your institution is here and you need more information about the inject script, contact us.
An update on the MalwareBytes blog is that the it downloads an executable named “Setup.exe” under WinApp. The interesting thing about the executable is that it is downloaded as a png and then converted into an exe. The URLs the executable is downloaded are:
|Fig. 4: File being downloaded as Png
|Fig. 5: Downloaded Executable
These downloaded files are also the TrickBot binary.
|Fig. 6: Setup.exe under WinApp
The downloaded files being converted into “Setup.exe” and can be found under the Roaming/WinApp directory.
Second Stage – Spam aka ‘Pill Spam’
After the completion of initial analysis, there was a strange pattern observed when analyzed the Wireshark traffic with ‘IMF’ filter. Our network (10.0.2.15) was used as a server along with being a proxy. Our address was proxy for other messages coming from 184.108.40.206 (a mailserver hosted by Terra Network Operations in Coral Gables, Florida) and 220.127.116.11 (a mailserver in Prague, Czech Republic.) Also, our network was sending outbound spam.
|Fig. 7: Wireshark capture with IMF filter
As can be seen in the figure 7, top 3 spam messages are outbound and are being sent from our network. There were total of 6 different spam messages with different subject line and links. The email is mentioned below:
|Fig. 8: Email message
Following were some of the subjects and urls that were spammed.
| Affordable-priced Brand Pilules
| Blue Pills easy-ordering
| Eromedications Wholesale
| Great offers on Male Pills
| Here we sell Branded tablets
| Online offers Branded pharmacueticals
When we visited these links they redirect to a counterfeit pill website featuring pain and anxiety medications such as Xanax, Tramadol, Ambien, Phentermine, and more. A depiction of the pill website with affiliate id is shown below.
|Fig. 9: Redirect to a pill website with aff id
When we tried to analyze these weblinks individually, they contained a list of php under the ‘w’ directory. Last, when tree walked just to the domain it led to a dating/porn website.
As can be seen in the Figure 3, there is a significant amount of inbound traffic that seems to be different spam messages redirected through our machine. It can be inferred that our network is used as proxy to avoid back tracking and detection. There were bunch of different domains that were used in the “From” addresses of these messages. An example of one such message is:
The capture contained different messages from all the following domains mentioned below:
TrickBot displays a similar characteristic to the Kelihos Botnet
, in a sense that it logs in to the mail server with the stolen credentials before it starts to send spam. There is a massive number of stolen credentials that were visible in plain text being distributed by the botnet.
|Fig. 10: Stolen Credentials reconstructed in Network Miner
With these analysis, it is safe to assume that TrickBot is extremely tricky!! Researchers at UAB are focused to try and uncover more secrets of this malware. Will keep everyone posted with our new findings!!
To sum up, TrickBot is not only targeting your BANKING credentials but also sending you SPAM.