A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. It has multiple modules, including VNC and a SOCKS5 proxy, and uses SSL for C2 communication.

The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware.

Example 1 - Svchost Process Hollowing

Sample taken from VirusTotal.

Upon execution of the Trickbot binary, a few things happen.

A directory is created containing a copy of the executed binary and an obfuscated settings.ini file.


A scheduled task named “System cache service” is created. As a means of persistence, it executes the renamed Trickbot binary ‘Vticmbqt.exe’ from the newly created ‘C:\Users\husky\AppData\Roaming\cashcore’ directory.


Following the execution flow with Procmon, we can see a svchost.exe process with the command line “C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule”, which indicates this is the Task Scheduler service running the scheduled task.

This process spawns ‘Vticmbqt.exe’ from the ‘C:\Users\husky\AppData\Roaming\cashcore’ directory, per the scheduled task Action.

We then see Vticmbqt.exe create another svchost.exe process.


We can identify any further suspicious svchost.exe processes by listing the services hosted by each svchost instance and reviewing any whose Services column reads “N/A”: a genuine svchost.exe exists only to host services, so one hosting none is worth a closer look.

tasklist /svc | sls svchost
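The same triage step, as an added example that is not part of the original write-up: a small parser for `tasklist /svc` output that flags svchost.exe instances hosting no service. The sample output below is constructed for the example (the PIDs and the process names other than those already mentioned on this page are assumptions, not values captured from the analysed sample).

```python
import re

# Constructed sample of `tasklist /svc` output (not captured from the analysed host):
# one svchost hosting RPC, one hosting the Scheduler, and one hosting nothing at all.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    780 RpcEptMapper, RpcSs
svchost.exe                   1096 Schedule
svchost.exe                   3412 N/A
Vticmbqt.exe                  3280 N/A
explorer.exe                  2200 N/A
"""

# Image names may contain spaces ("System Idle Process"), so match the image
# non-greedily up to the numeric PID rather than splitting on whitespace.
LINE_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_tasklist_svc(text):
    """Return (image, pid, [services]) tuples from `tasklist /svc` output.

    Header and separator lines carry no PID and are skipped; an "N/A"
    services column becomes an empty list.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        services = m.group("services").strip()
        svc_list = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        rows.append((m.group("image"), int(m.group("pid")), svc_list))
    return rows


def find_unhosted_svchost(text):
    """Return the PIDs of svchost.exe instances that host no service at all."""
    return [pid for image, pid, svcs in parse_tasklist_svc(text)
            if image.lower() == "svchost.exe" and not svcs]


if __name__ == "__main__":
    for pid in find_unhosted_svchost(SAMPLE_TASKLIST):
        print(f"svchost.exe PID {pid} hosts no service: candidate for hollowing, inspect further")
```

On a live host, feed the function the real output (`subprocess.run(["tasklist", "/svc"], capture_output=True, text=True).stdout`). Treat a hit as a lead rather than a verdict: a legitimate svchost.exe can show “N/A” briefly while its service starts or stops, so confirm with the parent process and the memory inspection described next.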


Basic Execution Flow


We’ll interrogate this process further with Process Hacker: locate the hollowed svchost process by its PID, then open Properties > Memory > Strings. Here we can filter for any string containing “HTTP”, which helps identify potential C2 traffic.

Doing this shows interesting results: connections to IPv4 addresses over port 449, which Trickbot is known to use, so we’ll change our filter to “449” to identify further potential network IOCs.


The following IP addresses are extracted:

185.189.122.68
181.112.157.42
45.238.37.14
45.224.214.34
181.196.207.202
181.129.167.82
181.113.28.162
103.255.10.24
117.204.253.33
181.140.173.186
190.146.176.67
181.113.28.146
177.154.86.145
117.197.119.219
190.214.13.2
190.72.235.47
117.196.233.100
117.206.149.29
181.129.134.18
189.28.185.50
91.108.150.213
170.84.78.224
117.255.221.135
185.57.167.32
181.129.104.139
177.105.242.229
190.142.200.108
103.219.213.102

It seems that this sample’s configuration is using the 181.129.104.139 address.
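Turning the manual “449” string filter into a repeatable IOC extraction, as an added example that is not part of the original write-up: it scans a strings dump for `IPv4:port` pairs on port 449, drops malformed and non-routable addresses, and de-duplicates the rest. The dump below is constructed for the example; it reuses three of the addresses listed above plus invented noise lines, so the result is only as good as the dump you feed it.

```python
import ipaddress
import re

# Constructed strings dump (not the analysed process's real memory): a few lines in
# the shape the Process Hacker strings view showed, with benign noise mixed in.
SAMPLE_STRINGS = """\
kernel32.dll
https://181.129.104.139:449/
http://185.189.122.68:449/
http://127.0.0.1:449/
https://update.microsoft.com:443/
http://999.1.1.1:449/
http://45.238.37.14:449/
181.129.104.139:449
HTTP/1.1
"""

# IPv4 followed by :port; the look-arounds stop a match starting or ending
# in the middle of a longer digit run.
IP_PORT_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")


def extract_c2_candidates(text, port=449):
    """Return sorted unique routable IPv4Address objects seen with the given port."""
    found = set()
    for ip_text, port_text in IP_PORT_RE.findall(text):
        if int(port_text) != port:
            continue
        try:
            ip = ipaddress.IPv4Address(ip_text)
        except ValueError:
            continue  # e.g. 999.1.1.1: an octet out of range, not an address
        if not ip.is_global:
            continue  # loopback, private and link-local ranges are not C2 leads
        found.add(ip)
    return sorted(found)


def as_ioc_lines(text, port=449):
    """Render the candidates as ip:port strings ready for a blocklist or hunt query."""
    return [f"{ip}:{port}" for ip in extract_c2_candidates(text, port)]


if __name__ == "__main__":
    for line in as_ioc_lines(SAMPLE_STRINGS):
        print(line)
```

The `port` parameter makes the same scan reusable for other families that favour a fixed port; for Trickbot the default of 449 matches what the strings view surfaced above. Addresses that fail `is_global` are excluded deliberately: a loopback or RFC 1918 hit in the dump says nothing about external C2 and would only pollute a blocklist.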
