Even TrickBot Didn’t trick BitDam
The BitDam service, running at one of our American customers, recently detected an email containing a TrickBot dropper with the following SHA1 – 8cad6d7f47553b363698230c36c36cb39a801126.
It was pretending to be sent from Bank of America – the subject of the email was “FW: Incoming Confirmation” and it arrived from Denise.Makarem@bofamail.com. The attackers tried to lure their victim into clicking the attachment by pretending the email was sent by a known bank.
You can read more about TrickBot at the end of this blog post, but first I’d like to take you through the analysis of this attack.
The following is a technical analysis of the interesting attack vector that we detected just a couple of weeks ago at one of BitDam’s customers.
When I opened the file, it was quite clear that it attempts to look like a ‘Bank of America’ document, as shown in Figure 1.
The attack was macro based, and as I tried viewing the macro, I noticed that the VBA project was password protected. That was done by the attackers in order to make it harder for security teams to debug or view the VBA code of the attack, which was obviously well written.
Once I bypassed the password protection (it was relatively easy), I saw that the VBA project (shown in Figure 2) is made of a VBA module containing most of the code, and a form.
The code in the workbook was very simple. The attackers implemented a Workbook_Open function that runs automatically. That function made only one simple call (shown in Figure 3).
The attackers made a significant effort to make their code look as legitimate as possible. Unlike most cases where we see heavily obfuscated code, this one was clear and even had some comments in it.
The malicious content that the attackers were trying to hide was found in a textbox inside the form.
Figure 4 shows the value hidden in the textbox and the beginning of the ‘de-obfuscation’ of that odd, unreadable string.
Eventually, the string becomes readable and the attackers launch a shell that is supposed to execute it. Figure 5 shows the shell execution and the value it executes.
Figure 6 shows the full PowerShell command line, copied out for readability.
The attackers tried to avoid detection at every phase of the attack. In the PowerShell execution line, we do not see any URLs or downloaders, just a long odd string that is base64 decoded and then decompressed using GZIP. To see what that stream contained, I decoded and decompressed it myself, which revealed PowerShell code with obvious intentions, shown in Figure 7.
Even here, in code whose clear intention is to download and execute an executable, the attackers inserted comments, probably to break up the textual sequence and avoid detection.
This code is relatively clear, as it attempts to download the payload from two different servers:
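The base64-plus-GZIP packing described above is what an analyst has to undo to see the real second stage. The following is an added example, not BitDam's tooling or anything from the sample, that unpacks such a stream from a captured PowerShell command line and flags the decode-and-decompress pattern; the command line and the inner script are constructed and harmless, and the marker list is an assumption about what such launchers typically contain.

```python
import base64
import gzip
import re
import zlib
from typing import List, Optional

# Base64 runs long enough to be an embedded script rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Tokens whose presence alongside a long base64 run suggests a packed stage
# (assumed marker list; extend it from your own telemetry).
DECODE_MARKERS = ("frombase64string", "gzipstream", "decompress", "iex", "invoke-expression")


def decode_gzip_b64(blob: str) -> Optional[str]:
    """Base64-decode a blob and gunzip it; return the text, or None if either step fails."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return gzip.decompress(raw).decode("utf-8", errors="replace")
    except (ValueError, OSError, EOFError, zlib.error):
        return None


def extract_embedded_scripts(cmdline: str) -> List[str]:
    """Return every base64+GZIP stream found in a command line, decoded to text."""
    found = []
    for match in B64_RUN.finditer(cmdline):
        text = decode_gzip_b64(match.group(0))
        if text is not None:
            found.append(text)
    return found


def looks_like_packed_launcher(cmdline: str) -> bool:
    """Flag command lines that pair a decode/decompress marker with a long base64 run."""
    lowered = cmdline.lower()
    has_marker = any(marker in lowered for marker in DECODE_MARKERS)
    return has_marker and B64_RUN.search(cmdline) is not None


# Constructed sample: a harmless inner script, packed the same way the dropper packed its stage.
INNER_SCRIPT = "# constructed harmless stage\nWrite-Output 'stage decoded'\n"
PACKED = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -c \"... [Convert]::FromBase64String('" + PACKED
    + "') ... IO.Compression.GzipStream ... Decompress ... IEX ...\""
)

if __name__ == "__main__":
    print("suspicious:", looks_like_packed_launcher(SAMPLE_CMDLINE))
    for script in extract_embedded_scripts(SAMPLE_CMDLINE):
        print(script)
```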
The payload (sha1 f91ed88e61b431ce883f75797ad36c5a4a9ca212) is TrickBot.
A bit about TrickBot
TrickBot is one of the newer banking trojans; it was first seen in 2016. TrickBot aims to steal banking details, stored passwords and emails, and also steals from Bitcoin wallets.
TrickBot has several modules, each with its own purpose: one for propagation, another for stealing passwords, a module for setting up persistence mechanisms, etc. TrickBot communicates with its Command and Control (C&C) servers, which are hosted on hacked routers.
Propagation-wise, TrickBot uses the EternalBlue SMB exploit (the same one used by WannaCry and NotPetya) to reach new computers within the network. Any computer that has not received the relevant patch is vulnerable to that exploit.
In an unpatched network, where TrickBot can spread easily, it is hard to get rid of. Maintaining persistence through scheduled tasks, it can gain a foothold on many computers within the organization and leak, or take control of, a lot of banking accounts and mailboxes.
The organization targeted by this specific TrickBot attack uses BitDam as its last line of defense. This means that the attack had actually bypassed all the other security solutions in place before BitDam caught it. Just imagine what would have happened if the BitDam solution hadn’t been there.