With a boost from Necurs, Trickbot expands its targeting to numerous U.S. financial institutions
The Necurs botnet first emerged in 2012 and has since become notorious for powering massive, malware-laden spam campaigns. Although the botnet’s historical association with Locky and Jaff Ransomware has long raised concerns from organizations across all sectors, Necurs is now delivering a different type of malware that poses a threat specifically to the financial sector: the Trickbot banking Trojan.
Trickbot has been responsible for man-in-the-browser (MitB) attacks since mid-2016, yet the malware’s webinject configuration had only targeted financial institutions located outside of the U.S. — up until now. Starting on July 17, 2017, Flashpoint observed a new, Necurs-powered Trickbot spam campaign carrying an expanded webinject configuration developed to target and infect customers of international and U.S.-based financial institutions. The latest Trickbot campaign, known as “mac1,” targets customers of various institutions in the U.S., U.K., New Zealand, France, Australia, Norway, Sweden, Iceland, Finland, Canada, Italy, Spain, Switzerland, Luxembourg, Belgium, Singapore, and Denmark.
Thus far, mac1 has fueled at least three different spam waves — all of which have included the Trickbot loader as a final payload. The initial spam wave contained an HTML email masquerading as a bill from an Australian telecommunications company. These malicious emails contained a Zip-archived Windows Script File (WSF) attachment consisting of obfuscated JavaScript code. Upon being clicked, the files download and execute the Trickbot loader. Although this wave utilized malicious WSF scripts as the initial vector of infection, subsequent campaigns have evolved and appear to instead utilize malicious macro-laden documents as their attachments.
Trickbot Analysis
Upon infecting a machine, Trickbot first creates a process with the “CREATE_SUSPENDED” flag, injects its module into that process, and then terminates the initial thread used to launch the Trojan.
Next, Trickbot creates a folder in %APPDATA% and copies itself there, drops an authroot certificate file in %TEMP%, and creates a scheduled task, update[.]job, in the Windows Tasks folder for persistence. Trickbot stores an encoded configuration module in the “resource” section of its binary and retrieves additional modules from its controller domains when needed.
Trickbot’s mac1 main configuration is as follows:
<mcconf><ver>1000027</ver>
<gtag>mac1</gtag><servs>
<srv>194.87.95[.]60:443</srv>
<srv>190.228[.]169.106:443</srv>
<srv>94.42.91[.]27:443</srv>
<srv>118.91.178[.]114:443</srv>
<srv>186.103.161[.]204:443</srv>
<srv>163.53.206[.]187:443</srv>
<srv>46.160.165[.]16:443</srv>
<srv>191.7.30[.]30:443</srv>
<srv>46.160.165[.]31:443</srv>
<srv>197.248.210[.]150:443</srv>
<srv>195.133.201[.]149:443</srv>
<srv>94.140.121[.]250:443</srv>
<srv>83.234.136[.]55:443</srv>
<srv>93.99.68[.]140:443</srv>
<srv>118.91.178[.]145:443</srv>
<srv>168.194.82[.]174:443</srv>
<srv>190.34.158[.]250:443</srv>
</servs>
<autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun></mcconf>
The certificate is set with the expiration date as follows:
<ssert><expir></expir></ssert>
The Trickbot’s server configuration is as follows:
<servconf><expir></expir><plugins>
<psrv>195.69.196[.]77:447</psrv>
<psrv>91.206.4[.]216:447</psrv>
<psrv>189.84.113[.]83:447</psrv>
<psrv>118.91.178[.]98:447</psrv>
<psrv>195.2.253[.]95:447</psrv>
<psrv>195.133.49[.]207:447</psrv>
<psrv>194.87.235[.]155:447</psrv>
</plugins></servconf>
Trickbot’s module configuration is as follows:
<moduleconfig>
<autostart>yes</autostart><sys>yes</sys>
<needinfo name="id"/><needinfo name="ip"/>
<autoconf>
<conf ctl="dinj" file="dinj" period="20"/>
<conf ctl="sinj" file="sinj" period="20"/>
<conf ctl="dpost" file="dpost" period="60"/>
</autoconf>
</moduleconfig>
Trickbot also contains importDll32, mailsearcher32, systeminfo32, injectDll32, and outlookDl32 modules.
Flashpoint observed Trickbot’s mac1 static (“sinj”) and dynamic (“dinj”) webinject modules targeting customers of U.S. and international financial institutions in the following three formats:
<sinj>
<mm></mm>
<sm></sm>
<nh></nh>
<srv></srv>
</sinj><sinj>
<mm></mm>
<sm></sm>
<nh></nh>
<url404>*/error_path/404[.]html*</url404>
<srv></srv>
</sinj>
<igroup>
<dinj>
<lm>*</lm>
<hl></hl>
<pri></pri>
<sq></sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.jpg*</ignore_mask>
<ignore_mask>*.png*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
</igroup>
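As an added example (not Flashpoint’s code and not part of the original write-up), the Python below parses the three Trickbot configuration blocks shown earlier (mcconf, servconf, moduleconfig) and the igroup/dinj filter block above, pulls out the controller and plugin servers with their defanged “[.]” intact, and evaluates the ignore_mask / require_header rules as the listing suggests they apply. The embedded XML is a trimmed, constructed copy of the published listings; the interpretation of lm, ignore_mask and require_header as wildcard matches against the request URL and the response Content-Type is an assumption, and the quote normalization exists only because the blog rendering turned the attribute quotes into typographic ones.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed samples: trimmed copies of the mac1 listings, kept defanged ("[.]")
# exactly as published so nothing here resolves to a live host by accident.
MCCONF = """<mcconf><ver>1000027</ver>
<gtag>mac1</gtag><servs>
<srv>194.87.95[.]60:443</srv>
<srv>190.228[.]169.106:443</srv>
</servs>
<autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun></mcconf>"""

SERVCONF = """<servconf><expir></expir><plugins>
<psrv>195.69.196[.]77:447</psrv>
<psrv>91.206.4[.]216:447</psrv>
</plugins></servconf>"""

# Deliberately left with the typographic quotes (” and ″) the blog rendering produced.
MODULECONF = """<moduleconfig>
<autostart>yes</autostart><sys>yes</sys>
<needinfo name=”id”/><needinfo name=”ip”/>
<autoconf>
<conf ctl=”dinj” file=”dinj” period=”20″/>
<conf ctl=”sinj” file=”sinj” period=”20″/>
<conf ctl=”dpost” file=”dpost” period=”60″/>
</autoconf>
</moduleconfig>"""

DINJ = """<igroup>
<dinj>
<lm>*</lm>
<hl></hl>
<pri></pri>
<sq></sq>
<ignore_mask>*.gif*</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<ignore_mask>*.css*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
</igroup>"""


def _normalize_quotes(text):
    # An XML parser rejects typographic quotes in attributes; map them back to plain ones.
    return text.replace("\u201c", '"').replace("\u201d", '"').replace("\u2033", '"')


def refang(server):
    """'190.228[.]169.106:443' -> ('190.228.169.106', 443), for feeding a blocklist."""
    host, _, port = server.replace("[.]", ".").rpartition(":")
    return host, int(port)


def parse_mcconf(text):
    """Main config: version, campaign tag (gtag), controller servers, autorun modules."""
    root = ET.fromstring(_normalize_quotes(text))
    return {
        "ver": root.findtext("ver"),
        "gtag": root.findtext("gtag"),
        "servers": [s.text.strip() for s in root.iter("srv")],
        "modules": [(m.get("name"), m.get("ctl")) for m in root.iter("module")],
    }


def parse_servconf(text):
    """Server config: the plugin-download servers (the psrv list)."""
    root = ET.fromstring(_normalize_quotes(text))
    return [p.text.strip() for p in root.iter("psrv")]


def parse_moduleconfig(text):
    """Module config: which sub-configs (dinj/sinj/dpost) are refreshed, and how often."""
    root = ET.fromstring(_normalize_quotes(text))
    return {c.get("ctl"): int(c.get("period")) for c in root.iter("conf")}


def dinj_applies(url, content_type, igroup_text):
    """Assumed semantics of one <igroup>: <lm> is a URL wildcard, <ignore_mask> entries
    exclude matching URLs, and the response Content-Type must satisfy a <require_header>
    wildcard. Static assets (images, scripts, stylesheets) are therefore left alone."""
    root = ET.fromstring(_normalize_quotes(igroup_text))
    for dinj in root.iter("dinj"):
        if not fnmatch(url, dinj.findtext("lm") or "*"):
            continue
        if any(fnmatch(url, m.text) for m in dinj.findall("ignore_mask")):
            continue
        required = [r.text for r in dinj.findall("require_header")]
        if required and not any(fnmatch(content_type, r) for r in required):
            continue
        return True
    return False


def iocs(mcconf=MCCONF, servconf=SERVCONF):
    """All controller and plugin hosts, refanged, de-duplicated and sorted for a blocklist."""
    hosts = {refang(s)[0] for s in parse_mcconf(mcconf)["servers"]}
    hosts |= {refang(p)[0] for p in parse_servconf(servconf)}
    return sorted(hosts)


if __name__ == "__main__":
    cfg = parse_mcconf(MCCONF)
    print(f"gtag={cfg['gtag']} ver={cfg['ver']} modules={cfg['modules']}")
    print("refresh periods:", parse_moduleconfig(MODULECONF))
    for host in iocs():
        print("block", host)
    print("login page filtered in:", dinj_applies("https://bank.example/login", "text/html; charset=utf-8", DINJ))
    print("script asset filtered in:", dinj_applies("https://bank.example/static/app.js", "application/javascript", DINJ))
```

The parsers are what a responder would run over a decoded configuration resource to turn it into blocklist entries and to see which sub-configs the injector refreshes and how often; dinj_applies makes the filter rules in the third format concrete, showing that only HTML responses on non-asset URLs pass the ignore_mask and require_header checks.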
Furthermore, Flashpoint’s malware analysis revealed significant similarities between the Trickbot banking Trojan and the Dyre banking Trojan. Indeed, Trickbot is considered to be Dyre’s successor. As such, it’s possible that Trickbot’s author may have either had deep knowledge of Dyre or simply re-used old source code. The Dyre cybercriminal syndicate has historically targeted various Western financial institutions including those located in the U.S., U.K., and Canada. Following a takedown by Russian law enforcement, the Dyre banking Trojan gang ceased operations in 2015; their old aliases have since disappeared from the underground.
Conclusion
Since the Trickbot banking Trojan’s mac1 campaign remains fueled by the powerful Necurs botnet, it will likely continue to evolve and target customers of U.S. and international financial institutions. Anti-fraud programs are an important part of many financial institutions’ (FIs’) efforts to detect and counter this threat to their customer base. As threats posed by malware such as Trickbot continue to emerge and their targets expand, it is crucial for all organizations and their users to be extra vigilant in their security practices.
The Trickbot mac1 Indicators of Compromise (IOCs) are available for download here.