Trickbot: U.S. Court Order Hits Botnet’s Infrastructure

A global partnership of security, software, telecommunications and financial services firms have struck a blow against the notorious Trickbot botnet by securing a court order directing hosting providers to take down its infrastructure. The order was obtained in a U.S. lawsuit filed by Microsoft and the Financial Services Information Sharing and Analysis Center (FS-ISAC) against Trickbot’s anonymous operators and was based on technical evidence provided by the Symantec, a division of Broadcom (NASDAQ: AVGO) Threat Hunter Team and others. The legal action marked the culmination of a years-long, cross-industry collaboration to find innovative ways to thwart a pernicious botnet that has fueled numerous cyber-crime sprees.

In written testimony provided to the court, Symantec technical director Vikram Thakur said Trickbot has spread prolifically across the internet for years and become one of the most commonly blocked types of malware, suggesting it is now one of the world’s largest botnets.

Thakur described the serious harm caused to users whose computers are infected with Trickbot and whose banking credentials and other sensitive information are frequently stolen by the attackers. He also described its impact on financial institutions, which have borne significant losses due to Trickbot fraud.

In recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims’ networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that “the relationship between Emotet [another botnet], Ryuk and Trickbot is considered one of the most notable in the cybercrime world”.

The botnet’s impact on banks and other financial sector organizations prompted a successful and close collaboration between the security industry and the financial sector, represented by FS-ISAC.

Unlike prior legal “takedown” actions against botnets, this case did not involve seizure of malicious infrastructure or redirection of network traffic but instead relied upon intellectual-property laws to effectively evict the botnet operators from the command-and-control servers they need to maintain access to victim machines.

What is Trickbot?

Trickbot is a major botnet consisting of computers that have been infected with the Trickbot Trojan (Trojan.Trickybot). The Trojan is modular in nature, meaning it can easily be customized with one or more of an array of custom components designed to carry out a range of malicious activities on infected computers. To date, it has mainly been used for two main purposes: stealing credentials from infected computers and acting as a distribution channel for other malware. Symantec believes that Trickbot’s operators earn most of their revenue from selling stolen credentials on the cyber underground and leasing out the botnet as a distribution channel for other malware authors.

Trickbot is spread through spam and phishing email campaigns which usually bear a Microsoft Word attachment containing malicious macros. If the document is opened by the unsuspecting user, Trickbot will be installed on the victim’s computer. In some cases, other malware, particularly ransomware, is also installed on the victim’s computer.

Trickbot will also attempt to leverage known software vulnerabilities to move across the victim’s network and install itself on other computers.

How Trickbot works

Trickbot is modular malware, capable of performing a range of different malicious activities. The first module to be installed on the victim’s computer is the loader, which contains an encrypted list of IP addresses from which it can download its main module.

Once downloaded, the main module will check the architecture of the victim computer and save this along with the bot’s own information. The main component then prepares a framework for additional modules and initiates a connection to one of a pre-configured list of command and control (C&C) servers.

The main module downloads one or more additional modules. Known modules include:

• Banking credential stealer (injectDll): For injecting malicious content into browser windows displaying banking websites in order to steal credentials
• Reconnaissance module (networkDll): For gathering system information and network/domain topology to determine whether the device can be infected with ransomware
• Data stealer (importDll): For stealing data from a web browser 
• Password grabber (Pwgrab: For stealing passwords from various locations
• Cookie stealer (cookiesDll): For stealing cookies from the infected computer
• Information stealer (mailsearcher): For searching all files in all drives in the system looking for specific information
• Point-of-Sale recon (psfin): Reconnaissance module to determine if there are any Point-of-Sale (POS) devices connected
• Remote control module (vncDll): Virtual Network Computing (VNC) module
• SMB spreader (tabDll): For spreading over Server Message Block (SMB) using the EternalRomance exploit and other vulnerabilities patched by Microsoft in March 2017 (MS17-010)
• Outlook stealer (outlookDll): For stealing data saved by Microsoft Outlook
• Lateral movement module (shareDll): For lateral movement/enumeration via Lightweight Directory Access Protocol (LDAP) and SMB exploitation
• Lateral movement module (wormDll): For lateral movement/enumeration via LDAP and SMB exploitation. The shareDll and wormDll modules work in cooperation.
• RDP brute-force module (rdpScanDll): A new module that uses brute-forces the Remote Desktop Protocol (RDP) for a specific list of victims

Stealthy threat

Trickbot includes a number of features designed to minimize the risk of detection by security software. For example, the main module is designed to evade execution within “sandboxes,” which are controlled environments used by security companies to analyze malware.

This module will also check the current user’s privileges and, if they have low privileges, it will elevate them using User Access Control (UAC) bypass, a technique that allows execution of programs with elevated privileges without the user being prompted.

When it obtains elevated privileges, Trickbot will attempt to identify any security software that is installed on the computer and attempt to stop it and end any related services.

Credential theft

One of the main threats for Trickbot victims is credential theft. This is carried out by a module that monitors for browser visits to a pre-configured list of banking websites. If the user visits any of these websites, the module intercepts and alters network traffic between the computer and the website, allowing the attackers to steal the victim’s banking credentials after they are input by the user.

Trickbot will also attempt to steal other credentials from Chrome and Internet Explorer’s password storage features, from various RDP and SSH related services, and from other password managers.

Immediate threat

While infected computers are added to the Trickbot botnet, they yield the most value to attackers immediately after infection. Other malware families are usually delivered at the point of initial infection. Credential theft happens immediately after infection, while banking credentials are stolen the first time the victim attempts to log into their bank. Even if the malware is subsequently detected and the computer is removed from the botnet, much of the damage will have been done at this point, with stolen credentials exfiltrated by the attackers and likely sold to other cyber criminals.

Ongoing battle

By pooling resources and intelligence and utilizing available legal avenues, the information security and financial sectors hope to strike a major blow against Trickbot. Symantec is grateful for the leadership of Microsoft and FS-ISAC and the support of ESET, NTT, and Lumen Technologies. This latest action, however, is just one step in an ongoing campaign. Complete eradication of this botnet will likely require additional actions from government partners in multiple jurisdictions. However, this action proves that successful private industry collaboration can be effective in countering cyber-crime and we hope that this set a new precedent for further initiatives.

Protection

The following protections are in place to protect customers against Trickbot activity:

• Trojan.Trickybot
• SONAR.Trickybot
• Trojan.Trickybot!g7
• Trojan.Trickybot!g8
• Trojan.Trickybot!g11
• Trojan.Trickybot!g13
• Trojan.Trickybot!g16
• Trojan.Trickybot!gen2
• Trojan.Trickybot!gen5
• Trojan.Trickybot!gm

Mitigation

Symantec recommends users observe the following best practices to protect against Trickbot attacks:

• Enable 2FA to prevent compromise of credentials.
• Harden security architecture around email systems to minimize the amount of spam that reaches end-user inboxes and ensure you are following best practices for your email system, including the use of SPF and other defensive measures against phishing attacks.
• Restrict access to RDP Services: Only allow RDP from specific known IP addresses and ensure you are using multi-factor authentication.
• Implement proper audit and control of administrative account usage: You could also implement one-time credentials for administrative work to help prevent theft and usage of admin credentials.
• Create profiles of usage for admin tools: Many of these tools are used by ransomware attackers to move laterally undetected through a network. A user account that has a history of running as admin using PsInfo/PsExec on a small number of systems is probably fine, but a service account running PsInfo/PsExec on all systems is suspicious.