Post-execution scope of impact and threatscape details of a sophisticated malware
First Edition, April 2019
Since its initial release, Trickbot has been an advanced, modular malware, built on complex, well-written code and backed by continuous improvement and on-going development. The modular structure of the code is the most important part of this malware. Other than giving it a clearly defined and segmented flow, it allows the authors to have the ability to add new modules with new purposes to the existing malware, which they have been doing regularly throughout the history of the malware. Trickbot is a beautiful piece of code, used for malicious purposes.
Technical analysis of this malware has been published throughout its existence in the wild, and there are some good, detailed publications available on the internet that go into great technical detail regarding the inner workings of the code and flow of Trickbot. Here’s one of my earlier publications that goes into the flow of execution for Trickbot. This should give the audience a pretty good basic idea of how it operates. Another really good resource on Trickbot is the research published by hasherezade at MalwareBytes and GitHub.
NOTE: In this edition, we look at some never-before published information about this malware. These are a direct result of many hours of research by the author and include some very interesting findings.
In this publication, the focus is on the post-exploitation scenario and also the overall reach and distribution of the payload itself. There are a few things that stand out particularly around the targeting of the external entities and the ways it is achieved through some ingenious techniques applied by the authors, mainly in the target list in the config. We’ll also try to break down the targeting strategy by regions, industry etc. This will allow us to understand the bigger impact that this malware can inflict on the victims and the companies/services/businesses that are the final true target for the distributors. We also look at gathering threat intelligence based on the IOCs, features, geo-locations and techniques that are discovered through deep analysis of the final payload.
NOTE: None of the websites, companies or services mentioned in this publication have vulnerabilities on their end, they are just a part of the target-lists for many banking/financial malware, including Trickbot. These malware families rely on weak security controls on the victims' computer for successful execution.
Trickbot Targets, a history of
The target configs have evolved over time. As Trickbot started gaining ground in the banking malware field back in 2016, new targets were added to the config regularly. At first, it was mainly focused around banks in different regions and the MalActors kept expanding that list, adding new banks to the config every month. At one point in time, it covered banks in a surprisingly diverse geo-location set. There were banks from America, Europe, Australia and Asia (mainly Indian banks like ICICI, HDFC etc.) that were included in the configs and being actively targeted by this malware. At some point later, the MalActors probably came to realise that they would be better off focussing their efforts on the western world, mainly to maximise their profits.
We saw a great focus from the very start on Australian and NZ banking institutions when it came to the target configs. At one time, most of the top-tier and second-tier banks in Australia were being targeted by this malware. Also, it’s been reported in the past that the Australian region was one of the first regions to see deployment of this malware, when it was first released. A very interesting thing to note is that only one Australian bank still remains in the target list — CBA (it is also one of the first banks to be targeted originally, when Trickbot first made an appearance in the wild).
All major banks of the world have been targets since the beginning and most of them are still there.
Change of direction — Interesting new targets
As we dive deeper into the inner workings and techniques of this malware, we discover many interesting things about the way it has been designed to function as a framework for stealing sensitive information and converting that data into a revenue-generating process.
Apart from the straight-forward banking targets, where the MalActors are able to steal money from the victims’ accounts, it is interesting to see that they have started targeting entities that are not banks but hold very important information. Information that can be used to gain access to other entities, can be sold for a substantial dollar value or simply used for profiling victims or extortion.
These are the non-banking targets that we found to be interesting:
These sites are targeted to gain access to victims’ payroll information. Information such as salary slips (which give out more than just salary info) and tax-related documents can be obtained from these sites. This info is highly sensitive and very personal. The MalActors can use this info in many ways. Having knowledge of someone’s personal finance can be leveraged in many obvious and not-so-obvious ways. For example, this info can be then used to craft up special ransomware to target these individuals and then the ransom amount can be set in accordance with their ability to pay. We can see that there are three such service providers that are targeted currently:
ADP — adp.com
https://*runpayroll.adp.com/*
PAYCHEX — paychex.com/
https://myapps.paychex.com/*_remote/*
SurePayroll — surepayroll.com
This one was a big surprise. These are companies that provide access to records that cover a huge landscape which includes, but is not restricted to, legal information, debt-collection, law enforcement related information, healthcare, insurance, government, corporates and more. What exactly they are planning to do with this information is anyone’s guess, and not a hard one at that. It looks like they are trying to get into these systems without having to pay for it and then not having to worry about any of it being traced back to them if or when they end up using this information illegally. Although there’s no direct financial gain by targeting these services, the information extracted by using these services can be very valuable. Again, obvious use-cases that come to mind are selling this info on the dark web and/or extortion.
These are the two services that are targeted for records:
Targets in this category are not that big a surprise and are the closest in nature to the biggest target category, banking. These sites include share-trading platforms, money-exchange websites etc. The financial gain the MalActors are going for seems to be quite straight-forward — money. If they are successful in getting access to the victims’ accounts, they then have the ability to transfer funds out of these accounts.
This one is interesting — it’s a cryptocurrency exchange. Now, the currency itself is not doing as well as it was a while back, but the potential money these exchanges hold is quite staggering. There are a lot of people (I’m looking at you) that are waiting for the next boom to happen! At this time, we can see one bit-exchange in the target list and it is fully functional (no point in targeting Mt. Gox).
This is another interesting entry — fleetone.com. It’s hard to tell what exactly the MalActors stand to gain from this site, other than the obvious information stealing, which can then be used in many different ways. The most beneficial and lucrative way to monetise this information is phishing emails sent to users, with some financial angle, based on the financial activity found on this website.
One of the targets happens to be a hotel chain with over 6800 hotels globally. It’s hard to tell if the MalActors are going after the saved PI belonging to the users or their loyalty credits. Most probably both, as the PI can be used in a number of ways to monetise the stolen information and at the same time, loyalty credits can be sold/exchanged for financial gain. It is interesting to see they have picked only one hotel chain at this time, as this indicates this could be a test run and we could see more hotels added to this list, based on the results of this campaign.
These have been a target for a long time. At the time of this publication, there are two eCommerce targets and they are the biggest players in the game. You guessed it, Amazon and eBay.
Trickbot targets by Industry
Banking still constitutes the biggest part of the target list and for obvious reasons. As noted above though, there has been a big shift back to the western banking institutions and Asian banks are completely out of the list.
Financial services industry targets have grown and have an interesting mix of trading platforms and money exchange services.
Most interesting segments are the records services and the payroll services. These can be the most devastating targets from the victims’ point of view as they can be used for far more devious purposes than just financial gain.
Here’s a chart that gives us an idea of the target segment sizes by industries:
Trickbot targets by Geo-location
The biggest chunk of the targets is located in the US, closely followed by Europe. There are a few Canadian targets and the lowest number is Australian. At this time, New Zealand and India have completely dropped off the list.
Germany has the highest number of targets in the list in the European region, followed by Austria and Spain.
Most of the non-banking targets are US-based.
Trickbot target banks by country
Since banking still is the largest part of the target scope for Trickbot, it is a good idea to break it down based on the country of operation. This list is ever-changing but the bulk of these institutions remain in the list for at least a while.
web*.secureinternetbank.com (multiple targets)
express.53.com ** see the extended list for wild-card targets
lzo.com/de ** see the extended list for wild-card targets
While analysing the config, one of the first things that leaps out at you is the excessive use of wildcards in the target URIs. The entire config is full of them. There are wild-carded URIs specific to target entities and then there are more that are non-specific, very general in nature, based purely on substrings. These are the interesting ones.
The use of wild-carded URIs increases the scope of the targets for this malware, significantly. For example, the entry “/wcmfd/wcmpw/CustomerLogin” returns at least 8 targets at the time of this writing. On the other hand, the entry “https://*/uux.aspx” returns a possible target list that stretches to more than a hundred websites, at the time of this writing. This is a very important piece of information that needs to be factored in when researching the broader targeting of online entities by Trickbot.
If we keep digging in and adding up the potential targeting, including the broader, extended lists of entities covered by the wild-carded entries in the config, the overall list grows quite significantly, to hundreds of potential targets. Further to that, most of these potential targets will never find out if they’re targeted in the first place, as their websites are not specifically included in the target lists of the Trickbot config. This is a major finding that has not been reported on previously.
Here are some examples of Wild-carded URI targeting:
— Extended targets:
— Extended targets:
Extended (wildcards) list of German banks:
http://webapp.de/ptlweb/WebPortal*
https://www.voba-bigge-lenne.de/ptlweb/WebPortal
Volksbank - subsidiaries/branches:
https://www.husumer-volksbank.de/ptlweb/WebPortal
— Extended targets:
The full list of the targets covered by this wild-card:
Extended list (wildcards) of US banks:
savvyatdubuquebank.com/DubuqueBankandTrustOnline/uux.aspx
Here are some more interesting wild-carded URIs:
*/EBC_EBC1961/* - targets multiple banks
The above targets cover a wide range of banking sites.
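The wildcard entries quoted above are only useful to a defender if they can be matched against real URLs. The following is an added example, not code from the original article or from the malware, that turns such entries into regular expressions and checks a list of URLs against them, so a site can find out whether its login page is covered by a generic entry even though its hostname never appears in the config. The matching rules are an assumption made here (`*` matches any run of characters, a scheme-qualified entry must match the whole URL, a bare path entry may appear anywhere), and the `example-bank.test` hosts and the `webapp.de` query string are constructed sample input.

```python
"""Added example, not code from the original article or from the Trickbot
authors: match wildcard target entries against URLs so that a defender can
check whether a site's login page falls under a generic entry even when its
hostname is never named in the config.

Assumption: '*' matches any run of characters (including '/'); an entry that
starts with a scheme must match the whole URL, while a bare path or substring
entry may appear anywhere in the URL. This is a reading of the entries quoted
in the article, not a description of the malware's own matcher.
"""
import re
from typing import Dict, List

# Wildcard entries quoted in the article.
TARGET_ENTRIES = [
    "https://*/uux.aspx",
    "/wcmfd/wcmpw/CustomerLogin",
    "*/EBC_EBC1961/*",
    "http://webapp.de/ptlweb/WebPortal*",
]

# Constructed URLs for the demonstration. The example-bank.test hosts and the
# webapp.de query string are made up; the uux.aspx URL is the one the article
# lists as covered by the https://*/uux.aspx entry.
SAMPLE_URLS = [
    "https://savvyatdubuquebank.com/DubuqueBankandTrustOnline/uux.aspx",
    "https://login.example-bank.test/wcmfd/wcmpw/CustomerLogin?lang=en",
    "https://online.example-bank.test/EBC_EBC1961/start.do",
    "http://webapp.de/ptlweb/WebPortal?bankid=TEST",
    "https://www.example-bank.test/about-us",
]


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Translate one wildcard entry into a compiled, case-insensitive regex."""
    # Escape everything except the wildcard, then let each '*' become '.*'.
    body = ".*".join(re.escape(part) for part in entry.split("*"))
    if entry.startswith(("http://", "https://")):
        # A scheme-qualified entry describes the complete URL.
        return re.compile(r"^" + body + r"$", re.IGNORECASE)
    # A bare path or substring entry may occur anywhere in the URL.
    return re.compile(body, re.IGNORECASE)


def match_urls(entries: List[str], urls: List[str]) -> Dict[str, List[str]]:
    """Return {entry: [urls it covers]} for every entry that hits at least once."""
    compiled = [(entry, entry_to_regex(entry)) for entry in entries]
    hits: Dict[str, List[str]] = {}
    for url in urls:
        for entry, pattern in compiled:
            if pattern.search(url):
                hits.setdefault(entry, []).append(url)
    return hits


def uncovered_urls(entries: List[str], urls: List[str]) -> List[str]:
    """URLs that no entry matches, in input order."""
    covered = {url for hit in match_urls(entries, urls).values() for url in hit}
    return [url for url in urls if url not in covered]


if __name__ == "__main__":
    for entry, hit in match_urls(TARGET_ENTRIES, SAMPLE_URLS).items():
        print(f"{entry!r} covers:")
        for url in hit:
            print(f"    {url}")
    print("not covered:", uncovered_urls(TARGET_ENTRIES, SAMPLE_URLS))
```

A security team can feed `match_urls` its own inventory of customer-facing URLs and the entries from a freshly decoded config; any hit on a generic entry such as `https://*/uux.aspx` is a reason to treat the site as in scope even though it is not named anywhere in the list.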
Threat Intelligence: The C2 infra-structure
The distribution chain for Trickbot is quite straight-forward. The initial infection vector is phishing; from there on it follows the usual flow of execution, which has been covered in one of my previous publications, available here.
A look at the C2 infra-structure from a threat-intel angle reveals interesting findings. The servers are usually set up for multiple paths of delivery, through different URIs. Some of these servers have been used to distribute more than one payload and some of them are easy to trace/connect, as they have been known to serve binaries that are common to multiple C2 servers. This is interesting and important information from a threat-hunting angle, and can be used by threat-intel teams to provide meaningful and effective mitigations/protections for their organisations.
It is possible to connect the dots and build a useful repository of C2 servers for Trickbot and use it for tracking future campaigns (a task that is currently being executed by the author). Also, this information can be used to see what other malware families share infra-structure and how researchers can use this information to build better intelligence around these malware families (also currently an active project).
It is very interesting to see how the infra-structure is used effectively with room for collaboration between MalActors.
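The "connect the dots" step described above can be done mechanically once sightings are recorded as (server, delivery URI, hash of served binary). The following is an added example, not code from the original article or from the author's tracking project: it lists binaries seen on more than one server, lists the delivery paths per server, and merges servers that share a binary into clusters with a small union-find. Every hostname, URI and hash in it is a constructed placeholder, not a real indicator.

```python
"""Added example, not from the original article: link C2 servers that have
served the same payload binary, so a server seen only once can be tied to
the rest of its cluster. Every hostname, URI and hash below is a constructed
placeholder, not a real indicator.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Sighting = Tuple[str, str, str]  # (server, delivery URI, sha256 of served binary)

# Constructed sightings. The .invalid TLD guarantees these never resolve.
SIGHTINGS: List[Sighting] = [
    ("c2-alpha.invalid", "/path-a", "a1" * 32),
    ("c2-alpha.invalid", "/path-b", "b2" * 32),
    ("c2-beta.invalid", "/path-a", "a1" * 32),
    ("c2-delta.invalid", "/update", "b2" * 32),
    ("c2-gamma.invalid", "/loader", "c3" * 32),
    ("c2-epsilon.invalid", "/x", "d4" * 32),
]


class DisjointSet:
    """Minimal union-find used to merge servers that share a binary."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def add(self, item: str) -> None:
        self.parent.setdefault(item, item)

    def find(self, item: str) -> str:
        while self.parent[item] != item:
            self.parent[item] = self.parent[self.parent[item]]  # path halving
            item = self.parent[item]
        return item

    def union(self, a: str, b: str) -> None:
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def shared_binaries(sightings: List[Sighting]) -> Dict[str, Set[str]]:
    """Hashes served by more than one server, mapped to those servers."""
    by_hash: Dict[str, Set[str]] = defaultdict(set)
    for server, _uri, sha256 in sightings:
        by_hash[sha256].add(server)
    return {sha: servers for sha, servers in by_hash.items() if len(servers) > 1}


def delivery_paths(sightings: List[Sighting]) -> Dict[str, List[str]]:
    """Distinct delivery URIs observed per server, sorted."""
    paths: Dict[str, Set[str]] = defaultdict(set)
    for server, uri, _sha256 in sightings:
        paths[server].add(uri)
    return {server: sorted(uris) for server, uris in paths.items()}


def cluster_servers(sightings: List[Sighting]) -> List[Set[str]]:
    """Group servers transitively linked by shared binaries; largest cluster first."""
    ds = DisjointSet()
    for server, _uri, _sha256 in sightings:
        ds.add(server)
    for servers in shared_binaries(sightings).values():
        first, *rest = sorted(servers)
        for other in rest:
            ds.union(first, other)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for server in ds.parent:
        groups[ds.find(server)].add(server)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


if __name__ == "__main__":
    for sha256, servers in shared_binaries(SIGHTINGS).items():
        print(f"{sha256[:16]}... served by {sorted(servers)}")
    for server, uris in delivery_paths(SIGHTINGS).items():
        print(f"{server}: {uris}")
    for cluster in cluster_servers(SIGHTINGS):
        print("cluster:", sorted(cluster))
```

In the constructed data, `c2-alpha` shares one binary with `c2-beta` and another with `c2-delta`, so the three land in one cluster even though `c2-beta` and `c2-delta` never served the same file; the transitive link is what lets a newly seen server inherit the blocking and hunting context of servers already known.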
Trickbot has been around for quite some time now. It started as a banking malware, targeting banking institutions to start with and then pivoted into other, similar industries, with the sole purpose of maximising profits. Recently, the MalActors have broadened their target base even more, venturing into non-banking institutions and also targeting really interesting sectors such as records, legal and bit-exchanges. We also saw a fleet-management company targeted in the latest config.
The biggest and most effective technique has been the use of wild-carded target URIs — this takes the targeting to the next level. As we saw earlier, this technique serves two purposes: the first is to increase the targeting (e.g. hundreds of banks targeted in one line of config) and the second is to hide the targets from researchers (the actual names are not included in the list at any point). This is the most efficient, well-thought-out and perfectly executed technique in a financial malware.
We know that Trickbot is a well-coded, sophisticated and modular malware. Based on that alone, we should expect it to keep evolving, moving in different directions (most of the current modules were added gradually after the initial release — lateral movement, Outlook targeting, POS targeting etc.). The MalActors behind it will keep researching and looking for new sources of revenue, new industries to target and new ways of doing so. We haven’t seen the last of it, or even the best of it, yet. And we’ll keep researching this interesting malware in the future.