Let’s Learn: Reversing Trickbot Banking Trojan’s New "WormShare" Persistence Module

Goal: Reverse the latest Trickbot module called “shareDll32”, used to spread the malware through network shares. It is meant to operate in tandem with the worm32Dll module.
Source:
Background
While analyzing one of the latest Trickbot group tag “mac1/tot1/tt0002” email spam campaigns (subject: “Copy of Invoice – {rand}”) (thanks to @dvk01uk), we identified a newly deployed “share32Dll” module.
The decoded module contains the four usual Trickbot exported functions:
  • Start
  • Control
  • FreeBuffer
  • Release
The observed Trickbot main config module was as follows (version 1000053):
   1000053
   tt0002
  
Summary
share32Dll, compiled via ‘GCC: (Rev1, Built by MSYS2 project) 6.3.0,’ allows Trickbot operators to spread through network shares and establishes persistence by registering a service through common Windows API calls. This module appears to be meant for use in tandem with the worm32Dll module to spread Trickbot across local networks and shares via the ETERNALBLUE SMB exploit and LDAP queries.
The observed methods in the share32Dll module are as follows:
I. Download a copy of the Trickbot loader from the payload URL hxxp://duhasti8[.]beget[.]tech/toler[.]png and save it locally as “setup.exe”, leveraging WINHTTP.dll API calls in the function the Trickbot operators named “WormShare”.
The following API calls are used:
  • WinHttpOpen
  • WinHttpConnect
  • WinHttpOpenRequest
  • WinHttpSendRequest
  • WinHttpQueryDataAvailable
  • WinHttpReadData
  • WinHttpReceiveResponse
  • WinHttpCloseHandle

II. Enumerate local network resources using Mpr.dll API calls, combined with GetComputerNameW, to find shares that may hold user directories:

  • WNetOpenEnumW* (dwScope = 2u)
  • WNetCancelConnection2W
  • WNetCloseEnum
  • WNetEnumResourceW
  • WNetAddConnection2W
*The dwScope value 2u (RESOURCE_GLOBALNET) puts all resources on the network in scope.
  v16 = WNetOpenEnumW(2u, 0, 0, a1, &hEnum);          /* dwScope 2 = RESOURCE_GLOBALNET */
  if ( !v16 )
  {
    v1 = GetProcessHeap();
    Dst = HeapAlloc(v1, 8u, dwBytes);                  /* 8 = HEAP_ZERO_MEMORY */
    if ( Dst )
    {
      do
      {
        memset(Dst, 0, dwBytes);
        v15 = WNetEnumResourceW(hEnum, &cCount, Dst, &dwBytes);
        if ( v15 )
        {
          if ( v15 != 259 )                            /* 259 = ERROR_NO_MORE_ITEMS */
            break;
        }
        else
        {
          while ( v23 < cCount )                       /* Dst holds cCount NETRESOURCEW entries (8 DWORDs each) */
          {
            if ( *((_DWORD *)Dst + 8 * v23 + 2) == 2 ) /* dwDisplayType == RESOURCEDISPLAYTYPE_SERVER */
            {
              nSize = 15;                              /* MAX_COMPUTERNAME_LENGTH */
              Str1 = 92;                               /* 92 = '\\': builds "\\<own computer name>" */
              v7 = 92;
              if ( GetComputerNameW((LPWSTR)&v8, &nSize) == 0 )
                goto LABEL_15;
              if ( wcscmp(&Str1, *((const wchar_t **)Dst + 8 * v23 + 5)) != 0 ) /* +5 = lpRemoteName; skip own host */
              {
                memset(&NetResource, 0, 0x20u);
                wsprintfW(&v5, "%", *((_DWORD *)Dst + 8 * v23 + 5));
                NetResource.lpRemoteName = &v5;
                v16 = WNetAddConnection2W(&NetResource, 0, 0, 0);   /* map the remote share */
                if ( !v16 )
                {
                  service_create(*((LPCWSTR *)Dst + 8 * v23 + 5));  /* copy binary and register service (section III) */
                  WNetCancelConnection2W(NetResource.lpRemoteName, 0, 0);
                }
              }
            }
            if ( *((_DWORD *)Dst + 8 * v23 + 3) & 2 ) /* dwUsage & RESOURCEUSAGE_CONTAINER: descend into it */
              service_create1((LPNETRESOURCEW)Dst + v23);
            ++v23;
          }
        }
      }
      while ( v15 != 259 );
    }
  }
LABEL_15:
  if ( hEnum )
    WNetCloseEnum(hEnum);

III. Copies itself to the previously mapped ADMIN$ and C$ network shares as “techsvc[.]exe” and creates a rogue service “TechnicalSvc” using the OpenSCManagerW, CreateServiceW, and StartServiceW API calls, with the binary in one of the following locations:
  • %SystemDrive%\techsvc[.]exe
  • %SystemRoot%\system32\techsvc[.]exe
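As an added detection example (not from the original post), the following Python correlates two constructed Windows event records on the same host: a Security event 5140 (network share accessed) for ADMIN$ or C$, followed within a few minutes by a System event 7045 (new service installed) whose service name or image file matches the indicators above. The sample records use a constructed, flattened form of the event data rather than a specific SIEM schema.

```python
import json
from datetime import datetime, timedelta

# Indicators from the share32Dll analysis above.
SERVICE_NAME = "technicalsvc"
IMAGE_NAME = "techsvc.exe"
ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed sample records (flattened event data, one JSON object per line).
SAMPLE_EVENTS = r"""
{"time":"2017-08-01T10:00:00","event_id":5140,"host":"WS02","ip":"10.0.0.15","share":"\\\\*\\ADMIN$"}
{"time":"2017-08-01T10:00:04","event_id":7045,"host":"WS02","service":"TechnicalSvc","image":"C:\\techsvc.exe"}
{"time":"2017-08-01T11:30:00","event_id":7045,"host":"WS03","service":"Spooler","image":"C:\\Windows\\system32\\spoolsv.exe"}
{"time":"2017-08-01T12:00:00","event_id":7045,"host":"WS04","service":"UpdateSvc","image":"C:\\Windows\\system32\\techsvc.exe"}
"""

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def is_trickbot_service(ev):
    """7045 whose service name or image file name matches the share32Dll indicators."""
    if ev.get("event_id") != 7045:
        return False
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    return ev.get("service", "").lower() == SERVICE_NAME or image == IMAGE_NAME

def find_lateral_movement(events, window=timedelta(minutes=5)):
    """One alert per matching 7045; source_ip is the remote host that touched an
    admin share on the same machine within `window` before it (None if no match)."""
    alerts, share_access = [], []      # share_access: (time, host, remote ip)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 5140 and ev.get("share", "").split("\\")[-1] in ADMIN_SHARES:
            share_access.append((t, ev["host"], ev["ip"]))
        elif is_trickbot_service(ev):
            src = [ip for st, h, ip in share_access if h == ev["host"] and t - st <= window]
            alerts.append({"host": ev["host"], "service": ev["service"],
                           "image": ev["image"], "source_ip": src[-1] if src else None})
    return alerts

if __name__ == "__main__":
    for alert in find_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

A 7045 match without a preceding share access is still reported (source_ip None), since the module also installs the service on the host it runs on.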
Template module configuration in XML format is as follows:

Let’s Learn: Trickbot Banking Trojan Adds Credential Stealer to Inject Module & Targets Windows 10 Edge Browser

Goal: Reverse the latest Trickbot module called “testnewinj32Dll” and its methods for stealing banking authentication data via the techniques known as webinjects, web fakes, and redirection attacks.
Source (*already decoded modules):
PDB: 
F:\\Projects\\browsers_engine\\Callback\\Builds\\Bin\\x86\\Release_nologs\\rtbroker_dll.pdb


Background
While analyzing one of the latest Trickbot group tag “mac1” email spam campaigns (subject: “Emailed Invoice – {rand}”) with @James_inthe_box, we identified a newly deployed “testwebinj32Dll” module, meant to replace the previous “inject32Dll” module.
The new decoded module contains the four usual Trickbot exported functions:
  • Start
  • Control
  • FreeBuffer
  • Release
The observed Trickbot main config module was as follows:
   1000047
   mac1
   
If we compare the older “inject32Dll” and the new “testnewinj32Dll,” we observe newly added functions targeting Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge.

The new observed methods in the testnewinj32Dll module are as follows:
I. Internet Explorer browser credential grabber
Obtains login data from Internet Explorer from the registry key HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2, based on the Microsoft_WinInet_* key (format: %2.2X).
II. Google Chrome browser credential grabber
Obtains login data from the Google Chrome browser in %APPDATA%\Google\Chrome\User Data\Default:
  • \Login Data.bak:
      select origin_url, username_value, password_value, length(password_value) from logins where blacklisted_by_user = 0
  • \History:
      select u.url,v.visit_time from visits as v join urls as u on u.id = v.url
III. Microsoft Edge browser credential grabber
Obtains login data on the latest Windows 10 builds using undocumented native Windows Vault API functions to enumerate and extract the credentials stored in the Windows Vault.
IV. Mozilla Firefox browser credential grabber
Obtains Mozilla Firefox credentials in %APPDATA%\Mozilla\Firefox\Profiles:
  • \logins.json (fields located via the strings):
      "hostname":"
      "encryptedUsername":"
      "encryptedPassword":"
  • \places.sqlite:
      select url, last_visit_date from moz_places where last_visit_date > 0 order by last_visit_date desc
Primer on Trickbot Injects
Trickbot targets the following processes:
  • chrome.exe
  • iexplore.exe
  • firefox.exe
  • microsoftedgecp.exe
  • runtimebroker.exe
Trickbot’s reflective injection works as follows:
  • Open the target process and allocate memory in it via VirtualAllocEx
  • Copy the reflective loader function into the allocated memory via WriteProcessMemory
  • Copy the shellcode into the allocated memory via WriteProcessMemory
  • Call FlushInstructionCache to make sure the written code is visible right away
  • Call the CreateRemoteThread injection routine
  • Call ResumeThread
  • Else, call the undocumented API function RtlCreateUserThread to start execution in the remote process, using the offset of the reflective loader function as the entry point
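As an added example (mine, not from the original post), the following Python applies the injection description above to constructed Sysmon-style records: a ProcessAccess (event 10) from another process requesting the rights that VirtualAllocEx, WriteProcessMemory and CreateRemoteThread need, and a CreateRemoteThread (event 8) whose start address is not backed by any loaded module, which is how a reflective loader placed with VirtualAllocEx appears. Field names follow Sysmon's event schema; the sample records and process paths are constructed.

```python
import json

# Processes the testnewinj32Dll module injects into (from the list above).
TARGETS = {"chrome.exe", "iexplore.exe", "firefox.exe",
           "microsoftedgecp.exe", "runtimebroker.exe"}
# Rights an injector needs for VirtualAllocEx, WriteProcessMemory and CreateRemoteThread.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed Sysmon-style records: event 10 = ProcessAccess, event 8 = CreateRemoteThread.
SAMPLE = r"""
{"event_id":10,"SourceImage":"C:\\Users\\bob\\AppData\\Roaming\\winapp\\svchost.exe","TargetImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","GrantedAccess":"0x1F0FFF"}
{"event_id":8,"SourceImage":"C:\\Users\\bob\\AppData\\Roaming\\winapp\\svchost.exe","TargetImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","StartAddress":"0x02A40000","StartModule":""}
{"event_id":8,"SourceImage":"C:\\Users\\bob\\AppData\\Roaming\\winapp\\svchost.exe","TargetImage":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","StartAddress":"0x77A1B2C0","StartModule":"C:\\Windows\\System32\\ntdll.dll"}
{"event_id":10,"SourceImage":"C:\\Windows\\System32\\taskmgr.exe","TargetImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","GrantedAccess":"0x1000"}
{"event_id":8,"SourceImage":"C:\\Windows\\System32\\csrss.exe","TargetImage":"C:\\Windows\\explorer.exe","StartAddress":"0x77A1B2C0","StartModule":"C:\\Windows\\System32\\ntdll.dll"}
"""

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return a reason string if the record looks like injection into a Trickbot target, else None."""
    tgt = basename(ev.get("TargetImage", ""))
    if tgt not in TARGETS:
        return None
    src = basename(ev.get("SourceImage", ""))
    if ev["event_id"] == 10:
        access = int(ev["GrantedAccess"], 16)
        if (access & INJECT_MASK) == INJECT_MASK:   # all three rights requested at once
            return f"{src} opened {tgt} with write+thread rights (0x{access:X})"
    elif ev["event_id"] == 8 and src != tgt:
        if not ev.get("StartModule"):              # start address not inside any loaded module
            return f"{src} started a thread in {tgt} at unbacked address {ev['StartAddress']}"
        return f"{src} started a remote thread in {tgt}"
    return None

def scan(text):
    return [r for r in (classify(json.loads(l)) for l in text.strip().splitlines()) if r]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```

Event 10 with the full 0x1F0FFF mask is also requested by legitimate tools such as debuggers and some AV agents, so the source image should be tuned against an allowlist before alerting in production.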

Hooks the following wininet.dll API calls in Internet Explorer and Microsoft Edge:
  • HttpSendRequestA
  • HttpSendRequestW
  • HttpSendRequestExA
  • HttpSendRequestExW
  • InternetCloseHandle
  • InternetReadFile
  • InternetReadFileExA
  • InternetQueryDataAvailable
  • HttpQueryInfoA
  • InternetWriteFile
  • HttpEndRequestA
  • HttpEndRequestW
  • InternetQueryOptionA
  • InternetQueryOptionW
  • InternetSetOptionA
  • InternetSetOptionW
  • HttpOpenRequestA
  • HttpOpenRequestW
  • InternetConnectA
  • InternetConnectW
Hooks the following nspr4.dll API calls in Mozilla Firefox:
  • PR_OpenTCPSocket
  • PR_Connect
  • PR_Close
  • PR_Write
  • PR_Read
Hooks the following chrome.dll API calls in Google Chrome:
  • ssl_read
  • ssl_write
Template webinject configuration in XML format is as follows:
Since Windows 10 comes with a new browser, “Microsoft Edge,” Trickbot operators need their banking Trojan to operate on that software. To implement form grabbing and webinjections in the Windows 10 Edge browser, Trickbot’s rogue rtlbroker hooks the microsoftedgecp.exe process. Normally, runtimebroker.exe is the parent process of the Microsoft Edge browser on Windows 10 machines.
The following four API calls are hooked in the child Microsoft Edge process via the rogue rtlbroker.dll, allowing Trickbot operators to intercept and manipulate Microsoft Edge calls:
  • CreateProcess
  • CreateProcessW
  • CreateProcessAsUserA
  • CreateProcessAsUserW