Goal: Reverse the latest Trickbot’s module called “shareDll32” used for malware spreading in network shares. It is meant for effective operation in tandem with its worm32Dll module.
Source:
- share32Dll (encoded) (6392917a209ad5879f27d38f1fef295d9f5c3c42)
- share32Dll (decoded) (85cbf2118fa61b25b8e22f5ea9fa270f4d1643ee)
- Trickbot loader (4457952ab8bcc1f0ede8f49d013d059db5262dee)
- share32Dll (URL) hxxp://duhasti8[.]beget[.]tech/toler[.]png
- worm32Dll (URL) hxxp://duhasti8[.]beget[.]tech/worming[.]png
Background
While analyzing one of the latest Trickbot group tag “mac1/tot1/tt0002” email spam campaign (subject: “Copy of Invoice – {rand}”) (thanks to @dvk01uk) identified a newly deployed “share32Dll” module.
The decoded module contains four usual Trickbot exported functions:
Start
Control
FreeBuffer
Release
The observed Trickbot main config module was as follows (version 1000053):
1000053
tt0002
91.83.88[.]51:449
188.137.122[.]105:449
188.137.122[.]5:449
187.248.44[.]85:449
187.248.44[.]84:449
194.87.99[.]117:443
195.133.145[.]222:443
185.99.2[.]78:443
88.150.197[.]173:443
195.133.144[.]27:443
194.87.99[.]225:443
185.99.2[.]79:443
62.141.34[.]242:443
194.87.93[.]97:443
5.133.179[.]236:443
185.212.128[.]91:443
91.211.246[.]131:443
185.99.2[.]100:443
95.46.45[.]164:443
185.212.128[.]90:443
107.167.24[.]135:443
194.87.92[.]223:443
194.87.238[.]225:443
178.156.202[.]74:443
178.156.202[.]117:443
93.171.216[.]33:443
93.171.217[.]7:443
Summary
share32Dll, compiled via ‘GCC: (Rev1, Built by MSYS2 project) 6.3.0,’ allows Trickbot operators to spread in network shares and establishes persistency via registering services leveraging common Windows API calls. This module appears to be meant to be used in tandem with the worm32Dll module to spread Trickbot across local networks and shares via ETERNALBLUE SMB exploit and LDAP queries.
The observed methods in the share32Dll module are as follows:
I. Download Trickbot loader copy from the payload URL
“hxxp://duhasti8[.]beget[.]tech/toler[.]png” and save it locally as “setup.exe“leveraging WINHTTP.dll API calls with the so-called “WormShare” function, named by the Trickbot operators.
The following API calls are used:
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WinHttpCloseHandle
II. Enumerate local network resources using Mpr DLL API calls in combination with GetComputerNameW for possible username directories shares:
WNetOpenEnumW* (WORD dwScope = ‘2u’)*
WNetCancelConnection2W
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW*
WNetAddConnection2W
*The parameter ‘2u’ ensures all connections in the network are in scope.
v16 = WNetOpenEnumW(2u, 0, 0, a1, &hEnum);,
if ( !v16 )
{
v1 = GetProcessHeap();
Dst = HeapAlloc(v1, 8u, dwBytes);
if ( Dst )
{
do
{
memset(Dst, 0, dwBytes);
v15 = WNetEnumResourceW(hEnum, &cCount, Dst, &dwBytes);
if ( v15 )
{
if ( v15 != 259 )
break;
}
else
{
while ( v23 < cCount )
{
if ( *((_DWORD *)Dst + 8 * v23 + 2) == 2 )
{
nSize = 15;
Str1 = 92;
v7 = 92;
if ( GetComputerNameW((LPWSTR)&v8, &nSize) == 0 )
goto LABEL_15;
if ( wcscmp(&Str1, *((const wchar_t **)Dst + 8 * v23 + 5)) != 0 )
{
memset(&NetResource, 0, 0x20u);
wsprintfW(&v5, “%”, *((_DWORD *)Dst + 8 * v23 + 5));
NetResource.lpRemoteName = &v5;
v16 = WNetAddConnection2W(&NetResource, 0, 0, 0);
if ( !v16 )
{
service_create(*((LPCWSTR *)Dst + 8 * v23 + 5));
WNetCancelConnection2W(NetResource.lpRemoteName, 0, 0);
}
}
}
if ( *((_DWORD *)Dst + 8 * v23 + 3) & 2 )
service_create1((LPNETRESOURCEW)Dst + v23);
++v23;
}
}
}
while ( v15 != 259 );
}
}
LABEL_15:
if ( hEnum )
WNetCloseEnum(hEnum);
III. Copies itself to the previously mapped network shares ADMIN$ and C$ as “techsvc[.]exe” and creates a rogue service “TechnicalSvc” using OpenSCManagerW, CreateServiceW, & StartServiceW API calls in the following location:
- %SystemDrive%\techsvc[.]exe
- %SystemRoot%\system32\techsvc[.]exe
Template module configuration in XML format is as follows:
yes
Reverse Engineering, Malware Deep Insight 