Source:
- domainDll32 (encoded) (cec42d8ef68aae0a5da8230db75d91fd)
- domainDll32 (decoded) (1e2791877da02d49998dea79515a89ca)
- Trickbot loader (b4d342dc89bc16a1acccd40204064830)
looks like a new #trickbot . Don't know distribution method. hxxp://sumnercapital.com[.]au/ser1812.png not doing much in sandboxes. https://t.co/hDrMFerQqU https://t.co/WUhfRXk5Xf https://t.co/6YGQ6L7dhn @VK_Intel @James_inthe_box @malware_traffic @iCyberFighter
— My Online Security (@dvk01uk) December 18, 2017
Background
Trickbot “DomainGrabber” outline:
II. Connection to “SYSVOL” domain controller
III. Harvesting domain controller XML configuration
More specifically, this module targets "SYSVOL" for domain configuration data. According to Microsoft, "SYSVOL is simply a folder which resides on each and every domain controller within the domain. It contains the domain's public files that need to be accessed by clients and kept synchronised between domain controllers. The default location for the SYSVOL is C:\Windows\SYSVOL although it can be moved to another location during the promotion of a domain controller. It's possible but not recommended to relocate the SYSVOL after DC promotion as there is potential for error. The SYSVOL folder can be accessed through its share \\domainname.com\sysvol or the local share name on the server \\servername\sysvol."
What is more, SYSVOL stores logon scripts, group policy objects and domain configuration XML data that are replicated to every domain controller in the network. Essentially, Trickbot harvests the credential and group policy information stored in SYSVOL through the three steps outlined above.
Sean Metcalf has an interesting write-up on how LDAP can be abused for credential and information harvesting; it highlights the same approach that the Trickbot gang leverages here.
Have you scanned the SYSVOL share on your DCs for Group Policy Preference passwords recently? Hint: attackers have https://t.co/wGiESxYnOx pic.twitter.com/xf8G2y8L0C
— Sean Metcalf (@PyroTek3) May 30, 2017
I. This Trickbot module uses the Active Directory Service Interfaces (ADSI) APIs to query LDAP. The recovered fragment of its LDAP filter is:
(userAccountControl:1.2.840.113556.1.4.803:=8192))
The OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible matching rule and 8192 (0x2000) is the SERVER_TRUST_ACCOUNT flag of userAccountControl, so this clause matches domain controller computer accounts: the module is locating the domain controllers it will connect to next.
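The filter clause above is easier to reason about with the matching rule carried out against sample objects. The following Python is an added example, not code from the original post or from the Trickbot sample: it implements the LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) and LDAP_MATCHING_RULE_BIT_OR (1.2.840.113556.1.4.804) semantics, applies them to a constructed directory snapshot, and adds a small detection helper that flags any filter string (as it might appear in LDAP query telemetry) whose bitwise-AND test on userAccountControl requires the SERVER_TRUST_ACCOUNT bit. The computer account names and userAccountControl values are constructed; the OIDs and flag values are the documented Active Directory constants.

```python
import re

# Extensible matching-rule OIDs defined by Active Directory (documented, real values).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# userAccountControl flag bits (documented, real values).
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096: member workstation or server
UAC_SERVER_TRUST_ACCOUNT = 0x2000        # 8192: domain controller
UAC_TRUSTED_FOR_DELEGATION = 0x80000     # 524288

# Matches "attribute:OID:=integer" items inside an LDAP filter string.
_EXTENSIBLE_ITEM_RE = re.compile(r"([A-Za-z][A-Za-z0-9-]*):(\d+(?:\.\d+)+):=(\d+)")


def parse_extensible_items(ldap_filter):
    """Return [(attribute, rule_oid, mask), ...] for every extensible-match item in the filter."""
    return [(attr, oid, int(value)) for attr, oid, value in _EXTENSIBLE_ITEM_RE.findall(ldap_filter)]


def evaluate_bit_rule(oid, attr_value, mask):
    """Apply an AD bitwise matching rule to one integer attribute value."""
    if oid == LDAP_MATCHING_RULE_BIT_AND:
        return (attr_value & mask) == mask      # every bit in the mask must be set
    if oid == LDAP_MATCHING_RULE_BIT_OR:
        return (attr_value & mask) != 0         # any bit in the mask may be set
    raise ValueError(f"unsupported matching rule OID {oid}")


def select_objects(ldap_filter, objects):
    """Names of objects for which all extensible-match items in the filter hold."""
    items = parse_extensible_items(ldap_filter)
    if not items:
        raise ValueError("filter contains no extensible-match items")
    return [
        obj["name"]
        for obj in objects
        if all(evaluate_bit_rule(oid, obj.get(attr, 0), mask) for attr, oid, mask in items)
    ]


def flags_dc_enumeration(ldap_filter):
    """Detection helper: True when a BIT_AND test on userAccountControl requires SERVER_TRUST_ACCOUNT."""
    return any(
        attr.lower() == "useraccountcontrol"
        and oid == LDAP_MATCHING_RULE_BIT_AND
        and (mask & UAC_SERVER_TRUST_ACCOUNT) != 0
        for attr, oid, mask in parse_extensible_items(ldap_filter)
    )


# Constructed directory snapshot (names and flag combinations are made up for the example).
SAMPLE_COMPUTERS = [
    {"name": "WS01$", "userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT},
    {"name": "FS01$", "userAccountControl": UAC_WORKSTATION_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION},
    {"name": "DC01$", "userAccountControl": UAC_SERVER_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION},
    {"name": "DC02$", "userAccountControl": UAC_SERVER_TRUST_ACCOUNT},
]

# The clause recovered from the module, as quoted in the post.
TRICKBOT_FILTER_ITEM = "(userAccountControl:1.2.840.113556.1.4.803:=8192))"

if __name__ == "__main__":
    print("matched:", select_objects(TRICKBOT_FILTER_ITEM, SAMPLE_COMPUTERS))
    print("looks like DC enumeration:", flags_dc_enumeration(TRICKBOT_FILTER_ITEM))
```

Only the two domain controllers satisfy the clause, which is the point of the filter. Note that the check in `flags_dc_enumeration` is a coarse signal: legitimate tooling (for example DC locator code) issues similar queries, so it is a trigger for correlation with the subsequent SYSVOL access rather than an alert on its own.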
II. Trickbot connects to the domain controller returned by the LDAP query above and maps its SYSVOL share.
The relevant decompiled C++ function, lightly reformatted with comments and with the closing braces that the original listing truncated, is as follows:
    // Resolve the domain controller host name obtained from the LDAP query to an IPv4 address
    v26 = gethostbyname(&name);
    if ( v26 )
    {
        v25 = (struct in_addr *)*v26->h_addr_list;
        v2 = inet_ntoa(*v25);
        MultiByteToWideChar(0, 1u, v2, -1, &WideCharStr, 32);   // ANSI dotted-quad -> UTF-16 for the UNC path
        // Ask the local machine for its domain role information
        v30 = DsRoleGetPrimaryDomainInformation(0, DsRolePrimaryDomainInfoBasic, &Buffer);
        if ( v30 )
            return v21;
        // Build \\<DC IP>\SYSVOL\<DNS domain name>; DWORD index 3 of the
        // DSROLE_PRIMARY_DOMAIN_INFO_BASIC buffer is the DomainNameDns pointer in a 32-bit build
        snwprintf_s(&DstBuf, 260u, 260u, L"\\\\%ls\\SYSVOL\\%ls", &WideCharStr, *((_DWORD *)Buffer + 3));
        memset(&Dst, 0, 0x20u);                    // zero a NETRESOURCEW structure (32 bytes on 32-bit)
        lpName = &DstBuf;                          // decompiler's name for the structure's remote-name field
        v30 = WNetAddConnection2W((LPNETRESOURCEW)&Dst, 0, 0, 0);   // map the SYSVOL share
        if ( !v30 )
        {
            finder_files((int)&DstBuf);            // walk the share looking for the XML files below
            WNetCancelConnection2W(lpName, 0, 0);  // drop the share connection afterwards
        }
    }
III. Finally, Trickbot searches the mapped SYSVOL share of the domain controller for sensitive Group Policy XML configuration files such as scheduledtasks.xml, datasources.xml and printers.xml.
Some of the mitigations against this kind of LDAP abuse are well documented in Metcalf's article listed above. As a general rule, such configuration files in SYSVOL should be secured against unauthorized access, and access to them should be monitored.
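Metcalf's hint in the tweet above, scanning SYSVOL for Group Policy Preference passwords, is the audit a defender can run before this module does. The following Python is an added example, not code from the original post or from the Trickbot sample: it walks a SYSVOL directory tree, parses every XML file, and reports each element carrying a "cpassword" attribute (the attribute that holds a GPP-encrypted password) without printing the value itself. To run offline it builds a constructed SYSVOL tree in a temporary directory; the domain name, policy GUID, account names and cpassword placeholders are all made up for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample SYSVOL content (made up; the cpassword values are placeholders).
POLICY_GUID = "{00000000-0000-0000-0000-00000000c0de}"
SAMPLE_FILES = {
    f"contoso.local/Policies/{POLICY_GUID}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<ScheduledTasks>\n'
        '  <Task name="Backup" changed="2017-12-18 10:00:00">\n'
        '    <Properties action="C" name="Backup" runAs="CONTOSO\\svc_backup" '
        'cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" appName="C:\\backup.exe"/>\n'
        '  </Task>\n'
        '</ScheduledTasks>\n'
    ),
    f"contoso.local/Policies/{POLICY_GUID}/Machine/Preferences/DataSources/DataSources.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<DataSources>\n'
        '  <DataSource name="ERP">\n'
        '    <Properties action="C" userName="CONTOSO\\svc_erp" '
        'cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" dsn="ERP"/>\n'
        '  </DataSource>\n'
        '</DataSources>\n'
    ),
    f"contoso.local/Policies/{POLICY_GUID}/User/Preferences/Printers/Printers.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Printers>\n'
        '  <SharedPrinter name="HQ-Printer">\n'
        '    <Properties action="U" path="\\\\print01\\HQ"/>\n'
        '  </SharedPrinter>\n'
        '</Printers>\n'
    ),
}


def find_cpassword_entries(sysvol_root):
    """Report every XML element under sysvol_root that carries a cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if not fname.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the whole audit
            # ElementTree has no parent pointers, so build a child -> parent map once per file.
            parent_of = {child: parent for parent in tree.iter() for child in parent}
            for elem in tree.iter():
                if "cpassword" not in elem.attrib:
                    continue
                owner = parent_of.get(elem, elem)   # e.g. the <Task> that owns the <Properties>
                findings.append({
                    "file": os.path.relpath(path, sysvol_root).replace(os.sep, "/"),
                    "element": owner.tag,
                    "name": owner.attrib.get("name", ""),
                    # Which account the stored password belongs to, never the cpassword itself.
                    "account": elem.attrib.get("runAs") or elem.attrib.get("userName", ""),
                })
    return sorted(findings, key=lambda f: f["file"])


def build_sample_sysvol(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sysvol(root)
        return find_cpassword_entries(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['file']}: <{finding['element']} name={finding['name']!r}> "
              f"stores a cpassword for {finding['account']}")
```

Against a real domain controller the same function is pointed at the SYSVOL share path (for example a copy taken from \\domainname.com\sysvol) and run from an account that is allowed to read it. Any hit is a preference item whose password should be removed from the policy and rotated; the scan is cheap enough to schedule, and a file-access audit policy on the same Preferences directories gives the monitoring the mitigation paragraph recommends.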