Let’s Learn: Introducing New Trickbot LDAP "DomainGrabber" Module

Goal: Reverse the latest Trickbot’s module called “DomainGabber,” also known as “domainDll32,” used for LDAP harvesting of domain controller configuration.

Source:

Background

While analyzing one of the latest Trickbot group tag “ser1812/tt0002” (version 1000105-1000106) loaders shared by @dvk01uk found an interesting a Trickbot module titled “domainDll” module. (Tip: the “tt0002” group tag is known as a “Trick Test” tag; it is oftentimes deployed to update the existing config on the victim machine.)

Trickbot “DomainGrabber” outline:

I. Lightweight Directory Access Protocol (LDAP) query for domain controllers
II. Connection to “SYSVOL” domain controller
III. Harvesting domain controller XML configuration

As usual, the decoded module contains four Trickbot exported functions:

Start
Control
FreeBuffer
Release
The observed Trickbot main config module was as follows (version 1000106):
   1000106
   tt0002
   
      200.111.97[.]235:449
      177.250.126[.]51:449
      94.250.253[.]142:443
      82.146.48[.]44:443
      80.87.199[.]190:443
      82.146.49[.]135:443
      82.146.48[.]187:443
      37.46.133[.]10:443
      92.53.91[.]15:443
      188.120.243[.]242:443
      92.53.66[.]177:443
      92.53.78[.]228:443
      92.53.66[.]162:443
      82.146.48[.]243:443
      37.46.131[.]45:443
      78.24.218[.]168:443
      37.46.133[.]14:443
      62.109.17[.]228:443
      82.146.61[.]103:443
      82.146.61[.]140:443
      82.146.61[.]247:443
      92.63.96[.]24:443
      194.87.232[.]167:443
      185.158.114[.]164:443
      37.230.112[.]104:443
      194.87.103[.]83:443
      92.53.91[.]113:443
      37.230.113[.]100:443
      95.213.195[.]221:443
      37.230.113[.]118:443
      194.87.238[.]4:443
      194.87.98[.]166:443
      195.2.253[.]125:443
      94.250.248[.]168:443
      179.43.160[.]53:443
      37.46.133[.]251:443
      194.87.144[.]222:443
   
   
     
     
   
Summary
“domainDll32,” compiled via ‘GCC: (Rev1, Built by MSYS2 project) 7.2.0,’ allows Trickbot operators to collect domain controller information once they are already on the compromised machine. This module is internally called “DomainGrabber” and accepts command “getdata” in order to start harvest domain information. domainDll appears to be aimed at exploiting networks with unsecured domain controllers.

More specifically, this module targets “SYSVOL” for domain configuration information data. According to Microsoft, “SYSVOL is simply a folder which resides on each and every domain controller within the domain. It contains the domains public files that need to be accessed by clients and kept synchronised between domain controllers. The default location for the SYSVOL is C:\Windows\SYSVOL although it can be moved to another location during the promotion of a domain controller. It’s possible but not recommended to relocate the SYSVOL after DC promotion as there is potential for error. The SYSVOL folder can be accessed through its share \\domainname.com\sysvol or the local share name on the server \\servername\sysvol.” 

What is more, SYSVOL stores various logon scripts, group policy and domain configuration XML data that is synchronized among all domain controllers in the network. Essentially, Trickbot grabs credential and group policy information stored in SYSVOL as follows:

groups.xml
services.xml
scheduledtasks.xml
datasources.xml
printers.xml
drives.xml

Sean Metcalf has an interesting write-up on how LDAP can be exploited for credential and information harvesting highlighting this similar approach leveraged by the Trickbot gang. 


https://platform.twitter.com/widgets.jsI. This Trickbot module was programmed leveraging Active Directory Service Interfaces (ADSI) APIs  to query LDAP.

IIDFromString “{001677D0-FD16-11CE-ABC4-02608C9E7553}
IID_IADsContainer is defined as 001677D0-FD16-11CE-ABC4-02608C9E7553
ads_open = ADsOpenObject(“G”, 0, 0, 1u, &iid, &v11);
DsOpenObject function binds to an ADSI object using explicit user name and password starting with the letter “G”
IIDFromString(L”{00020404-0000-0000-C000-000000000046}”, &iid);
The GUID associated with the IEnumVARIANT interface
IIDFromString(L”{109BA8EC-92F0-11D0-A790-00C04FD8D5A8}”, &iid); 
-IID_IDirectorySearch is defined as 109BA8EC-92F0-11D0-A790-00C04FD8D5A8
The module queries all domain controllers as follows:

(&(objectCategory=computer) 


(userAccountControl:1.2.840.113556.1.4.803:=8192))

II. Trickbot connects to domain  controller and queries SYSVOL leveraging parsing the aforementioned LDAP query.

The relevant pseudocoded C++ function is as follows:

                str_func((int)&name, 260, “%ls”, *(_DWORD *)(v6 + 8));
                v26 = gethostbyname(&name);
                if ( v26 )
                {
                  v25 = (struct in_addr *)*v26->h_addr_list;
                  v2 = inet_ntoa(*v25);
                  MultiByteToWideChar(0, 1u, v2, -1, &WideCharStr, 32);
                  v30 = DsRoleGetPrimaryDomainInformation(0, DsRolePrimaryDomainInfoBasic, &Buffer);
                  if ( v30 )
                    return v21;
                  snwprintf_s(&DstBuf, 260u, 260u, L”\\\\%ls\\SYSVOL\\%ls“, &WideCharStr, *((_DWORD *)Buffer + 3));
                  memset(&Dst, 0, 0x20u);
                  lpName = &DstBuf;
                  v30 = WNetAddConnection2W((LPNETRESOURCEW)&Dst, 0, 0, 0);
                  if ( !v30 )
                  {
                    finder_files((int)&DstBuf);
                    WNetCancelConnection2W(lpName, 0, 0);

III. Finally, Trickbot queries stored domain controller for sensitive XML configurations such as scheduledtasks.xml, datasources.xml printers.xml, and etc.

Some of the mitigations against LDAP exploitation are well-documented in Metcalf’s article listed above. As a general rule of thumb, such configuration files should be secured from any unauthorized access in SYSVOL, and access to them should be monitored.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s