TrickBot

Forum for analysis and discussion about malware.
tildedennis
Posts: 32
Joined: Mon Jun 17, 2013 7:57 pm

TrickBot

Post by tildedennis » Thu Oct 20, 2016 6:58 pm

* https://twitter.com/hasherezade/status/ ... 1998101505
* http://www.threatgeek.com/2016/10/trick ... ction.html

Sample (attached): https://virustotal.com/en/file/2c4eab03 ... /analysis/

Each of the <srv>s are queried for a <servconf>:

<servconf>
<expir>1480550400</expir>
<plugins>
<psrv>80.79.114.179:443</psrv>
</plugins>

Modules are downloaded from <psrv>s. 2 modules attached: systeminfo and injectDll. At the end of each module is a <moduleconfig>, something like this for injectDll:

<moduleconfig>
<autostart>yes</autostart>
<needinfo name="id"/>
<needinfo name="ip"/>
<autoconf>
<conf ctl="dinj" file="dinj" period="90"/>
<conf ctl="sinj" file="sinj" period="90"/>
<conf ctl="dpost" file="dpost" period="180"/>
</autoconf>
</moduleconfig>

The <conf> files are downloaded from <srvs> again. dinj targets .au banks and looks like:

<igroup>
<dinj>
<lm>*/onlineserv/CM*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*ibanking.stgeorge.com.au/ibank/loginPage.action*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*ib.nab.com.au/nabib/index.jsp*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*banking.westpac.com.au/wbc/banking/handler*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*anz.com/IBAU/BANKAWAYTRAN*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
<dinj>
<lm>*anz.com/INETBANK/login.asp*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*cibconline.cibc.com/olbtxn/authentication/*.cibc*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>

dpost looks like:

<dpost>
<handler>http://188.138.1.53:8082</handler>
</dpost>

And sinj is empty.

entdark
Posts: 5
Joined: Mon Sep 26, 2016 12:24 pm

Re: TrickBot

Post by entdark » Fri Oct 21, 2016 6:18 am

All samples for the time being are using pretty much the same config; the only thing changing is the ver and gtag.
This one's ver is 00003, whilst the first ones were 000002 and gtag was tmt2.

<ver>1000003</ver>
<gtag>tt00002</gtag>
<servs>
<srv>91.219.28.77:443</srv>
<srv>193.9.28.24:443</srv>
<srv>37.1.209.51:443</srv>
<srv>138.201.44.28:443</srv>
<srv>188.116.23.98:443</srv>
<srv>104.250.138.194:443</srv>
<srv>46.22.211.34:443</srv>
<srv>68.179.234.69:443</srv>
<srv>5.12.28.0:443</srv>
<srv>36.37.176.6:443</srv>
<srv>37.109.52.75:443</srv>
<srv>84.232.251.0:443</srv>
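
The config fragments quoted in the two posts above (the <srv> list, and the <igroup>/<dinj> inject rules) are easy to turn into defender-side indicators. The following is an added example in Python, not code from the thread or from any TrickBot tooling; it assumes the fragments are root-less element sequences (as quoted), so it wraps them in a synthetic <root> before parsing, and it treats the `*` in an <lm> mask as a plain wildcard.

```python
# Added example (not from the thread): turn TrickBot config fragments into
# indicators and check proxy-log URLs against the <lm> inject masks.
import fnmatch
import xml.etree.ElementTree as ET

# Constructed samples, using values copied from the posts above.
DINJ_SAMPLE = """
<igroup><dinj><lm>*ibanking.stgeorge.com.au/ibank/loginPage.action*</lm>
<hl>91.219.28.103/response.php</hl><pri>100</pri><sq>1</sq></dinj></igroup>
<igroup><dinj><lm>*cibconline.cibc.com/olbtxn/authentication/*.cibc*</lm>
<hl>91.219.28.103/response.php</hl><pri>100</pri><sq>1</sq></dinj></igroup>
"""
SERVS_SAMPLE = """
<ver>1000003</ver><gtag>tt00002</gtag>
<servs><srv>91.219.28.77:443</srv><srv>193.9.28.24:443</srv></servs>
"""

def _parse_fragment(text):
    """The fragments have no single root element, so add one (assumption)."""
    return ET.fromstring("<root>" + text + "</root>")

def parse_dinj(text):
    """Return [(url_mask, inject_handler, priority)] for every <dinj> rule."""
    rules = []
    for dinj in _parse_fragment(text).iter("dinj"):
        rules.append((dinj.findtext("lm"), dinj.findtext("hl"),
                      int(dinj.findtext("pri"))))
    return rules

def parse_servs(text):
    """Return the bot version, group tag and C2 <srv> list from a main config."""
    root = _parse_fragment(text)
    return {"ver": root.findtext("ver"), "gtag": root.findtext("gtag"),
            "srv": [s.text for s in root.iter("srv")]}

def match_inject(url, rules):
    """Return the <hl> handler whose <lm> mask matches url, or None.
    fnmatchcase keeps '.', '/' and ':' literal and expands only '*'."""
    for mask, handler, _pri in rules:
        if fnmatch.fnmatchcase(url, mask):
            return handler
    return None

def indicators(rules, servs):
    """Hosts/IPs worth blocking or alerting on: inject handlers and C2 servers."""
    hosts = {handler.split("/")[0] for _mask, handler, _pri in rules}
    hosts |= {srv.split(":")[0] for srv in servs["srv"]}
    return hosts
```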

sysopfb
Posts: 96
Joined: Thu Oct 23, 2014 1:22 am

Re: TrickBot

Post by sysopfb » Tue Apr 17, 2018 11:48 pm

Apparently the loader being used by TrickBot which I was calling TrickLoader added UACME #41 back in December, at least according to this post by F5 labs https://labsblog.f-secure.com/2017/12/1 ... christmas/ - thanks Antelox for your google-fu on finding this!


Kind of interesting since that was right around the time IcedId added #41 as well which was documented on these forums.

I was running through the loader which has added a lot of obfuscation including string obfuscation and function XOR encoding/decoding routines as it needs each function.

I outlined my research notes here: https://sysopfb.github.io/malware/2018/ ... uacme.html

Doc and TrickBot sample attached
