Trickbot has undergone significant development over the last couple of months. It has long been able to update its configuration and capabilities via C&C, but it is now being delivered through SendGrid, obfuscates its core functionality in new ways, carries new anti-detection measures, is signed with CA-issued certificates, and serves as the linchpin of a very effective three-pronged attack chain.
Given the rapid pace of development, widespread use, and the increased payoff for successful intrusions, it is highly recommended that commodity malware such as Trickbot be monitored much more closely. To mitigate risk, keep networks and software, both internal and those of vendors and suppliers, up to date, and provide phishing awareness and email safety training to employees on a recurring basis.
Tools, Tactics, & Procedures
Trend Micro reported that Trickbot's new modular capabilities have taken it well beyond banking malware. New TTPs include hiding core functionality, moving laterally through networks, and using certificates issued by a legitimate CA.
In mid-June, SonicWall Labs found that Trickbot was hiding its core functionality by embedding it in the code base of a game that never actually executes. It is a novel way of hiding the malware's functionality from researchers, and it shows that the tool's authors are investing in its own self-protection.
Trickbot is also now being used as part of what some have dubbed the Triple Threat attack, which combines Emotet, Trickbot, and Ryuk ransomware. In this attack chain, Emotet handles the initial infection and detection evasion. Trickbot follows, harvesting credentials and moving laterally through the network. If the harvested credentials and gathered network information show the compromised target to be of high value, Ryuk ransomware is deployed; it also encrypts any network shares reachable from the infected machines and servers.
The latest version of Trickbot, first reported June 26, 2019, is digitally signed with certificates issued by Thawte. This gives the downloader and its C2 domains an air of authenticity and helps the malware evade many of the security measures used in browsers and AV products. Four signer names are currently known:
- Eithan Consulting, Ltd.
- Water Connections, Ltd.
- Cold Bear, Ltd.
- Buldok, Ltd.
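One way to hunt for binaries carrying these signer names on a Windows host, as an added example that is not part of the original report. It relies on Get-AuthenticodeSignature; the search roots are assumptions to adjust for your estate, and the signer names are the four listed above.

```powershell
# Added example (not from the original report): sweep a host for PE files whose
# Authenticode signer matches one of the subject names reported for the
# June 2019 Trickbot samples. Search roots are assumptions; adjust for your estate.
$SuspectSigners = @(
    'Eithan Consulting, Ltd.',
    'Water Connections, Ltd.',
    'Cold Bear, Ltd.',
    'Buldok, Ltd.'
)

# Locations where a dropped downloader typically lands (assumption)
$SearchRoots = @("$env:USERPROFILE\Downloads", $env:TEMP, "$env:ProgramData")

function Find-SuspectSignedBinaries {
    param([string[]]$Roots, [string[]]$Signers)

    Get-ChildItem -Path $Roots -Recurse -Include *.exe,*.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Unsigned files are out of scope for this particular hunt
        if ($null -eq $sig.SignerCertificate) { return }

        # .NET quotes a CN that contains a comma (CN="Cold Bear, Ltd."), so match the
        # raw subject string with a wildcard instead of splitting it on commas.
        $subject = $sig.SignerCertificate.Subject
        foreach ($s in $Signers) {
            if ($subject -like "*$s*") {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Signer   = $subject
                    Issuer   = $sig.SignerCertificate.Issuer
                    # 'Valid' is expected here: the point of a CA-issued cert is that it
                    # chains cleanly. Status alone says nothing about the file being benign.
                    Status   = $sig.Status
                    NotAfter = $sig.SignerCertificate.NotAfter
                    SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
                break
            }
        }
    }
}

Find-SuspectSignedBinaries -Roots $SearchRoots -Signers $SuspectSigners | Format-Table -AutoSize
```

Block on the signer name or the file hash rather than on signature validity: until the issuing CA revokes the certificate, a Valid status is exactly what the attacker paid for. The thumbprint and serial of a hit (`$sig.SignerCertificate.Thumbprint`, `.SerialNumber`) are what to send to the CA for revocation.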
Trickbot is certainly not the first malware to be sent via SendGrid, but it has been reported doing so in the last couple of weeks; in mid-August Cofense reported Orcus malware being shipped via SendGrid. SendGrid is typically whitelisted, so this vector lets threat actors avoid at least initial detection. Much of the detection and reporting of Trickbot's use of SendGrid has come from analysts on Twitter and from online sandboxes.
For those who are members of TruSTAR, we've included links to community reports for further detail on what TruSTAR users are seeing and sharing.
Because Trickbot is pivotal to an increasingly successful Triple Threat attack chain, it is imperative to monitor for Emotet and Ryuk activity as well. Ryuk intrusions have been known to lie dormant for many months while the operators spread through the network; part of this pattern is determining how much a target can potentially pay before detonating the ransomware. This has cost city and state governments hundreds of thousands of dollars, and given that enterprises were among Ryuk's original targets, companies, especially those with multinational footprints, should be hypervigilant.
Recommended Mitigation Steps
- One of Trickbot's primary means of traversing a network is the Windows SMB server vulnerability addressed by MS17-010 (the bug exploited by EternalBlue). MS17-010 is old, often targeted, and should absolutely be patched at this point. It cannot be overstated: keep all systems and software up to date.
- Given the prevalent malicious use of macros, disable all MS Office macros unless absolutely necessary. If macros are needed, have them approved by IT Security on a case-by-case basis.
- The most common attack vector is, and has been, email campaigns containing malicious links and macro-laden documents. Employees should receive email safety and phishing detection training at regular intervals.
- Ransomware attacks are on the rise and will likely only increase. It is therefore crucial that user data be backed up regularly. If resources permit, keep a backup either completely off site or on a separate network that is isolated from the primary network.
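The host-side parts of these steps, checked and enforced from an elevated PowerShell on a Windows endpoint, as an added example that is not from the original report. The Office version (16.0), the KB list and the per-user registry approach are assumptions for your environment; Group Policy is the right way to deploy the macro settings fleet-wide.

```powershell
# Added example (not from the original report): check and enforce the host-side
# mitigations above on a Windows endpoint. Run from an elevated PowerShell.
# Office version (16.0), the KB list and the registry approach are assumptions.

# --- 1. MS17-010 / SMB -------------------------------------------------------
# EternalBlue abuses SMBv1. Patching fixes the bug; removing SMBv1 removes the
# attack surface even on a host that missed the patch.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server protocol is enabled; disabling it'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1Feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Look for the March 2017 updates that shipped the MS17-010 fix (KB numbers from
# the bulletin). Later cumulative updates supersede them, so a host that never
# installed the original KB can be patched and still show no hit: treat "no hit"
# as "verify in your patch inventory", not as "vulnerable".
$ms17010 = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
           'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429'
$hits = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($hits) { $hits | Select-Object HotFixID, InstalledOn }
else       { Write-Warning 'No MS17-010 KB found by Get-HotFix; confirm via patch inventory' }

# --- 2. Office macros --------------------------------------------------------
# VBAWarnings under the Policies hive overrides the user's Trust Center choice:
#   1 = enable all, 2 = disable with notification,
#   3 = disable except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet=1 additionally blocks macros in files carrying
# the Mark-of-the-Web, which is how phishing attachments arrive.
$officeVersion = '16.0'   # assumption: Office 2016/2019/365
foreach ($app in 'Word','Excel','PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# --- 3. Backups --------------------------------------------------------------
# Ryuk encrypts every share the compromised account can write to, so a backup
# target that is persistently mapped from this host is not an isolated backup.
# List the mappings so the backup location can be checked against them.
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
```

The macro keys written here live under HKCU, so they apply only to the current user on this host; the same values pushed through a Group Policy Object reach every user and cannot be undone from the Trust Center.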
Trickbot's use of URL redirection to reach its landing pages is only the tip of the iceberg. Given the rapid development of Trickbot, we predict it will be a trending threat throughout this year. Its ability to be incorporated into profitable attack chains and its modular nature make it both valuable and almost infinitely adaptable. It is highly recommended to implement as many of these mitigation strategies as possible; the layered security will have the added benefit of improving the company's overall posture against many other threats.
View this OSINT Threat Report on TruSTAR to correlate IOCs with your own data.