Dissecting the 10k Lines of the new TrickBot Dropper

Pierluigi Paganini September 11, 2019

Malware researchers at Yoroi-Cybaze analyzed the TrickBot dropper, a threat that has infected victims since 2016.

Introduction

TrickBot it is one of the best known Banking Trojan which has been infecting victims since 2016, it is considered a cyber-crime tool. But nowadays defining it a “Banking Trojan” is quite reductive: during the last years its modularity brought the malware to a higher level. In fact it can be considered a sort of malicious implant able to not only commit bank-related crimes, but also providing tools and mechanism for advanced attackers to penetrate within company networks. For instance, it has been used by several gangs to inoculate Ryuk ransomware within the core servers infrastructure, leading to severe outages and business interruption (e.g. the Bonfiglioli case).

In this report, we analyzed one of the recently weaponized Word documents spread by TrickBot operators all around the globe. Revealing an interesting dropper composed by several thousand highly obfuscated Lines of Code and abusing the so-called ADS (Alternate Data Stream).

Technical Analysis

Hash07ba828eb42cfd83ea3667a5eac8f04b6d88c66e6473bcf1dba3c8bb13ad17d6
ThreatDropper
Brief DescriptionTrickBot document dropper
Ssdeep1536:KakJo2opCGqSW6zY2HRH2bUoHH4OcAPHy7ls4Zk+Q7PhLQOmB:3oo2hNx2Z2b9nJcAa7lsmg5LQOmB

Table 1. Sample’s information

Once opened, the analyzed Word document reveals its nature through an initial, trivial, trick. The attacker simply used a white font to hide the malicious content from the unaware user (and from the endpoint agents). Just changing the font foreground color unveils some dense JavaScript code. This is code will be executed in the next stages of the infection chain, but before digging the JavaScript code, we’ll explore the macro code embedded into the malicious document.

Figure 1. Content of Word document
Figure 2. Unveiled content of Word document

The “Document_Open()” function (Figure 3) is automatically executed after the opening of the Word document. It retrieves the hidden document content through the “Print #StarOk, ActiveDocument.Content.Text” statement and writes a copy of it into the “%AppData%\Microsoft\Word\STARTUP\stati_stic.inf:com1” local file

Figure 3. Macro code embedded in the malicious document

Exploring the folder “\Word\STARTUP” we noticed the “stati_stic.inf” file counts zero bytes. Actually, the dropper abused an old Windows File System feature, known as “Alternate Data Stream” (ADS), to hide its functional data in an unconventional stream. A known techniques, T1096 on Mitre Att&ck framework, can be simply used by concatenating the colon operator and the stream name to the filename during any writing or reading operation. So, we extracted the content of the stream through a simple Powershell command.

Figure 4. Use of Alternate Data Stream to hide the payload

The extracted payload is the initial Word document hidden content. The malicious control flow resumes with the “Document_Close()” function, in which the “StripAllHidden()” function is invoked. This routine deletes all the hidden information embedded into the document by the attacker, probably with the intent to hide any traces unintentionally embedded during the development phase. Its code has probably been borrowed from some public snippets such as the one included at the link

After that, the macro code executes the data just written into the “com1” data stream. Since the stream contains JavaScript code, it will be executed through WScript utility using the following instructions:

  1. CallByName CreateObject(“wS” & Chri & “Ript.She” & Ja), “Run”, VbMethod, Right(Right(“WhiteGunPower”, 8), Rule) & “sHe” & Ja & ” wS” & Chri & “RipT” & GroundOn, 0

Which, after a little cleanup, becomes:

  1. CallByName CreateObject(“wScript.Shell”), “Run”, VbMethod, “powershell wscript /e:jscript “c:\users\admin\appdata\roaming\microsoft\word\startup\stati_stic.inf:com1””, 0

The JavaScript Dropper

Now, let’s take a look at the JavaScript code. It is heavily obfuscated and uses randomization techniques to rename variable names and some comments, along with chunks of junk instructions resulting in a potentially low detection rate.

Figure 5. Example of the sample detection rate

At first glance, the attacker purpose seems fulfilled. The script is not easily readable and appears extremely complex: almost 10 thousand lines of code and over 1800 anonymous function declared in the code.

Figure 6. Content of the JavaScript file

But after a deeper look, two key functions, named “jnabron00” and “jnabron”, emerge. These functions are used to obfuscated every comprehensible character of the script. The first one, “jnabron00”, is illustrated in the following figure: it returns always zero value.   

Figure 7. Function used to obfuscate the code

The other one, “jnabron”, is invoked with two parameters: an integer value (derived from some obfuscated operations) and a string which is always “Ch”.

  1. jnabron(102, ‘Ch’)

The purpose of this function is now easy to understand: it returns the ASCII character associated with the integer value through the “String.fromCharCode” JS function. Obviously, once again, to obfuscate the function internals the attacker included many junk instructions, as reported in Figure 9.

Figure 8. Another function used to obfuscate the code

Using a combination of the two functions, the script unpack its real instructions, causing a tedious work to the analyst who has to understand the malicious intents of the script. As shown in the following figure, tens of code lines result in a single instruction containing the real value will be included in the final script.

Figure 9. Example of de-obfuscation process

After a de-obfuscation phase, some useful values are visible, such as the C2 address, the execution of a POST request, and the presence of Base64-encoded data.

Figure 10. C2 checkin code

Analyzing this hidden control flow we discover the first action to be performed is the gathering of particular system information.  This is done through the WMI interface, specifying a particular WQL query and invoking the “ExecQuery” function to retrieve:

  • Info about Operating System
  • Info about machine
  • Info about current user
  • List of all active processes
Figure 11. Code used to extract information about system

These information are then sent to the command and control server during the check-in phase of the Javascript loader, along with the list of running processes.

Figure 12. Network traffic

Moreover, the script is able to gather a list of all files which have one of the extensions chosen by the attacker: PDF files, Office, Word and Excel documents. The result of this search is then written on a local file into the “%TEMP%” folder, and later uploaded to the attacker infrastructure.

Figure 13. Code to extract absolute paths from specific file types

Conclusion

TrickBot is one of the most active Banking Trojan today, it is considered to be part of Cyber Crime arsenal and it is still under development. The malware, first appeared in 2016, during the last years adds functionalities and exploit capabilities such as  the infamous SMB Vulnerability (MS17-010) including EthernalBlueEthernalRomance or EthernalChampion.

The analyzed dropper contains a highly obfuscated JavaScript code counting about 10 thousand Lines of Code. This new infection chain structure represents an increased threat to companies and users, it can achieve low detection rates enabling the unnoticed delivery of TrickBot payload, which can be really dangerous for its victims: just a few days, or even a few hours in some cases, of active infection could be enough to propagate advanced ransomware attacks all across the company IT infrastructure. 

Technical details, including IoCs and Yara Rules, are available in the analysis published the Yoroi blog.

https://blog.yoroi.company/research/dissecting-the-10k-lines-of-the-new-trickbot-dropper/

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Trickbot, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment