{"id":8530,"date":"2017-08-01T12:10:01","date_gmt":"2017-08-01T20:10:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/01\/news-2304\/"},"modified":"2017-08-01T12:10:01","modified_gmt":"2017-08-01T20:10:01","slug":"news-2304","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/08\/01\/news-2304\/","title":{"rendered":"TrickBot comes with new tricks &#8211; attacking Outlook and browsing data"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Tue, 01 Aug 2017 19:10:43 +0000<\/strong><\/p>\n<p>Last year we reported on a new modular malware using a network protocol similar to Dyreza &#8211; you can read about it <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/10\/trick-bot-dyrezas-successor\/\" target=\"_blank\" rel=\"noopener\">here<\/a>. The malware was not very stealthy and some parts looked to be still under development, but we noticed its potential and how easily it could be extended. 
Indeed, the authors of TrickBot are persistent not only in spreading their product but also in developing new features.<\/p>\n<p>Some of the recent changes have been noted in the report by <em>Security Art Work<\/em> (available <a href=\"https:\/\/www.securityartwork.es\/wp-content\/uploads\/2017\/07\/Trickbot-report-S2-Grupo.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>).<\/p>\n<p>In addition, it has been found that the developers <a href=\"https:\/\/www.flashpoint-intel.com\/blog\/new-version-trickbot-adds-worm-propagation-module\/\" target=\"_blank\" rel=\"noopener\">added a worm module to the bot<\/a> &#8211; probably inspired by the success of worm-equipped ransomware (<a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/05\/the-worm-that-spreads-wanacrypt0r\/\" target=\"_blank\" rel=\"noopener\">WannaCry<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/petya-esque-ransomware-is-spreading-across-the-world\/\" target=\"_blank\" rel=\"noopener\">EternalPetya<\/a>).<\/p>\n<p>But the authors of the malware didn&#8217;t stop there &#8211; recently we captured some further additions, for example a module called Outlook.dll. While most of the modules are written in C++, this one is written in Delphi. 
It may indicate that the team of developers gained some new members that are more comfortable with this particular language.<\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/2ebeef906142f328168e7e62e8be7fbaee48e3521853d76ea778005ada6e938a\/analysis\/\" target=\"_blank\" rel=\"noopener\">9aac1e00d62e0b4049781cc5eff99bc7<\/a> &#8211; main sample (packed)\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/e0984a83a5acb8a382d64bc517ae94edc3e5a092d2466dd15fe3b5220f9c8c5d\/analysis\/1501506937\/\" target=\"_blank\" rel=\"noopener\">9b3659936354dceb1063a42f15d0f12a<\/a> &#8211; main sample (unpacked)\n<ul>\n<li><strong><a href=\"https:\/\/virustotal.com\/en\/file\/b4e66c3753762854d867aa7d91597ab1c500b3f527cb80e7dc48210e6c801bc1\/analysis\/1501507220\/\" target=\"_blank\" rel=\"noopener\">60bd4480035e82393636b0fb60d351ba<\/a> &#8211; bot 32 bit<\/strong><\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/2d5255011d426bacd21753c2009cca3e57f1bd2db9a715ab96776f2c591fa2b0\/analysis\/1501507389\/\" target=\"_blank\" rel=\"noopener\">ba36cf1afb6b6eed38b0a8d54152335b<\/a> &#8211; bot64 bit<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/9c5eb3b9814cfdbab0f3f96dae5e36cc256af7a119f7c9817a731be4f54f34e9\/analysis\/\" target=\"_blank\" rel=\"noopener\">74933912ad87ec0b3a1b570a0ea0832b<\/a> &#8211; loader for 64 bit<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Downloaded modules (32 bit):<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/virustotal.com\/en\/file\/d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e\/analysis\/\" target=\"_blank\" rel=\"noopener\">b6f9ba3fd8af478147c59b2f3b3043c7<\/a> &#8211; OutlookX32.dll<\/strong><\/li>\n<li><strong><a href=\"https:\/\/virustotal.com\/en\/file\/5f13e8151fa80d8a85b4831fe79ec719b0c4e76693b8f7ca390e48b4abc9b179\/analysis\/1501507903\/\" target=\"_blank\" rel=\"noopener\">ac32c723c94e2c311db78fb798f2dd63<\/a> &#8211; module.dll (importDll32)<\/strong><\/li>\n<li><a 
href=\"https:\/\/virustotal.com\/en\/file\/df9b37477a83189cd4541674e64ce29bf7bf98338ed0d635276660e0c6419d09\/analysis\/\" target=\"_blank\" rel=\"noopener\">f8e58af3ffefd4037fef246e93a55dc8<\/a> &#8211; mailsearcher.dll (mailsearcher32)<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/7598c98926dd870969c80036f9a9584d1dbc7b81fae61018a6d34a2de640b870\/analysis\/1501507907\/\" target=\"_blank\" rel=\"noopener\">25570c3d943c0d83d69b12bc8df29b9d<\/a> &#8211; SystemInfo.dll (systeminfo32)<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/c7553b1f5a178c8ef8863045e8c0c0f2e89f4affde89c3ac3b62c663446c5089\/analysis\/\" target=\"_blank\" rel=\"noopener\">5ac93850e24e7f0be3831f1a7c463e9c<\/a> &#8211; loader.dll (injectDll32), reflectively loads submodules:\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/16a7b338e48b6d99c9afe57a72b898411eda586647b25ad6709735807c966fb2\/analysis\/1501512045\/\" target=\"_blank\" rel=\"noopener\">69086a1e935446067ecb1d20bfa99266<\/a> &#8211; core-dll.dll<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/0e0d9bce079aaba3c29b049678981eb28e05744d28ce94c41612ce67f19cc9dc\/analysis\/1501512035\/\" target=\"_blank\" rel=\"noopener\">b34d36c1c76b08e7b8f28d74fbf808d8<\/a> &#8211; rtbroker_dll.dll<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Behavioral analysis<\/h3>\n<p>As before, after being run TrickBot installs itself in a new directory, created in %APPDATA%. 
It then runs a new instance of itself from the installation directory.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19073\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/main_folder.png\" alt=\"\" width=\"606\" height=\"204\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/main_folder.png 606w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/main_folder-300x101.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/main_folder-600x202.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/main_folder-604x204.png 604w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/p>\n<p>Inside this directory it creates a subdirectory <em>Modules<\/em>, where it drops the downloaded modules and their configuration files in encrypted form:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19074\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/modules.png\" alt=\"\" width=\"512\" height=\"254\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/modules.png 512w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/modules-300x149.png 300w\" sizes=\"auto, (max-width: 512px) 100vw, 512px\" \/><\/p>\n<p>The way the modules and configuration files are encrypted hasn&#8217;t changed, so <a href=\"https:\/\/github.com\/hasherezade\/malware_analysis\/tree\/master\/trickbot\" target=\"_blank\" rel=\"noopener\">the same scripts<\/a> can still be used to recover them.<\/p>\n<p>After decrypting <em>config.conf<\/em> we got some more details about the current campaign &#8211; the version of the analyzed configuration is <strong>1000030<\/strong> and the group tag is <strong>tt0002<\/strong>. 
Fragment:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19075\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/config_fragment.png\" alt=\"\" width=\"228\" height=\"66\" \/><\/p>\n<p>As before, persistence is achieved with a Scheduled Task:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19090\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/persistence.png\" alt=\"\" width=\"749\" height=\"207\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/persistence.png 749w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/persistence-300x83.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/persistence-600x166.png 600w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\" \/><\/p>\n<p>Once running, the main bot decrypts and loads all the stored modules. Each module is injected into a new instance of <em>svchost<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19089\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/injected.png\" alt=\"\" width=\"694\" height=\"97\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/injected.png 694w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/injected-300x42.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/injected-600x84.png 600w\" sizes=\"auto, (max-width: 694px) 100vw, 694px\" \/><\/p>\n<h3>Inside<\/h3>\n<p>As before, all the TrickBot modules follow a predefined API. 
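<\/p>\n<p>The behaviour described in the previous section gives three host-side tells that do not depend on file hashes: a bot running from a directory under %APPDATA%, persistence through a scheduled task (the natural thing for that task to run is the installed copy under %APPDATA%, which is what the check below looks for), and module hosts that are fresh <em>svchost.exe<\/em> instances spawned by the bot rather than by the Service Control Manager (<em>services.exe<\/em>). The Python below is an added example, not code from the original post or from TrickBot; it runs those checks over constructed process and scheduled-task records. The process list, the directory name <em>bot_dir<\/em>, the task name and the PIDs are made up for the example; real records collected with a process-listing or Task Scheduler tool can be fed in the same shape.<\/p>\n
```python
from dataclasses import dataclass

# Directories where a genuine svchost.exe image lives (lower-cased for comparison).
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the executable image
    cmdline: str


@dataclass(frozen=True)
class Task:
    name: str
    action: str     # path the scheduled task executes


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def svchost_findings(procs):
    '''Return {pid: [reasons]} for svchost.exe instances that look spawned by something other than the SCM.'''
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        if basename(p.image) != 'svchost.exe':
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        # Service hosts are started by the Service Control Manager (services.exe).
        # A svchost.exe whose parent is anything else (here: the bot) is the injection tell.
        if parent is None:
            reasons.append('parent process not found')
        elif basename(parent.image) != 'services.exe':
            reasons.append('parent is ' + basename(parent.image) + ', not services.exe')
        # Injection reuses the legitimate image, so the path is usually clean; a copy elsewhere is a separate flag.
        if not p.image.lower().startswith(SYSTEM_DIRS):
            reasons.append('image outside System32/SysWOW64')
        # Heuristic: genuine service hosts carry -k GROUP; a bare svchost.exe has no service to host.
        tokens = p.cmdline.split()
        if '-k' not in tokens or tokens.index('-k') + 1 >= len(tokens):
            reasons.append('no -k service group on command line')
        if reasons:
            findings[p.pid] = reasons
    return findings


def task_findings(tasks):
    '''Return {task name: action} for tasks whose action runs from a user profile AppData directory.'''
    return {t.name: t.action for t in tasks if '\\appdata\\' in t.action.lower()}


# Constructed sample data (not from a real host): a legitimate service host, a hypothetical bot
# installed under %APPDATA% in a directory called bot_dir, and a module host the bot spawned.
SAMPLE_PROCS = [
    Proc(4, 0, 'System', ''),
    Proc(560, 480, 'C:\\Windows\\System32\\services.exe', 'C:\\Windows\\System32\\services.exe'),
    Proc(700, 560, 'C:\\Windows\\System32\\svchost.exe', 'C:\\Windows\\System32\\svchost.exe -k netsvcs -p'),
    Proc(2040, 1500, 'C:\\Users\\victim\\AppData\\Roaming\\bot_dir\\bot.exe',
         'C:\\Users\\victim\\AppData\\Roaming\\bot_dir\\bot.exe'),
    Proc(2100, 2040, 'C:\\Windows\\System32\\svchost.exe', 'C:\\Windows\\System32\\svchost.exe'),
]
SAMPLE_TASKS = [
    Task('\\Microsoft\\Windows\\Defrag\\ScheduledDefrag', 'C:\\Windows\\System32\\defrag.exe'),
    Task('\\bot_dir_update', 'C:\\Users\\victim\\AppData\\Roaming\\bot_dir\\bot.exe'),
]

if __name__ == '__main__':
    for pid, reasons in svchost_findings(SAMPLE_PROCS).items():
        print(pid, reasons)
    for name, action in task_findings(SAMPLE_TASKS).items():
        print(name, action)
```
<p>Run against the sample data, only PID 2100 is flagged (non-SCM parent and no <em>-k<\/em> argument) while the genuine service host passes, and only the task pointing into the profile directory is reported. The parent rule is the strong signal; the <em>-k<\/em> rule is a heuristic, so baseline both against a clean fleet before turning them into alerts.<\/p>\n<p>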
Each module exports the following functions:<\/p>\n<ul>\n<li>Control<\/li>\n<li>FreeBuffer<\/li>\n<li>Release<\/li>\n<li>Start<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19067\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/module_exp.png\" alt=\"\" width=\"454\" height=\"317\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/module_exp.png 454w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/module_exp-300x209.png 300w\" sizes=\"auto, (max-width: 454px) 100vw, 454px\" \/><\/p>\n<p>As mentioned in the section &#8220;behavioral analysis&#8221;, in the current run we observed 5 modules. <em>SystemInfo.dll<\/em> and <em>loader.dll (injectDll32)<\/em> have been present in TrickBot <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/10\/trick-bot-dyrezas-successor\/\" target=\"_blank\" rel=\"noopener\">since the very beginning<\/a>. The module <em>mailsearcher.dll<\/em> was introduced in December 2016 and is <a href=\"https:\/\/devcentral.f5.com\/articles\/is-xmaker-the-new-trickloader-24372\" target=\"_blank\" rel=\"noopener\">described in DevCentral&#8217;s article<\/a>. But two modules in the set have not been described before: <em>module.dll<\/em> and <em>Outlook.dll<\/em>.<\/p>\n<h3>module.dll\/importDll32<\/h3>\n<h4>Overview<\/h4>\n<p>This bulky module is written in C++, built against Qt5 and OpenSSL, and also incorporates SQLite. 
Inside the binary we can find strings indicating the particular library versions:<\/p>\n<ul>\n<li>Qt 5.6.2 (i386-little_endian-ilp32 static release build; by GCC 6.2.0)<\/li>\n<li>OpenSSL 1.0.2k 26 Jan 2017<\/li>\n<li>2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2 (<a href=\"https:\/\/www.sqlite.org\/releaselog\/3_17_0.html\" target=\"_blank\" rel=\"noopener\">SQLite<\/a>)<\/li>\n<\/ul>\n<p>We can also find references in the code; in the example below the <a href=\"http:\/\/doc.qt.io\/qt-5\/qabstractsocket.html\" target=\"_blank\" rel=\"noopener\">QAbstractSocket class<\/a> from the Qt library is used:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19077\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/qt_refs.png\" alt=\"\" width=\"505\" height=\"400\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/qt_refs.png 505w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/qt_refs-300x238.png 300w\" sizes=\"auto, (max-width: 505px) 100vw, 505px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19091\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/qsocket_err-1.png\" alt=\"\" width=\"748\" height=\"133\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/qsocket_err-1.png 748w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/qsocket_err-1-300x53.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/qsocket_err-1-600x107.png 600w\" sizes=\"auto, (max-width: 748px) 100vw, 748px\" \/><\/p>\n<p>The module&#8217;s compilation timestamp indicates that it is fresh, built in May of this year:<\/p>\n<pre>2017:05:27 14:27:06+01:00<\/pre>\n<p>Functionality-wise, the module is focused on stealing data from browsers, such as:<\/p>\n<ul>\n<li>Cookies<\/li>\n<li>HTML5 Local Storage<\/li>\n<li>Browsing History<\/li>\n<li>Flash LSO 
(Local Shared Objects)<\/li>\n<li>URL hits<\/li>\n<\/ul>\n<p>&#8230;and more.<\/p>\n<p>The module&#8217;s authors made no effort to hide their intentions: debug strings describing every attempt are printed. Examples:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19114\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/debug_info.png\" alt=\"\" width=\"836\" height=\"617\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/debug_info.png 836w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/debug_info-300x221.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/debug_info-600x443.png 600w\" sizes=\"auto, (max-width: 836px) 100vw, 836px\" \/><\/p>\n<p>Grabbing URL hits:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19126\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/url_hits.png\" alt=\"\" width=\"568\" height=\"501\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/url_hits.png 568w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/url_hits-300x265.png 300w\" sizes=\"auto, (max-width: 568px) 100vw, 568px\" \/><\/p>\n<p>In contrast to <em>loader.dll<\/em>\/<strong><em>injectDll <\/em><\/strong>(referenced <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/10\/trick-bot-dyrezas-successor\/\" target=\"_blank\" rel=\"noopener\">here<\/a>), which is modular and stores all its scripts and targets in dedicated configuration files, <em>module.dll<\/em>\/<em><strong>importDll32<\/strong><\/em> comes with all the data hardcoded. 
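<\/p>\n<p>The cookies and browsing history listed above live in per-profile SQLite databases, which is why the module embeds SQLite (the actual queries are shown in the SQL part below). The Python below is an added example, not code from the original post or from TrickBot: it rebuilds a trimmed, Chromium-style <em>cookies<\/em> and <em>urls<\/em> schema in memory with made-up rows, then runs the two kinds of query a stealer issues, a cookie lookup against a hardcoded target list and a recent-history dump, converting the WebKit microsecond timestamps to UTC on the way. The schema, the target list and the sample rows are assumptions for the example.<\/p>\n
```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium-based browsers store times as microseconds since 1601-01-01 UTC (the Windows FILETIME epoch),
# so raw values read from the database look like 13145846400000000 rather than Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Trimmed reconstruction of the Chromium cookies and urls tables (an assumption for this example;
# real profiles carry more columns, and History is a separate file from Cookies).
SCHEMA = '''
CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB,
                      path TEXT, expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER,
                      last_access_utc INTEGER);
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                   typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
'''


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def datetime_to_webkit(dt):
    # Integer arithmetic on purpose: these values exceed 2**53, so float division would lose microseconds.
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1000000 + delta.microseconds


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def cookies_for_targets(db, targets):
    '''Select cookies whose host matches one of the hardcoded target domains, as a stealer query would.'''
    hits = []
    for domain in targets:
        rows = db.execute(
            'SELECT host_key, name, value, expires_utc FROM cookies WHERE host_key LIKE ?',
            ('%' + domain,)).fetchall()
        for host, name, value, expires in rows:
            hits.append({'host': host, 'name': name, 'value': value, 'expires': webkit_to_datetime(expires)})
    return hits


def history_since(db, since):
    '''Select URL hits newer than the given time, most recent first.'''
    rows = db.execute(
        'SELECT url, title, visit_count, last_visit_time FROM urls WHERE last_visit_time > ? '
        'ORDER BY last_visit_time DESC', (datetime_to_webkit(since),)).fetchall()
    return [{'url': u, 'title': t, 'visits': n, 'last_visit': webkit_to_datetime(lv)} for u, t, n, lv in rows]


def build_sample_profile():
    '''Constructed in-memory stand-in for a browser profile; every row is made up for this example.'''
    db = sqlite3.connect(':memory:')
    db.executescript(SCHEMA)
    ts = datetime_to_webkit
    db.executemany('INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?,?,?)', [
        (ts(utc(2017, 7, 1)), '.bank.example', 'SESSION', 'e3b0c44298fc1c14', b'', '/',
         ts(utc(2017, 9, 1)), 1, 1, ts(utc(2017, 7, 30))),
        (ts(utc(2017, 5, 2)), '.shop.example', 'cart', 'id-42', b'', '/',
         ts(utc(2018, 1, 1)), 0, 0, ts(utc(2017, 6, 15))),
    ])
    db.executemany('INSERT INTO urls VALUES (?,?,?,?,?,?,?)', [
        (1, 'https://bank.example/login', 'Sign in', 7, 2, ts(utc(2017, 7, 30)), 0),
        (2, 'https://news.example/', 'Headlines', 3, 0, ts(utc(2017, 6, 1)), 0),
    ])
    return db


if __name__ == '__main__':
    db = build_sample_profile()
    for c in cookies_for_targets(db, ['bank.example']):
        print(c['host'], c['name'], c['value'], c['expires'].isoformat())
    for h in history_since(db, utc(2017, 7, 1)):
        print(h['last_visit'].isoformat(), h['url'])
```
<p>Two practical details the raw strings in the binary do not show: the timestamps are microseconds since 1601-01-01, not Unix time, so anyone reading a dumped cookie or history table has to convert them; and on a live Windows profile the <em>value<\/em> column is usually empty, with the cookie held DPAPI-protected in <em>encrypted_value<\/em>, so a stealer has to run as the victim user (or add a DPAPI decryption step) to make use of it. The browser also keeps these files locked while it runs, which is why stealers typically copy the database before querying it.<\/p>\n<p>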
Among that hardcoded data is a very long list of targets: websites from countries all around the world, including France, Italy, Japan, Poland, Norway and Peru:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19079\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/targets_world.png\" alt=\"\" width=\"343\" height=\"445\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/targets_world.png 343w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/targets_world-231x300.png 231w\" sizes=\"auto, (max-width: 343px) 100vw, 343px\" \/><\/p>\n<h5>Browser fingerprinting<\/h5>\n<p>During its run the module creates a hidden desktop:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19117\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/make_hidden.png\" alt=\"\" width=\"762\" height=\"364\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/make_hidden.png 762w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/make_hidden-300x143.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/make_hidden-600x287.png 600w\" sizes=\"auto, (max-width: 762px) 100vw, 762px\" \/><\/p>\n<p>This desktop is used as a workspace where the malicious module can open and fingerprint browsers without the user noticing.<\/p>\n<p>Inside the malware&#8217;s code we can find some hardcoded HTML files with JavaScript that is used for gathering information about the browser&#8217;s configuration. 
For example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19128\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/gather_data_js1.png\" alt=\"\" width=\"829\" height=\"482\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/gather_data_js1.png 829w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/gather_data_js1-300x174.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/gather_data_js1-600x349.png 600w\" sizes=\"auto, (max-width: 829px) 100vw, 829px\" \/><\/p>\n<p>You can see the full content <a href=\"https:\/\/gist.github.com\/hasherezade\/309d3cbfa7f3cd2115b67beb264d999f#file-fingerprint2-html\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>When executed, this script fills a text area with the data gathered about the environment and passes that data to the malware:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19129\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/fingerprint1.png\" alt=\"\" width=\"835\" height=\"385\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/fingerprint1.png 835w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/fingerprint1-300x138.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/fingerprint1-600x277.png 600w\" sizes=\"auto, (max-width: 835px) 100vw, 835px\" \/><\/p>\n<p>Another script is used for gathering information on the plugins installed in Internet Explorer (compare with <a href=\"http:\/\/www.darkwavetech.com\/fingerprint\/fingerprint_plugin.html\" target=\"_blank\" rel=\"noopener\">this script<\/a>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19127\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/plugin_list.png\" alt=\"\" width=\"735\" height=\"529\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/plugin_list.png 735w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/plugin_list-300x216.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/plugin_list-600x432.png 600w\" sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><\/p>\n<p>You can see the full content <a href=\"https:\/\/gist.github.com\/hasherezade\/309d3cbfa7f3cd2115b67beb264d999f#file-fingerprint1-html\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>The scripts send the collected data in a POST request, in a variable called <em>marker_<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19133\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sending_data.png\" alt=\"\" width=\"536\" height=\"170\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sending_data.png 536w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/sending_data-300x95.png 300w\" sizes=\"auto, (max-width: 536px) 100vw, 536px\" \/><\/p>\n<p>The data is received by a handler inside the TrickBot module:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19135\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/marker.png\" alt=\"\" width=\"558\" height=\"412\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/marker.png 558w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/marker-300x222.png 300w\" sizes=\"auto, (max-width: 558px) 100vw, 558px\" \/><\/p>\n<p>Interestingly, the malicious module also contains four base64-encoded PNG pictures:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19080\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/picture.png\" alt=\"\" width=\"822\" height=\"154\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/picture.png 822w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/picture-300x56.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/picture-600x112.png 600w\" sizes=\"auto, (max-width: 822px) 100vw, 822px\" \/><\/p>\n<p>Decoded pictures:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19119\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/bx1.png\" alt=\"\" width=\"32\" height=\"29\" \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19120\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/bx2.png\" alt=\"\" width=\"16\" height=\"16\" \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19121\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/bx3.png\" alt=\"\" width=\"32\" height=\"32\" \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19122\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/bx4.png\" alt=\"\" width=\"16\" height=\"16\" \/><\/p>\n<h5>The SQL part<\/h5>\n<p>Among the data hardcoded within <em>module.dll<\/em> we can find a string referencing the <a href=\"https:\/\/www.sqlite.org\/releaselog\/3_17_0.html\" target=\"_blank\" rel=\"noopener\">SQLite release<\/a> that was built in:<\/p>\n<pre>2017-02-13 16:02:40 ada05cfa86ad7f5645450ac7a2a21c9aa6e57d2<\/pre>\n<p>The embedded SQLite is used to read and steal data from locally stored browser databases, for example cookies (similarly to Terdot Zbot, described <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/zbot-with-legitimate-applications-on-board\/\" target=\"_blank\" rel=\"noopener\">here<\/a>, which also incorporated SQLite for this purpose):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19082\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/open_cookies.png\" alt=\"\" width=\"724\" height=\"185\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/open_cookies.png 724w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/open_cookies-300x77.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/open_cookies-600x153.png 600w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/p>\n<p>Sample strings and queries against the cookies database:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19081\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/steal_cookies.png\" alt=\"\" width=\"822\" height=\"282\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/steal_cookies.png 822w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/steal_cookies-300x103.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/steal_cookies-600x206.png 600w\" sizes=\"auto, (max-width: 822px) 100vw, 822px\" \/><\/p>\n<p>We can also see the queries used to steal the stored browsing history:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19131\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/stealing_history.png\" alt=\"\" width=\"680\" height=\"111\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/stealing_history.png 680w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/stealing_history-300x49.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/stealing_history-600x98.png 600w\" sizes=\"auto, (max-width: 680px) 100vw, 680px\" \/><\/p>\n<h3>outlook.dll<\/h3>\n<p>This module is written in Delphi. 
It contains a hardcoded configuration that follows the pattern typical of TrickBot modules:<\/p>\n<pre>&lt;moduleconfig&gt;   &lt;autostart&gt;no&lt;\/autostart&gt;  &lt;\/moduleconfig&gt;<\/pre>\n<p>Its purpose is to steal data saved by Microsoft Outlook.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19084\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/fetch_and_send.png\" alt=\"\" width=\"898\" height=\"377\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/fetch_and_send.png 898w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/fetch_and_send-300x126.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/fetch_and_send-600x252.png 600w\" sizes=\"auto, (max-width: 898px) 100vw, 898px\" \/><\/p>\n<p>The module opens the relevant registry keys and tries to retrieve saved credentials:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-19083\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/outlook_reg_data.png\" alt=\"\" width=\"523\" height=\"546\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/outlook_reg_data.png 523w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/outlook_reg_data-287x300.png 287w\" sizes=\"auto, (max-width: 523px) 100vw, 523px\" \/><\/p>\n<h3>Conclusion<\/h3>\n<p>TrickBot&#8217;s new modules are not written very well and are probably still under development. The overall quality of the design is much lower than that of the earlier code. For example, <em>module.dll<\/em> is bulky and does not follow the clean modular structure TrickBot introduced before. They also make use of languages and libraries that are easier to work with: Qt instead of native sockets for <em>module.dll<\/em>, Delphi for <em>Outlook.dll<\/em>. 
These changes may indicate changes in the development team: either it gained new members who have been delegated to the new tasks, or some of the previous members left and have been replaced by less skilled programmers. It is also possible that the authors are prototyping and experimenting for further development.<\/p>\n<p>In any case, as we can see, TrickBot is still actively maintained and is not going to leave the landscape any time soon.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data\/\">TrickBot comes with new tricks &#8211; attacking Outlook and browsing data<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Tue, 01 Aug 2017 19:10:43 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data\/' title='TrickBot comes with new tricks - attacking Outlook and browsing data'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/shutterstock_377726422.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>TrickBot is still actively maintained and is not going to leave the landscape any time soon. 
Take a look at its new modules.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/dyreza\/\" rel=\"tag\">dyreza<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/eternalpetya\/\" rel=\"tag\">EternalPetya<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/outlook\/\" rel=\"tag\">Outlook<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/trickbot\/\" rel=\"tag\">trickbot<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/wannacry\/\" rel=\"tag\">WannaCry<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data\/' title='TrickBot comes with new tricks - attacking Outlook and browsing data'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data\/\">TrickBot comes with new tricks &#8211; attacking Outlook and browsing data<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[13254,12849,3764,13255,3765,10494,13256,12252],"class_list":["post-8530","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-dyreza","tag-eternalpetya","tag-malware","tag-outlook","tag-ransomware","tag-threat-analysis","tag-trickbot","tag-wannacry"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8530"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8530\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}