Blog

Archive for March 17th, 2020

Trickbot gtag red5 distributed as a DLL file, (Wed, Mar 18th)

Introduction

Trickbot is an information stealer/banking malware that uses modules to perform different functions.  With Windows 10, these modules are loaded into memory, and we only see initial Trickbot binary and a text-based configuration file stored on the infected Windows 10 host.

Access to Trickbot-infected hosts is granted to other criminals groups to distribute other malware like Ryuk ransomware.  This sort of follow-up malware has previously been noted in conjunction with Powershell Empire traffic and/or Cobalt Strike activity on a Trickbot-infected host.

But today’s diary focuses on one of the distribution methods for the initial Trickbot infection.

Last month on 2020-02-25, I ran across an example of Trickbot (gtag red4) distributed as a Windows DLL file.  Normally, I see Trickbot distributed as an Windows EXE.  2020-02-25 was the first time I personally saw Trickbot distributed and made persistent as a DLL.

On Tuesday 2020-03-17, I ran across another example of Trickbot as a DLL.  This time, it was gtag red5, and I’ve documented the occasion in today’s ISC diary.

Of note, a Trickbot sample’s “gtag” indicates its specific method of distribution.  The “red” series gtag has been noted with Trickbot as a DLL file distributed using a JSE downloader.  The image below shows a flow chart for my infection on Tuesday 2020-03-17.


Shown above:  Flow chart for this specific gtag red5 Trickbot infection chain.

Images from the infection


Shown above:  Screenshot of the Word document that kicked off this Trickbot infection.


Shown above:  Enabling macros caused the Word document to save a copy of itself.


Shown above: Meanwhile, I found a JSE file that acted as a malware loader in a newly-created directory named C:netstats.


Shown above:  The JSE-based loader PressTableList.jse appears to be highly-obfuscated.


Shown above:  HTTPS/SSL/TLS traffic generated by PressTableList.jse filtered in Wireshark.


Shown above:  Certificate issuer data from HTTPS/SSL/TLS traffic caused by PressTableList.jse.


Shown above:  About 1 hour after the initial infection, I saw signs of a Trickbot infection.


Shown above:  Shortly before the Trickbot traffic, I found evidence of a Trickbot binary saved to the infected Windows host.


Shown above:  The scheduled task to keep Trickbot persistent indicates this Trickbot binary is a DLL.


Shown above:  More Trickbot traffic, including HTTP requests over TCP port 8082 that reveal this Trickbot is gtag red5.


Shown above:  HTTP requests ending in .png that returned follow-up Trickbot binaries (these were EXE files, not DLL or PNG).

Indicators of Compromise (IoCs)

Traffic from an infected Windows host:

JSE loader traffic:

  • 185.216.35[.]10 port 443 – HTTPS/SSL/TLS traffic

Trickbot infection traffic:

  • port 80 – api.ipify[.]org – GET / [ip address check by the infected host, not inherently malicious]
  • 51.254.164[.]245 port 443 – HTTPS/SSL/TLS traffic
  • 146.185.253[.]176 port 447 – HTTPS/SSL/TLS traffic
  • 181.129.104[.]139 port 449 – HTTPS/SSL/TLS traffic
  • 46.4.167[.]250 port 447 – attempted TCP connections but no response from the server
  • 64.44.51[.]113 port 447 – attempted TCP connections but no response from the server
  • 203.176.135[.]102 port 8082 – 203.176.135[.]102:8082 – POST /red5/[host name]_[windows version].[32-digit hex string in ASCII]/90
  • 203.176.135[.]102 port 8082 – 203.176.135[.]102:8082 – POST /red5/[host name]_[windows version].[32-digit hex string in ASCII]/81/
  • 51.89.115[.]101 port 80 – 51.89.115[.]101 – GET /images/cursor.png
  • 51.89.115[.]101 port 80 – 51.89.115[.]101 – GET /images/imgpaper.png

Malware/artifacts from an infected Windows host

SHA256 hash: 08b885ccc3eda61a918bd1887b7669e54d03be79a3accae765c10cd0850ff10d

  • File size: 270,883 bytes
  • File name: Info_17033267714.doc
  • File description: Word doc with macro for JSE downloader

SHA256 hash: c0fe570561cc3546ed7e03523baf5e482ec9ee98e6a8de161fdc885f6721f0a0

  • File size: 49 bytes
  • File location: C:netstatsPressTableList.cmd
  • File description: CMD script to run PressTableList.jse
  • File content: cscript //nologo c:netstatsPressTableList.jse
  • Note: Not malicious by itself

SHA256 hash: 36ef77fe7b4a27813c8149674565f60aceb2fa9510e04732ef53367ce3dc567a

  • File size: 356,006 bytes
  • File location: C:netstatsPressTableList.jse
  • File description: JSE-style malware downloader

SHA256 hash: 445716d2fdd0cc8927c02bda53f44cba82f3a934d1a6cb9163760544b3e515e9

  • File size: 636,416 bytes
  • File location: C:Users[username]AppDataLocalTempd26db78fApo6057.pif
  • File location: C:Users[username]AppDataRoamingElAtsrzd26db78fApo6057nn.vgy
  • File description: DLL file retrieved by JSE-style downloader, this is Trickbot gtag red5

SHA256 hash: 262cf3e4da865ff7b028d2f1be407d1d37008644ee89c3e16f4b873e6cde344c

  • File size: 20,541 bytes
  • File location: C:Users[username]AppDataRoamingElAtssettings.ini
  • File description: Configuration/settings file used by Trickbot, different file hash and content for each infection. This is not inherently malicious on its own.

SHA256 hash: efb75ce7030fc32190909048fcb3fab024cb8779b9559a417b8d397352ae6ea2

  • File size: 696,371 bytes
  • File location: hxxp://51.89.115[.]101/images/cursor.png
  • File description: Follow-up Trickbot EXE (gtag: tot698) returned from URL ending in .png

SHA256 hash: 3850e5731f9f1430eafd477b5e0607aad48f80bb28e32d163b941414db7f1695

  • File size: 696,371 bytes
  • File location: hxxp://51.89.115[.]101/images/imgpaper.png
  • File description: Follow-up Trickbot EXE (gtag: lib698) returned from URL ending in .png

Final words

A pcap of the infection traffic along with the associated malware can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th)

DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. It also has become easier (but not trivial) to defend against these attacks. But in the end, you still have to “buy your way out” of a denial of service attacks. For smaller organizations, even an average attack can be devastating.

One of our large honeypots acts as an open resolver (with some rate limiting and other precautions to make them less effective as an amplifier). I collected data these last two weeks to see what targets are being attacked and which DNS records are used in these attacks.

The top two records (by a far distance) for DNS amplification these two weeks have been “access-board.gov” and the name servers for the root zone (“Root Hints”). .gov domains are very popular for two reasons: First of all, .gov supports DNSSEC, and with that responses tend to be larger. With DNSSEC also comes EDNS0 support, which allows for responses via UDP exceeding 512 bytes. These large responses may be fragmented and more difficult to block. Secondly, “.gov” is often considered trusted or even essential and not blocked as a result.

This chart of the top 4 domains used shows how the “access-board.gov” and “root” queries dominated the traffic

The access-board.gov ANY record is 2020 bytes long. It includes only one ‘A’ record. The remaining data is DNSSEC keys and signatures. Worse are domains like “peacecorp.gov”. “peacecorp.gov” is also often used in DDoS attacks. the “ANY” record for peacecorps.gov is 3629 bytes long due to a number of TXT records that are included.

The Root NS record is not quite as long. But Windows DNS servers will respond to it by default which provides for a large set of possible reflectors. A short query (about 20 bytes) will result in 823 byte responses.

But who are the targets of these attacks? During these 2 weeks, we did see 368 targets. The top targets are IRC server. I guess some things never change, and IRC servers are still at the top of the DDoS list. What is probably more notable: The list is missing “household names” and appears more or less random. These attacks hit small businesses and home systems, not large banks and other “well known” services. Part of this is likely due to the fact that these larger companies have defenses in place to counter simple reflective DNS DDoS attacks. Smaller businesses are missing these defenses and are more vulnerable. 

The top 10 victims (“Shared” means the server hosted multiple domains. “unknown” for servers that I couldn’t reach (maybe as a result of the attacks) or a server where I couldn’t figure out the purpose)


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →