TrickBot is an established and widespread multi-purpose trojan. Active since 2016 and modular in nature, it can accomplish a variety of goals ranging from credential theft to lateral movement. Many of the malware’s capabilities come as self-contained modules, which the malware is instructed to download from the C2. Initially, TrickBot’s main focus was bank fraud, but this later shifted toward corporate targetted ransomware attacks, eventually resulting in the discontinuation of their fraud operation.
In June 2021, Kryptos Logic Threat Intelligence team began observing new developments to the TrickBot webinject module. TrickBot’s webinject module supports both static and dynamic configuration for injects. The static inject type causes the victim to be redirected to an attacker-controlled replica of the intended destination site, where credentials can then be harvested. The dynamic inject type transparently forwards the server response to the TrickBot C2, where the source is then modified to contain malicious components, before being returned to the victim as though it came from the legitimate site. In the current iteration of the webinject module, injects are achieved by proxying traffic through a local SOCKS server, if the traffic matches a list of target URLs the traffic is modified accordingly.
Through our monitoring, we were able to obtain a debug version of the module, which contained new features being tested. In this evolution of their webinject capabilities, TrickBot has added support for Zeus-style webinject configs. During development the module was served under a test name and supported parsing configs named
zeus. We have since observed the updated module being pushed out to real victims under the name
injectDll, superseding their old webinject module. Previously, webinject configs were stored in two files named
sinj (static injects) and
dinj (dynamic injects). Now, there exists a single config file named
winj containing Zeus-style webinjects.
We began observing new changes to their webinject module when we came across a debug build uploaded to 1VirusTotal. This module was different from the previous known webinjects, since it makes reference to a config by the name of
However, we were not able to pull down such a debug build from the C2 servers, since we were not aware of the base name that was given to the module. Base names are the names given to modules by TrickBot, and are used by the main bot to fetch these modules from TrickBot’s plugin servers.
Currently we are seeing the bot pull down the released versions of webinject module as
injectDll64 for the 32-bit and 64-bit module respectively.
An example for a module request made by the main bot is as follows:
In this blog we will not go into detail on how the main bot communicates to its C2, since it has already been covered2.
In this module we see the introduction of Zeus webinject configs, in addition to the regular webinject configs that TrickBot previously used. A good description on how the webinject config works can be found in its leaked manual3.
Due to Zeus having been the gold standard for banking malware, Zeus-style webinjects are extremely popular. It is not uncommon for other malware families to support Zeus-style webinject syntax for cross-compatibility (4Zloader, 5Citadel, to name a few).
In the debug version, the module referred to this new config simply as
zeus; however in the release version this has been renamed to
winj. As with the previous webinjects, the module is able to parse the usual webinject configs
sinj. Additionally, they continue to use the
dpost configs in order to send the results of the webjects to the handler C2s.
As previously reported6, the module shares substantial code with IcedID/Bokbot’s Man-in-the-Browser webinject module. To MitM TLS connections, it creates a self-signed TLS certificate and adds it to the certificate store. The module contains a packed payload that is injected into the victim’s browser, where it hooks socket APIs to redirect traffic to a locally listening SOCKS proxy, it also hooks
CertGetCertificateChain to ensure no certificate errors are shown to the victim.
The resumption of development of the webinject module indicates that TrickBot intends to revive its bank fraud operation, which appears to have been shelved for over a year. The addition of Zeus-style webinjects may suggest expansion of their Malware-as-a-Service platform, enabling users to bring their own webinjects.
|SHA256||Module Base Name||Description|
|dd268740958fe3829c927054b900f6287235662cd93c1e91d51c38c44eb2571b||n/a||32-bit Webinject Debug Module|
|3bd5117466a9bcd539a482343957f8c9a74ad2fa0d5da959fcfa0d42beb9133d||n/a||64-bit Webinject Debug Module|
|c79f016996b45cd7cc88aa3ce6c4d1ab247a1d803de4b742f64f3bf1e183ffb0||injectDll32||32-bit Webinject Module|
|19f4f1ca50b3306c9d953e12e573b1e65670b110b358d0240e55331c7ed0d76f||injectDll64||64-bit Webinject Module|
This content was originally published here.