TrickBot and Zeus – Kryptos Logic

TrickBot and Zeus - Kryptos Logic

TrickBot is an established and widespread multi-purpose trojan. Active since 2016 and modular in nature, it can accomplish a variety of goals ranging from credential theft to lateral movement. Many of the malware’s capabilities come as self-contained modules, which the malware is instructed to download from the C2. Initially, TrickBot’s main focus was bank fraud, but this later shifted toward corporate targetted ransomware attacks, eventually resulting in the discontinuation of their fraud operation.

In June 2021, Kryptos Logic Threat Intelligence team began observing new developments to the TrickBot webinject module. TrickBot’s webinject module supports both static and dynamic configuration for injects. The static inject type causes the victim to be redirected to an attacker-controlled replica of the intended destination site, where credentials can then be harvested. The dynamic inject type transparently forwards the server response to the TrickBot C2, where the source is then modified to contain malicious components, before being returned to the victim as though it came from the legitimate site. In the current iteration of the webinject module, injects are achieved by proxying traffic through a local SOCKS server, if the traffic matches a list of target URLs the traffic is modified accordingly.

Through our monitoring, we were able to obtain a debug version of the module, which contained new features being tested. In this evolution of their webinject capabilities, TrickBot has added support for Zeus-style webinject configs. During development the module was served under a test name and supported parsing configs named zeus. We have since observed the updated module being pushed out to real victims under the name injectDll, superseding their old webinject module. Previously, webinject configs were stored in two files named sinj (static injects) and dinj (dynamic injects). Now, there exists a single config file named winj containing Zeus-style webinjects.

We began observing new changes to their webinject module when we came across a debug build uploaded to 1VirusTotal. This module was different from the previous known webinjects, since it makes reference to a config by the name of winj.

However, we were not able to pull down such a debug build from the C2 servers, since we were not aware of the base name that was given to the module. Base names are the names given to modules by TrickBot, and are used by the main bot to fetch these modules from TrickBot’s plugin servers.

Currently we are seeing the bot pull down the released versions of webinject module as injectDll32 and injectDll64 for the 32-bit and 64-bit module respectively.

An example for a module request made by the main bot is as follows:
https://<c2_address>/<gtag>/<unique_bot_id>/5/injectDll64/

In this blog we will not go into detail on how the main bot communicates to its C2, since it has already been covered2.

winj Config

In this module we see the introduction of Zeus webinject configs, in addition to the regular webinject configs that TrickBot previously used. A good description on how the webinject config works can be found in its leaked manual3.

Due to Zeus having been the gold standard for banking malware, Zeus-style webinjects are extremely popular. It is not uncommon for other malware families to support Zeus-style webinject syntax for cross-compatibility (4Zloader, 5Citadel, to name a few).

In the debug version, the module referred to this new config simply as zeus; however in the release version this has been renamed to winj. As with the previous webinjects, the module is able to parse the usual webinject configs dinj and sinj. Additionally, they continue to use the dpost configs in order to send the results of the webjects to the handler C2s.

Example winj:

As previously reported6, the module shares substantial code with IcedID/Bokbot’s Man-in-the-Browser webinject module. To MitM TLS connections, it creates a self-signed TLS certificate and adds it to the certificate store. The module contains a packed payload that is injected into the victim’s browser, where it hooks socket APIs to redirect traffic to a locally listening SOCKS proxy, it also hooks CertVerifyCertificateChainPolicy and CertGetCertificateChain to ensure no certificate errors are shown to the victim.

The resumption of development of the webinject module indicates that TrickBot intends to revive its bank fraud operation, which appears to have been shelved for over a year. The addition of Zeus-style webinjects may suggest expansion of their Malware-as-a-Service platform, enabling users to bring their own webinjects.

SHA256 Module Base Name Description
dd268740958fe3829c927054b900f6287235662cd93c1e91d51c38c44eb2571b n/a 32-bit Webinject Debug Module
3bd5117466a9bcd539a482343957f8c9a74ad2fa0d5da959fcfa0d42beb9133d n/a 64-bit Webinject Debug Module
c79f016996b45cd7cc88aa3ce6c4d1ab247a1d803de4b742f64f3bf1e183ffb0 injectDll32 32-bit Webinject Module
19f4f1ca50b3306c9d953e12e573b1e65670b110b358d0240e55331c7ed0d76f injectDll64 64-bit Webinject Module

YARA

This content was originally published here.

Laat een reactie achter

Het e-mailadres wordt niet gepubliceerd.