TrickBot Attack Chain: Deconstructed & Mitigated | BeyondTrust


The early versions of TrickBot were technically effective but limited in scope: they targeted only a subset of regional banks in the US. As with most banking trojans, TrickBot maintains a list of target websites whose traffic it intercepts and manipulates to capture credentials and misdirect transactions.

Over time, the TrickBot malware has continued to evolve to target an ever-changing list of online banks. The malware has also incorporated new functionalities, including:

TrickBot has not only become a highly capable banking trojan; thanks to its stealthy modular components it is also used for active reconnaissance, data exfiltration, lateral movement and ransomware delivery. This is part of a growing trend in which threat actors establish widespread compromise of a network and then sell the backdoor access to the highest bidder.

By default these registry entries (the per-user ms-settings handler under HKCU\Software\Classes\ms-settings\Shell\Open\command) do not exist, but they live in a user-writable part of the registry, so TrickBot can create them and store a command that launches itself. TrickBot then starts Fodhelper.exe. Because Fodhelper.exe is a Microsoft-signed application that Windows allows to auto-elevate, it runs with high integrity without showing the end user a UAC prompt, and it in turn executes the command stored in the registry entry, launching TrickBot at the same privilege level without alerting the user.

Once TrickBot has gained elevation via a UAC bypass, it has the administrator privileges needed to make significant changes to the system. It uses these to great effect by disabling IT security settings and tools. Let's look at what it does and how it does it.

Technique 3: Disabling Security

MITRE Technique: T1562.001 – Disable or Modify Tools

Since 2019, TrickBot has included capabilities to disable the services and processes of common security tools such as antivirus (AV). This is a common Defense Evasion tactic that reduces the risk of discovery and lays the groundwork for later payloads. TrickBot's primary target is Windows Defender and many of the native protections it provides for the Windows operating system.

Using a combination of registry entries and PowerShell commands, TrickBot attempts to disable many Windows Defender protections, including:

Once these controls are disabled, the attacker can extend their foothold on the system and introduce new payloads with a much lower risk of detection.

TrickBot also uses the Image File Execution Options (IFEO) registry key to attach a fake debugger to a number of AV and IT security tools. When a Debugger value is set for an executable, Windows launches that debugger first and hands it the original program to run; because the debugger TrickBot registers does not exist, the launch fails and the security tool never starts. This is an elegant way to neutralize security tools without uninstalling or removing them, and it means an inventory-based check will still report the tools as installed even though they can no longer run.
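As an added example (not BeyondTrust's or TrickBot's code), the following Python triages registry "value set" events for all three behaviours covered above: the Fodhelper UAC bypass staging described under the previous technique, the Windows Defender policy tampering, and the IFEO Debugger hijack. It works on the fields of a Sysmon Event ID 13 record (Image, TargetObject, Details). The event records, the malware path, the user SID and the set of files assumed to exist on the host are constructed for the example; the registry paths and MITRE technique IDs are the real ones.

```python
"""Triage registry 'value set' events for the TrickBot behaviours above:
Fodhelper UAC bypass staging, Windows Defender policy tampering and IFEO
'Debugger' hijacking. Added example; the sample events, paths and the set
of 'installed' files are constructed here, not taken from the page."""
import re
from typing import Callable, Dict, List, Optional

T_UAC_BYPASS = "T1548.002"     # Abuse Elevation Control Mechanism: Bypass UAC
T_DISABLE_TOOLS = "T1562.001"  # Impair Defenses: Disable or Modify Tools

# Per-user ms-settings handler read by fodhelper.exe; absent on a clean host.
FODHELPER_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
# Defender policy values that switch a protection off when set to 1.
DEFENDER_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\(?:Real-Time Protection\\)?"
    r"(?P<value>DisableAntiSpyware|DisableRealtimeMonitoring|DisableBehaviorMonitoring"
    r"|DisableIOAVProtection|DisableOnAccessProtection)$", re.IGNORECASE)
# IFEO Debugger value: Windows starts this program instead of <image>.
IFEO_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
    r"(?P<image>[^\\]+)\\Debugger$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")  # Sysmon's DWORD rendering


def dword_value(details: str) -> Optional[int]:
    """Parse 'DWORD (0x00000001)' as Sysmon renders it; None if not a DWORD."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def classify(event: Dict[str, str], file_exists: Callable[[str], bool]) -> Optional[Dict[str, str]]:
    """Return a finding for one 'value set' event, or None if it looks benign."""
    target, details = event["TargetObject"], event.get("Details", "")
    finding = {"target": target, "image": event["Image"]}

    if m := FODHELPER_RE.match(target):
        value = m.group("value").lower()
        if value == "delegateexecute":
            note = "empty DelegateExecute staged for fodhelper.exe auto-elevation"
        elif value == "(default)":
            note = f"fodhelper.exe will run this command elevated: {details}"
        else:
            note = f"unexpected value '{m.group('value')}' under ms-settings handler"
        return {**finding, "technique": T_UAC_BYPASS, "note": note}

    if (m := DEFENDER_RE.match(target)) and dword_value(details) == 1:
        return {**finding, "technique": T_DISABLE_TOOLS,
                "note": f"Defender protection switched off via {m.group('value')}"}

    if m := IFEO_RE.match(target):
        image = m.group("image")
        if file_exists(details):
            note = f"{image} redirected to existing program {details}; confirm it is a real debugger"
        else:
            note = f"{image} hijacked with non-existent debugger {details}; it can no longer start"
        return {**finding, "technique": T_DISABLE_TOOLS, "note": note}
    return None


def triage(events: List[Dict[str, str]], file_exists: Callable[[str], bool]) -> List[Dict[str, str]]:
    return [f for f in (classify(e, file_exists) for e in events) if f]


# Constructed sample: a Sysmon Event ID 13 stream reduced to the fields used.
MALWARE = r"C:\Users\bob\AppData\Roaming\winapp\svchost.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
SAMPLE_EVENTS = [
    {"Image": MALWARE, "Details": "",
     "TargetObject": SID + r"\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"Image": MALWARE, "Details": MALWARE,
     "TargetObject": SID + r"\Software\Classes\ms-settings\Shell\Open\command\(Default)"},
    {"Image": POWERSHELL, "Details": "DWORD (0x00000001)",
     "TargetObject": DEFENDER_POLICY + r"\DisableAntiSpyware"},
    {"Image": POWERSHELL, "Details": "DWORD (0x00000001)",
     "TargetObject": DEFENDER_POLICY + r"\Real-Time Protection\DisableRealtimeMonitoring"},
    {"Image": MALWARE, "Details": r"C:\Windows\System32\nosuchdbg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger"},
    # Benign noise: an ordinary per-user setting, and a policy value reset to 0.
    {"Image": r"C:\Program Files\Editor\editor.exe", "Details": "notes.txt",
     "TargetObject": SID + r"\Software\Editor\RecentFile"},
    {"Image": r"C:\Windows\System32\gpupdate.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": DEFENDER_POLICY + r"\DisableAntiSpyware"},
]
# Constructed stand-in for os.path.exists on the sampled host (NTFS paths are case-insensitive).
INSTALLED = {r"c:\windows\system32\cmd.exe", r"c:\windows\system32\windbg.exe"}


def sample_file_exists(path: str) -> bool:
    return path.lower() in INSTALLED


def run_sample() -> List[Dict[str, str]]:
    return triage(SAMPLE_EVENTS, sample_file_exists)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['technique']}  {f['image']}\n    {f['target']}\n    {f['note']}")
```

On a real host, export Event ID 13 from the Microsoft-Windows-Sysmon/Operational log and pass os.path.exists as file_exists. The IFEO check is the one an inventory-based control misses: the hijacked tool is still installed, it simply cannot start, which is why the example tests whether the registered debugger exists rather than whether the security product does.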

At this point, TrickBot has gained initial access and execution on the system, performed privilege escalation via a UAC bypass, and achieved defense evasion by disabling security controls and tools. The malware now effectively owns the system and can launch any of its modules to steal data, harvest credentials, inject malicious code into banking websites, launch a ransomware payload, and so on.
