Criminal gangs are constantly improving their ways of delivering malicious code to victims. That delivery is the foundation for the payloads installed afterwards, which maximize the effect of exploitation, allow the attackers to move laterally, and install further crimeware to reap profits quickly through crypto mining, ransomware, data exfiltration, or more sophisticated payloads such as banking fraud web injects. The Splunk Threat Research Team (STRT) addressed Trickbot in the July release. Trickbot is a very popular crimeware carrier (Trojan) associated with current campaigns.
Watch the video to understand how STRT developed TrickBot detections for Splunk, using the Splunk Attack Range to collect the generated logs and reverse engineering TrickBot samples.
What is Trickbot?
Trickbot is a crimeware carrier — aka trojan — that has gained wide popularity in the criminal underground. Dating back to 2016, Trickbot is related to the banking malware DYREZA, which derives from the Zeus trojan. Both are incredibly effective at infecting hosts and propagating botnets — one of the main financial drivers of the cybercriminal underground and the crimeware-as-a-service economy. Initially focused on DDoS and carding, botnets nowadays are mostly focused on crypto mining and ransomware, two criminal vectors that usually provide quick rewards to the groups behind them.
The effectiveness of Trickbot crimeware comes from its stealthiness and its versatility in installing payloads for further lateral movement and profit-driven post-exploitation activities such as cryptocurrency mining, ransomware, or banking fraud. STRT developed an analytic story targeting Trickbot TTPs. STRT also produced a whitepaper with further details on Trickbot modules and capabilities, including the new banking web injects.
Detects a rundll32 (Run Dynamic Link Library 32) child process spawned via a Microsoft Office application
Detects the use of Windows Error Manager to create executable files
Detects the creation of a scheduled task in which rundll32.exe is used to execute or spawn another process
Detects PowerShell process injection into some well-known Windows processes
Detects the creation of an executable on an SMB share
Detects the creation of a named pipe or inter-process communication associated with the execution of Trickbot
Detects the use of a series of net commands for account discovery on the infected machine
Detects rundll32 with the “StartW” parameter
Detects MS Office executing macro code
Detects common Cobalt Strike named pipes
Detects rundll32 with the “DllRegisterServer” parameter
Detects security service termination
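To show what several of the analytics above actually key on (an Office application spawning rundll32, rundll32 called with StartW or DllRegisterServer, a scheduled task that runs rundll32, and net commands used for account discovery), here is the matching logic written out in Python over constructed process-creation events. This is an added example, not code from the original post or from Splunk's own detection content; the event field names and sample command lines are assumptions made for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon EventCode 1 style).
# These are not real telemetry; the paths and command lines are made up.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\lib.dll,StartW"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Update /tr "rundll32.exe C:\ProgramData\x.dll,DllRegisterServer" /sc minute'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user /domain"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign use
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
DISCOVERY_CMDS = ("net user", "net group", "net localgroup", "net view")

def image_name(path):
    """Return the lowercase file name from a full Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def match_trickbot_ttps(event):
    """Return the names of the Trickbot-style detections this event triggers."""
    hits = []
    parent = image_name(event["parent"])
    image = image_name(event["image"])
    cmd = event["cmdline"]
    if parent in OFFICE_APPS and image == "rundll32.exe":
        hits.append("office_spawns_rundll32")
    if image == "rundll32.exe" and re.search(r",\s*StartW\b", cmd, re.I):
        hits.append("rundll32_startw")
    if image == "rundll32.exe" and re.search(r"\bDllRegisterServer\b", cmd, re.I):
        hits.append("rundll32_dllregisterserver")
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and "rundll32" in cmd.lower():
        hits.append("schtask_rundll32")
    if image == "net.exe" and cmd.lower().startswith(DISCOVERY_CMDS):
        hits.append("net_account_discovery")
    return hits

def scan(events):
    """Map the index of each alerting event to its detection names; clean events are dropped."""
    results = {}
    for i, event in enumerate(events):
        hits = match_trickbot_ttps(event)
        if hits:
            results[i] = hits
    return results
```

The rundll32 shell32.dll,Control_RunDLL event is included deliberately as the benign case that none of the rules should fire on.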
Responding to Trickbot with Automated Playbooks
The following community Splunk SOAR playbooks can be used against Trickbot.
This playbook hunts for malware across managed endpoints, disables affected users, shuts down their devices, and blocks files by their hash from further execution via Carbon Black.
This playbook tries to determine if a file is malware and whether or not the file is present on any managed machines. VirusTotal “file reputation” and PAN WildFire “detonate file” are used to determine if a file is malware, and CarbonBlack Response “hunt file” is used to search managed machines for the file. The results of these investigations are summarized in an email to the incident response team.
This playbook detonates a file, and if it determines it is malicious, it blocks the hash from further execution, blocks any IPs it calls out to, hunts across your environment for other instances of the file, terminates any running executions of it, blocks any IPs it has made connections to, and quarantines affected devices.
Why Should You Care About Trickbot?
As one of the most popular crimeware carriers, Trickbot is constantly being deployed and updated to avoid detection and to deliver newer and more effective post-exploitation payloads. It is very likely that Trickbot will remain one of the main players in exploitation campaigns and continue to expand its use in the crime-as-a-service market.
For a full list of security content, check out the release notes on Splunk Docs: