Trickbot loader using the Heaven's Gate technique to inject its final payload into a 64-bit process, wermgr.exe
It is difficult to analyze it, but I will try my best ✌.
Version: 1106
I created an annotation script for both IDA Pro and Ghidra to make my life easier 😌; you can get it here 😏.
Main flow
Create Scheduled Task
This time the task name is Hdd info application.
The target binary is placed in appdata\roaming\HddInfo<RandNum>
The scheduled task is created via the COM API.
Create file with unknown extension
Creates a file ending with .sut in the %APPDATA% folder.
Getting system info
Getting system privilege
Using the typical AdjustTokenPrivileges, or ConvertSecurityDescriptorToStringSecurityDescriptor with a specific SDDL -> AllocateAndInitializeSid and EqualSid.
General format: (A;;Access;;;SID)
SDDL found in the sample:
D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
Translated meaning: GENERIC_ALL for World (Everyone), Administrators, System and Restricted Code.
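As an added example (not from the original post), a small Python parser for the SDDL DACL format shown above, run over the sample's string; the helper names (parse_dacl, describe, everyone_has_generic_all) and the alias tables are my own and cover only the codes that appear here. It flags the pattern worth noticing from a defender's side: an allow-ACE that grants GENERIC_ALL to Everyone, which lets any process on the host open the object.

```python
import re
from dataclasses import dataclass

# Subset of the SDDL well-known SID and access-right abbreviations needed for this sample.
SID_ALIASES = {"WD": "Everyone (World)", "BA": "Builtin Administrators",
               "SY": "Local System", "RC": "Restricted Code"}
RIGHT_ALIASES = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
                 "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED"}

# Each ACE is a parenthesised, semicolon-separated record:
# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Ace:
    ace_type: str
    rights: list
    sid: str


def parse_dacl(sddl: str) -> list:
    """Parse the DACL part of an SDDL string such as 'D:(A;;GA;;;WD)(A;;GA;;;BA)'."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl[2:]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inh, sid = fields
        # Rights are either a hex mask (0x...) or a run of two-letter codes ("GA", "GRGW").
        parsed = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append(Ace(ACE_TYPES.get(ace_type, ace_type), parsed, sid))
    return aces


def describe(ace: Ace) -> str:
    rights = "|".join(RIGHT_ALIASES.get(r, r) for r in ace.rights)
    return f"{ace.ace_type}: {rights} for {SID_ALIASES.get(ace.sid, ace.sid)}"


def everyone_has_generic_all(aces: list) -> bool:
    """True when an allow-ACE grants GENERIC_ALL to Everyone (WD), the weak pattern in this sample."""
    return any(a.ace_type == "ACCESS_ALLOWED" and a.sid == "WD" and "GA" in a.rights for a in aces)


SAMPLE_SDDL = "D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)"  # string from the sample

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        print(describe(ace))
    print("Everyone has GENERIC_ALL:", everyone_has_generic_all(parse_dacl(SAMPLE_SDDL)))
```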
Create mutex, Global\{CLSID}
A typical mutex generator using a CLSID, if StringFromCLSID succeeds.
Settings.ini base64 custom key
A hardcoded custom base64 key is used, and it is the same as the one mentioned in the Malwarebytes blog. The only difference is the 'n' value in the shuffle-key function, which is 10 in this sample. The XOR function is still the same.
Module’s export name
Its export names compared with the previous version here.
IP blocklist check via DNS service
It iterates through these DNS blocklist checkers to identify whether the resolved IP is listed or not:
zen.spamhaus.org
cbl.abuseat.org
b.barracudacentral.org
dnsbl-1.uceprotect.net
spam.dnsbl.sorbs.net
Check if behind NAT
Uses gethostname and getaddrinfo to check whether the system IP is private or not.
Download Trickbot module
Different values determine which request is sent and also which module is requested. Most of these values are hardcoded in the 3rd parameter of the download-module function.
Module decryption
Based on the analysis, the module decryption should be similar to hasherezade's script.
Inject module into svchost.exe
Creates an svchost.exe process in suspended mode (flag 0x4, CREATE_SUSPENDED); the overall process injection technique has been well explained in the VIPRE blog.
Also, it seems to obtain explorer.exe with SeTcbPrivilege if something goes wrong when executing the module payload.
Create child process with unknown command
RDP attack similar to WannaCry (good analysis from the Panda blog)
Mainly compromises RDP connections by enumerating user sessions via WTSapi32.dll, advapi32.dll and kernel32.dll related functions.
Create process cmd.exe /c cscript
It seems to target some file in the tmp folder.
Set environment variable PROMPT
Get External IP
It can be seen that it loops through indexes 0x1 to 0xc, followed by some HTTP-related function calls, so the decode_string function is targeting some URL. This matches the output of the decode script created earlier:
0x1): checkip.amazonaws.com
0x2): ipecho.net
0x3): ipinfo.io
0x4): api.ipify.org
0x5): icanhazip.com
0x6): myexternalip.com
0x7): wtfismyip.com
0x8): ip.anysrc.net
0x9): api.ipify.org
0xa): api.ip.sb
0xb): ident.me
0xc): www.myexternalip.com
BDNS
Uses blockchain DNS to resolve .bazar domains. Some reading on bdns can be found here.
bdns.at bdns.by bdns.co bdns.im bdns.link bdns.nu bdns.pro b-dns.se
There are still some things that I didn't cover (e.g. the encrypted config files with lots of C2s, as they have been common in every Trickbot sample since the beginning), and I hope this helps other people when analyzing Trickbot 😃
References
Github code