Dyre Authors Apparently Working on New Banking Trojan

Discussion in 'malware problems & news' started by ronjor, Oct 17, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
    By Eduard Kovacs on October 17, 2016
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    https://www.infosecurity-magazine.com/news/trickbot-enhances-attack-vecto/
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Here's a very detailed analysis of Trickbot: https://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot

To say it is nasty would be an understatement. Appears just opening a Word document can get you infected. Although the standard malware trick of displaying a message about opening outside of protected mode and enabling macros is displayed, it is a decoy with the payload already being downloaded. In other words, the target has enabled VBA project model setting for macros.

    Malware has a lot in common with latest Dridex variant since process thread hijacking is used. The dropper process creates a suspended child process in memory, injects its malware code and decrypts it, and then launches it. In other words, fileless malware behavior.

Also this puppy runs with System privileges and installs itself in the system32\config\systemprofile\AppData\Roaming directory. This directory is used by the OS to run files with System privileges just like user apps are run from %AppData% directory.

    Persistence is maintained by creating a scheduled task and by creating registry entries to hijack the browser.
     
    Last edited: Apr 28, 2017
  4. mWave

    mWave Guest

    Thanks for the share, interesting read. :)

    ----
    I am not sure why Fortinet do not just say that the sample uses Dynamic Forking (also known as "Process Hollowing" or "RunPE") after the details; it's evidently clear that this is occurring due to the API calls passing through the NTDLL.DLL system call layer; NtUnmapViewOfSection, NtAllocateVirtualMemory, NtGetContextThread, NtSetContextThread and NtResumeThread. It starts off with the call to NtCreateUserProcess (the NTAPI function eventually called when using CreateProcessA/W) where it is being started in a suspended state (which is why NtResumeThread is used at the end - resume the process after the modifications).

    I am confused as to why the Task Scheduler was even used for obtaining SYSTEM privileges, since it implies the malware already had administrator privileges. This also means that the malware could have installed a device driver to auto-elevate an already existent process to be running under the NT Authority Account (SYSTEM), or it could have simply created a new Windows Service which would then steal the token from a Windows process already running under SYSTEM like winlogon.exe (where it is not protected from a handle being obtained) -> CreateProcessAsUser (Win32 API call) and use the token which was stolen to force the process to be ran under the SYSTEM account.

    The code injection isn't even via manual map (injection without the DLL being linked to the PEB, ModulesList) or thread hijacking/codecave, it's just using CreateRemoteThread (monitored by almost every proper serious AV product on the market, and this monitoring is achieved through hooking NtCreateThreadEx). Simply hook NtAllocateVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx -> when the remote thread is being created, check the logged info to see if any hooks on NtAllocateVirtualMemory/NtWriteVirtualMemory had been triggered previously and use the info from the parameters on that to identify injection behavior (e.g. because sometimes there are legitimate purposes for calling those functions, not related to DLL injection).

    Like at the least it could have used some system calls, and for x86-x64 it could've just handled the SysWow ntdll.dll!Wow64Transition to add that support.

    Honestly this banking Trojan is pretty crap - the only reason why some might make out it's advanced is probably because a majority of the malware in the wild is even crapper these days.
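The correlation mWave describes (hook NtAllocateVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx, then at remote-thread creation check whether the same caller earlier allocated and wrote the region the thread starts in) can be sketched as a small event correlator. The code below is an added example for this thread, not code from Fortinet's analysis or from any AV product; the pipe-separated trace format and the sample events are constructed for illustration.

```python
"""Correlate NtAllocateVirtualMemory / NtWriteVirtualMemory / NtCreateThreadEx
hook events and flag a remote thread whose start address lies inside a region
the same caller previously allocated (executable) and wrote in another process.
Detection logic only; the trace below is constructed, not captured telemetry."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed trace: seq|caller pid|API|target pid|address|size|protection
# (this field layout is an assumption for the example, not a real hook log format).
SAMPLE_TRACE = [
    "1|4120|NtAllocateVirtualMemory|4120|0x00A00000|0x1000|PAGE_READWRITE",          # local alloc
    "2|4120|NtCreateThreadEx|4120|0x00401000|0x0|",                                   # thread in own process
    "3|4120|NtAllocateVirtualMemory|2276|0x02F00000|0x3000|PAGE_EXECUTE_READWRITE",  # remote RWX alloc
    "4|4120|NtWriteVirtualMemory|2276|0x02F00000|0x2A00|",                            # payload written there
    "5|4120|NtCreateThreadEx|2276|0x02F00010|0x0|",                                   # remote thread in that region
    "6|5100|NtWriteVirtualMemory|2276|0x00410000|0x4|",                               # debugger-style patch, no thread
    "7|5100|NtCreateThreadEx|2276|0x76A12340|0x0|",                                   # thread outside any region 5100 allocated
]


@dataclass
class Event:
    seq: int
    pid: int       # process making the call
    api: str
    target: int    # process the handle refers to
    addr: int
    size: int
    protect: str   # only meaningful for allocations


def parse_line(line: str) -> Event:
    seq, pid, api, target, addr, size, protect = line.split("|")
    return Event(int(seq), int(pid), api, int(target), int(addr, 16), int(size, 16), protect)


@dataclass
class PairState:
    """What one caller has done to one target process so far."""
    allocs: List[Tuple[int, int, str]] = field(default_factory=list)  # (base, size, protect)
    writes: List[Tuple[int, int]] = field(default_factory=list)       # (addr, size)


def in_region(addr: int, base: int, size: int) -> bool:
    return base <= addr < base + size


def detect_injection(lines: List[str]) -> List[dict]:
    state: Dict[Tuple[int, int], PairState] = {}
    alerts: List[dict] = []
    for ev in map(parse_line, lines):
        st = state.setdefault((ev.pid, ev.target), PairState())
        if ev.api == "NtAllocateVirtualMemory":
            st.allocs.append((ev.addr, ev.size, ev.protect))
        elif ev.api == "NtWriteVirtualMemory":
            st.writes.append((ev.addr, ev.size))
        elif ev.api == "NtCreateThreadEx" and ev.pid != ev.target:
            # Only remote threads matter; thread creation inside one's own process is ordinary.
            for base, size, protect in st.allocs:
                if not in_region(ev.addr, base, size):
                    continue
                written = any(in_region(w, base, size) for w, _ in st.writes)
                if written and "EXECUTE" in protect:
                    alerts.append({
                        "source": ev.pid, "target": ev.target,
                        "region_base": base, "region_size": size,
                        "thread_seq": ev.seq, "start": ev.addr,
                    })
    return alerts


if __name__ == "__main__":
    for a in detect_injection(SAMPLE_TRACE):
        print(f"pid {a['source']} -> pid {a['target']}: remote thread (seq {a['thread_seq']}) "
              f"at {a['start']:#x} inside region {a['region_base']:#x}+{a['region_size']:#x}")
```

Keying the state on (caller, target) is what keeps the benign events quiet: the local allocation and local thread of pid 4120 never meet the remote rule, and pid 5100's four-byte write with no thread, or its thread at an address it never allocated, match nothing. A real hook layer would also expire stale state and handle the thread start address being an indirect stub, but the alloc/write/thread ordering is the signal.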
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
It was an interesting read. Appguard and MZwritescanner would have given it a run for its money.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Just as Dridex v4 got "creative" by employing atombombing, I am sure Trickbot will likewise find another area of Windows to exploit. After all, there certainly seem to be many of those .....
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    What is unique about Trickbot is its creation of a SID as noted below:
-EDIT- Will also add that I have never seen a SID created the way this malware did so. You used to be able to create a new SID using the NEWSID tool: https://oasysadmin.com/2012/02/27/generate-a-new-sid-on-windows-server-2008-and-windows-7/ prior to Win 7. Appears this malware found a new vulnerability similar to atombombing.
     
    Last edited: Apr 28, 2017
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Interesting analysis! And yes, it seems to be using process hollowing which is a very popular method nowadays. So if you can block this you're already good. Strangely enough it's not using any system process like explorer.exe or svchost.exe? And it's probably using the CreateRemoteThread method since it perhaps assumes that processes with system rights are not monitored by HIPS?

    Lastly, certain HIPS like Zemana and SpyShelter will try to block the modification of browser hooks, so this would block it from hijacking browser traffic, even if you can't block code injection. In theory this would even stop Dridex which uses the atom-bombing method.
     
  9. mWave

    mWave Guest

    This method of injection is incredibly easy to identify, since if you do not manual map the DLL into the target process it'll be found within the ModulesList in the PEB (Process Environment Block); however, if you manual map the injection, you won't find the injected module as a module within the process in a tool like Process Hacker, it's much more difficult to detect.
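The distinction mWave draws here is between a DLL that appears in the PEB loader list and one that was manually mapped and does not. The defensive counterpart is to walk the process's memory regions and flag committed executable regions that no loaded module accounts for, then look for a PE header at the region base. The following is an added example written for this thread, not code from Process Hacker or any product named above; the Module and Region records stand in for the PEB loader list and MEMORY_BASIC_INFORMATION, and all snapshot data is constructed.

```python
"""Flag committed executable memory regions that no entry of the loaded-module
list accounts for, and check whether a PE header sits at the region base.
Constructed snapshot data; on a live system the inputs would come from
VirtualQueryEx and the PEB loader module list."""
from dataclasses import dataclass
from typing import List


@dataclass
class Module:          # one entry of the process's loaded-module list (assumed shape)
    name: str
    base: int
    size: int


@dataclass
class Region:          # simplified MEMORY_BASIC_INFORMATION plus the first bytes at base
    base: int
    size: int
    state: str         # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    type: str          # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    protect: str       # PAGE_*
    head: bytes = b""


EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


def has_pe_header(head: bytes) -> bool:
    """DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def backed_by_module(region: Region, modules: List[Module]) -> bool:
    return any(m.base <= region.base < m.base + m.size for m in modules)


def find_unbacked_executable(regions: List[Region], modules: List[Module]) -> List[dict]:
    findings = []
    for r in regions:
        if r.state != "MEM_COMMIT" or r.protect not in EXECUTABLE:
            continue
        if backed_by_module(r, modules):
            continue
        findings.append({"base": r.base, "size": r.size, "type": r.type,
                         "protect": r.protect, "pe_header": has_pe_header(r.head)})
    return findings


# Constructed PE header: 'MZ', zero padding to 0x3C, e_lfanew = 0x40, then 'PE\0\0'.
FAKE_PE_HEAD = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"

SAMPLE_MODULES = [
    Module("sample.exe", 0x00400000, 0x80000),
    Module("ntdll.dll", 0x77000000, 0x1A0000),
    Module("kernel32.dll", 0x76A00000, 0x110000),
]
SAMPLE_REGIONS = [
    Region(0x00400000, 0x1000, "MEM_COMMIT", "MEM_IMAGE", "PAGE_READONLY", FAKE_PE_HEAD),   # exe headers
    Region(0x00401000, 0x60000, "MEM_COMMIT", "MEM_IMAGE", "PAGE_EXECUTE_READ"),            # exe .text, backed
    Region(0x00A00000, 0x10000, "MEM_COMMIT", "MEM_PRIVATE", "PAGE_READWRITE"),             # heap, not executable
    Region(0x02F00000, 0x3000, "MEM_COMMIT", "MEM_PRIVATE", "PAGE_EXECUTE_READ", FAKE_PE_HEAD),  # image mapped by hand
    Region(0x1A000000, 0x1000, "MEM_COMMIT", "MEM_PRIVATE", "PAGE_EXECUTE_READWRITE", b"\x55\x8b\xec"),  # raw code, no header
    Region(0x1B000000, 0x1000, "MEM_RESERVE", "MEM_PRIVATE", "PAGE_NOACCESS"),              # reserved only
    Region(0x77001000, 0x100000, "MEM_COMMIT", "MEM_IMAGE", "PAGE_EXECUTE_READ"),           # ntdll .text, backed
]

if __name__ == "__main__":
    for f in find_unbacked_executable(SAMPLE_REGIONS, SAMPLE_MODULES):
        print(f"{f['base']:#010x} +{f['size']:#x} {f['type']} {f['protect']} "
              f"PE header: {f['pe_header']}")
```

Two caveats a practitioner would apply on a real process: browsers and managed runtimes create private executable regions for JIT code, so an unbacked region is a lead rather than a verdict, and a PE header at the base raises confidence while its absence does not clear the region, since a loader can erase the header after mapping. The module list is also only as trustworthy as the process it lives in, which is why the comparison is made against memory rather than the list alone.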
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
Heap space? I wonder how many developers get questions about whether their software X will prevent against this type of attack or all the new ones that come out every week? Who do we know that has exploit protection?
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Most of the major AV vendor products have exploit protection; Eset and Kaspersky definitely have it. If you don't want to use one of those, there is HMP-A.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    There are certain tools designed to detect modified API hooks inside browser memory, no matter what code injection method was used. Tools that should in theory be able to do this: Zemana, SpyShelter, Trusteer, HitmanPro.Alert and G DATA Internet Security.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    IBM has Trickbot samples here: https://exchange.xforce.ibmcloud.co...g-Collection-7de0fbe1c87471ca9e259db9dc075aa5
    https://securityintelligence.com/tr...-for-targets-with-redirection-attacks-in-tow/
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "Mitigating TrickBot Attacks
    Banks looking for technological solutions to mitigate threats such as malware attacks and redirection schemes are invited to learn more about the IBM Security Trusteer Fraud Protection Suite. To learn more about mitigating threats such as the TrickBot Trojan, users can visit our post for tips and advice to apply in everyday browsing."

    I wonder who was paying for this write up?
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Actually, a number of banks use Trusteer. Those that do will offer a free download of the client ver. to their customers. I tried it multiple times on Win 7 and it was a "system hog" resource-wise. Haven't tried it on Win 10.
     
  17. guest

    guest Guest

    TrickBot Banking Trojan Gets Screenlocker Component
    March 22, 2018
    https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-gets-screenlocker-component/
     
  18. guest

    guest Guest

    TrickBot's Screenlocker Module Isn't Meant for Ransomware Ops
    April 24, 2018
    https://www.bleepingcomputer.com/ne...nlocker-module-isnt-meant-for-ransomware-ops/
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I was thinking, shouldn't all banking trojans fail against sites protected with 2FA? I never understood how they could bypass this.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Because 2FA has nothing to do with their activities. Banking Trojans hijack the browser using methods like .dll, memory, etc. injection. For example, using a keylogger or screen capturer. I have noticed that most banking web sites now hide entered logon data fields such as passwords and the like.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    The thing is, I have been reading about banking trojans quite a lot in the last few years, but they never really explain how 2FA is bypassed. In certain cases they will have to infect both PC and smartphone.

    But how to bypass one time passwords, generated by hardware authenticators? Even if malware hijacks the browser (via code injection + API Hooking) and redirects users to a modified or fake banking site you still need the OTP. So I can't fully visualize it.

    https://www.vasco.com/products/two-factor-authenticators/hardware/index.html
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
This process is different. The problem is many bank web sites only employ this for exceptional banking activities. Mine for example, only employs it for monetary transfers to another external bank account where the amount exceeds a certain threshold.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
OK, so it all depends on which bank you're using. In Holland, most banks use the OTP method, and I don't see how banking trojans can bypass this. There was one bank that didn't even use 2FA and they got nailed.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, what do you think about my idea, I don't see how banking trojans would bypass this system:

    https://www.wilderssecurity.com/thr...at-battle-has-just-begun.405239/#post-2764187
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I assume you are referring to this:
    Many banks have this in some fashion as an optional security measure. However, the "password" in the form of a numeric code is sent to your cell phone by their server. You then must enter that code with a limited time period on the bank web site logon page.
     