Dyre Authors Apparently Working on New Banking Trojan

Discussion in 'malware problems & news' started by ronjor, Oct 17, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    60,067
    Location:
    Texas
    By Eduard Kovacs on October 17, 2016
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,916
    https://www.infosecurity-magazine.com/news/trickbot-enhances-attack-vecto/
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,768
    Location:
    U.S.A.
    Here's a very detailed analysis of Trickbot: https://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot

    To say it is nasty would be an understatement. Appears just opening a Word document can get you infected. Although the standard malware trick of displaying a message about opening outside of protected mode and enabling macros is displayed, it is a decoy with the payload already being downloaded. In other words, the target has enabled the VBA project model setting for macros.

    Malware has a lot in common with latest Dridex variant since process thread hijacking is used. The dropper process creates a suspended child process in memory, injects its malware code and decrypts it, and then launches it. In other words, fileless malware behavior.

    Also this puppy runs with System privileges and installs itself in the system32\config\systemprofile\AppData\Roaming directory. This directory is used by the OS to run files with System privileges just like user apps are run from the %AppData% directory.

    Persistence is maintained by creating a scheduled task and by creating registry entries to hijack the browser.
     
    Last edited: Apr 28, 2017
  4. mWave

    mWave Registered Member

    Joined:
    Oct 30, 2016
    Posts:
    93
    Location:
    United Kingdom
    Thanks for the share, interesting read. :)

    ----
    I am not sure why Fortinet do not just say that the sample uses Dynamic Forking (also known as "Process Hollowing" or "RunPE") after the details; it's evidently clear that this is occurring due to the API calls passing through the NTDLL.DLL system call layer; NtUnmapViewOfSection, NtAllocateVirtualMemory, NtGetContextThread, NtSetContextThread and NtResumeThread. It starts off with the call to NtCreateUserProcess (the NTAPI function eventually called when using CreateProcessA/W) where it is being started in a suspended state (which is why NtResumeThread is used at the end - resume the process after the modifications).

    I am confused as to why the Task Scheduler was even used for obtaining SYSTEM privileges, since it implies the malware already had administrator privileges. This also means that the malware could have installed a device driver to auto-elevate an already existent process to be running under the NT Authority Account (SYSTEM), or it could have simply created a new Windows Service which would then steal the token from a Windows process already running under SYSTEM like winlogon.exe (where it is not protected from a handle being obtained) -> CreateProcessAsUser (Win32 API call) and use the token which was stolen to force the process to be run under the SYSTEM account.

    The code injection isn't even via manual map (injection without the DLL being linked to the PEB, ModulesList) or thread hijacking/codecave, it's just using CreateRemoteThread (monitored by almost every proper serious AV product on the market, and this monitoring is achieved through hooking NtCreateThreadEx). Simply hook NtAllocateVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx -> when the remote thread is being created, check the logged info to see if any hooks on NtAllocateVirtualMemory/NtWriteVirtualMemory had been triggered previously and use the info from the parameters on that to identify injection behavior (e.g. because sometimes there are legitimate purposes for calling those functions, not related to DLL injection).

    Like at the least it could have used some system calls, and for x86-x64 it could've just handled the SysWow ntdll.dll!Wow64Transition to add that support.

    Honestly this banking Trojan is pretty crap - the only reason why some might make out it's advanced is probably because a majority of the malware in the wild is even crapper these days.
     
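    The detection logic sketched above (hook NtAllocateVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx, then judge each remote thread creation against the earlier allocate/write calls on the same target) as an added worked example; this is not code from the thread or from Fortinet's analysis, the event records are constructed, and the field names and `InjectionMonitor` class are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Event:
    api: str            # hooked NTAPI name
    caller: int         # PID that issued the call
    target: int         # PID the process-handle argument refers to
    addr: int = 0       # base address (alloc/write) or thread start address
    size: int = 0       # region size (alloc) or bytes written
    protect: str = ""   # page protection requested (alloc only)

class InjectionMonitor:
    """Tracks foreign allocations/writes per target PID (constructed logic)."""

    def __init__(self):
        self._regions = {}  # target pid -> list of region records

    def observe(self, ev):
        """Feed one hook event; returns a finding string or None."""
        regs = self._regions.setdefault(ev.target, [])
        in_region = lambda r: r["base"] <= ev.addr < r["base"] + r["size"]
        if ev.api == "NtAllocateVirtualMemory" and ev.caller != ev.target:
            # only allocations made by a *foreign* process are worth tracking
            regs.append({"base": ev.addr, "size": ev.size, "protect": ev.protect,
                         "caller": ev.caller, "written": False})
        elif ev.api == "NtWriteVirtualMemory":
            for r in regs:
                if r["caller"] == ev.caller and in_region(r):
                    r["written"] = True
        elif ev.api == "NtCreateThreadEx" and ev.caller != ev.target:
            for r in regs:
                if r["caller"] == ev.caller and r["written"] and in_region(r):
                    return (f"pid {ev.caller} -> pid {ev.target}: remote thread at "
                            f"{ev.addr:#x} in {r['protect']} region it allocated and wrote")
        return None

def scan(events):
    """Run all events through one monitor; returns the list of findings."""
    mon = InjectionMonitor()
    return [f for f in map(mon.observe, events) if f]

# constructed sample log: pid 4000 injects into pid 1234; pid 1234 works locally
SAMPLE_EVENTS = [
    Event("NtAllocateVirtualMemory", 1234, 1234, 0x10000, 0x1000, "RW"),
    Event("NtCreateThreadEx", 1234, 1234, 0x10000),                  # local, benign
    Event("NtAllocateVirtualMemory", 4000, 1234, 0x7F0000, 0x2000, "RWX"),
    Event("NtWriteVirtualMemory", 4000, 1234, 0x7F0000, 0x1800),
    Event("NtCreateThreadEx", 4000, 1234, 0x7F0010),                 # remote, flagged
    Event("NtCreateThreadEx", 5000, 1234, 0x7F0010),                 # no prior write by 5000
]
```

    Only the thread whose start address lies inside a region the same foreign process both allocated and wrote is reported; the local thread and the remote thread without a preceding write stay silent, which is the false-positive control the post alludes to.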
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,812
    It was an interesting read. Appguard and MZwritescanner would have given it a run for its money.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,768
    Location:
    U.S.A.
    Just as Dridex v4 got "creative" by employing atombombing, I am sure Trickbot will likewise find another area of Windows to exploit. After all, there certainly seem to be many of those .....
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,768
    Location:
    U.S.A.
    What is unique about Trickbot is its creation of a SID as noted below:
    -EDIT- Will also add that I have never seen a SID created the way this malware did so. You used to be able to create a new SID using the NEWSID tool: https://oasysadmin.com/2012/02/27/generate-a-new-sid-on-windows-server-2008-and-windows-7/ prior to Win 7. Appears this malware found a new vulnerability similar to atombombing.
     
    Last edited: Apr 28, 2017
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,350
    Location:
    The Netherlands
    Interesting analysis! And yes, it seems to be using process hollowing which is a very popular method nowadays. So if you can block this you're already good. Strangely enough it's not using any system process like explorer.exe or svchost.exe? And it's probably using the CreateRemoteThread method since it perhaps assumes that processes with system rights are not monitored by HIPS?

    Lastly, certain HIPS like Zemana and SpyShelter will try to block the modification of browser hooks, so this would block it from hijacking browser traffic, even if you can't block code injection. In theory this would even stop Dridex which uses the atom-bombing method.
     
  9. mWave

    mWave Registered Member

    Joined:
    Oct 30, 2016
    Posts:
    93
    Location:
    United Kingdom
    This method of injection is incredibly easy to identify, since if you do not manual map the DLL into the target process it'll be found within the ModulesList in the PEB (Process Environment Block); however, if you manual map the injection, you won't find the injected module as a module within the process in a tool like Process Hacker, and it's much more difficult to detect.
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,397
    Heap space? I wonder how many developers get questions about whether their software X will prevent against this type of attack or all the new ones that come out every week? Who do we know that has exploit protection?
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,768
    Location:
    U.S.A.
    Most of the major AV vendor products have exploit protection; Eset and Kaspersky definitely have it. If you don't want to use one of those, there is HMP-A.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,768
    Location:
    U.S.A.
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,350
    Location:
    The Netherlands
    There are certain tools designed to detect modified API hooks inside browser memory, no matter what code injection method was used. Tools that should in theory be able to do this: Zemana, SpyShelter, Trusteer, HitmanPro.Alert and G DATA Internet Security.
     
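    One way the "modified API hooks inside browser memory" check mentioned above can work, regardless of how the code got into the process, is to compare each exported function's in-memory prologue against the relocated on-disk bytes and decode any detour found. This is an added example, not code from the thread or from any of the named products; the module base and size, export addresses and byte snapshots are constructed for a 32-bit process, and `scan_exports`/`decode_hook` are names chosen for the example.

```python
from dataclasses import dataclass

MODULE_BASE, MODULE_SIZE = 0x76000000, 0x200000   # constructed: a 32-bit wininet-like module
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"           # mov edi,edi / push ebp / mov ebp,esp

@dataclass
class Export:
    name: str
    va: int         # virtual address of the function in the process
    disk: bytes     # first bytes as mapped from the file on disk (relocations applied)
    memory: bytes   # first bytes as read from the live browser process

def decode_hook(va, mem):
    """Recognise the two usual inline-hook prologues and return (kind, target VA)."""
    if len(mem) >= 5 and mem[0] == 0xE9:                     # jmp rel32
        rel = int.from_bytes(mem[1:5], "little", signed=True)
        return "jmp rel32", (va + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:  # push imm32 ; ret
        return "push/ret", int.from_bytes(mem[1:5], "little")
    return "unknown patch", None

def scan_exports(exports, base=MODULE_BASE, size=MODULE_SIZE):
    """Compare each export's in-memory prologue with the on-disk bytes.
    Returns (name, kind, target, foreign) for every modified export, where
    foreign is True when the detour leaves the module's own image."""
    findings = []
    for e in exports:
        n = min(len(e.disk), len(e.memory))
        if e.disk[:n] == e.memory[:n]:
            continue                                 # prologue intact: not hooked
        kind, target = decode_hook(e.va, e.memory)
        foreign = target is not None and not (base <= target < base + size)
        findings.append((e.name, kind, target, foreign))
    return findings

def jmp_rel32(src_va, dst_va):
    """Build 'jmp dst' bytes the way a hook writer would (used only for the sample)."""
    rel = dst_va - (src_va + 5)
    return b"\xe9" + rel.to_bytes(4, "little", signed=True)

SAMPLE_EXPORTS = [   # constructed process snapshot: two hooked exports, one clean
    Export("HttpSendRequestA", 0x76012340, CLEAN_PROLOGUE,
           jmp_rel32(0x76012340, 0x10001000)),          # detour into an injected image
    Export("InternetReadFile", 0x76020000, CLEAN_PROLOGUE,
           b"\x68" + (0x10002000).to_bytes(4, "little") + b"\xc3"),
    Export("InternetOpenA", 0x76030000, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
]
```

    A detour whose target lies inside the module's own image (hot-patching by the OS or a legitimate product) is reported with `foreign=False`, so the caller can separate it from a jump into memory no module on disk accounts for.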
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,768
    Location:
    U.S.A.
    IBM has Trickbot samples here: https://exchange.xforce.ibmcloud.co...g-Collection-7de0fbe1c87471ca9e259db9dc075aa5
    https://securityintelligence.com/tr...-for-targets-with-redirection-attacks-in-tow/
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,397
    "Mitigating TrickBot Attacks
    Banks looking for technological solutions to mitigate threats such as malware attacks and redirection schemes are invited to learn more about the IBM Security Trusteer Fraud Protection Suite. To learn more about mitigating threats such as the TrickBot Trojan, users can visit our post for tips and advice to apply in everyday browsing."

    I wonder who was paying for this write up?
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,768
    Location:
    U.S.A.
    Actually, a number of banks use Trusteer. Those that do will offer a free download of the client ver. to their customers. I tried it multiple times on Win 7 and it was a "system hog" resource-wise. Haven't tried it on Win 10.
     