Submitted URL: http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
Effective URL: https://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
LET'S LEARN: INTRODUCING NEW TRICKBOT LDAP "DOMAINGRABBER" MODULE

Goal: Reverse the latest Trickbot module called "DomainGrabber," also known as
"domainDll32," used for LDAP harvesting of domain controller configuration.

Source:

 * domainDll32 (encoded) (cec42d8ef68aae0a5da8230db75d91fd)
 * domainDll32 (decoded) (1e2791877da02d49998dea79515a89ca)
 * Trickbot loader (b4d342dc89bc16a1acccd40204064830)
   > looks like anew #trickbot . Don't know distribution method.
   > hxxp://sumnercapital.com[.]au/ser1812.png not doing much in sandboxes.
   > https://t.co/hDrMFerQqU https://t.co/WUhfRXk5Xf https://t.co/6YGQ6L7dhn
   > @VK_Intel @James_inthe_box @malware_traffic @iCyberFighter
   > — My Online Security (@dvk01uk) December 18, 2017

   

Background
While analyzing one of the latest Trickbot loaders with group tag
"ser1812/tt0002" (version 1000105-1000106), shared by @dvk01uk, I found an
interesting Trickbot module titled "domainDll". (Tip: the "tt0002" group tag is
known as a "Trick Test" tag; it is oftentimes deployed to update the existing
config on the victim machine.)
Trickbot "DomainGrabber" outline:

I. Lightweight Directory Access Protocol (LDAP) query for domain controllers
II. Connection to "SYSVOL" domain controller
III. Harvesting domain controller XML configuration

As usual, the decoded module contains four Trickbot exported functions:

 * Start
 * Control
 * FreeBuffer
 * Release

The observed Trickbot main config module was as follows (version 1000106):
<mcconf>
   <ver>1000106</ver>
   <gtag>tt0002</gtag>
   <servs>
      <srv>200.111.97[.]235:449</srv>
      <srv>177.250.126[.]51:449</srv>
      <srv>94.250.253[.]142:443</srv>
      <srv>82.146.48[.]44:443</srv>
      <srv>80.87.199[.]190:443</srv>
      <srv>82.146.49[.]135:443</srv>
      <srv>82.146.48[.]187:443</srv>
      <srv>37.46.133[.]10:443</srv>
      <srv>92.53.91[.]15:443</srv>
      <srv>188.120.243[.]242:443</srv>
      <srv>92.53.66[.]177:443</srv>
      <srv>92.53.78[.]228:443</srv>
      <srv>92.53.66[.]162:443</srv>
      <srv>82.146.48[.]243:443</srv>
      <srv>37.46.131[.]45:443</srv>
      <srv>78.24.218[.]168:443</srv>
      <srv>37.46.133[.]14:443</srv>
      <srv>62.109.17[.]228:443</srv>
      <srv>82.146.61[.]103:443</srv>
      <srv>82.146.61[.]140:443</srv>
      <srv>82.146.61[.]247:443</srv>
      <srv>92.63.96[.]24:443</srv>
      <srv>194.87.232[.]167:443</srv>
      <srv>185.158.114[.]164:443</srv>
      <srv>37.230.112[.]104:443</srv>
      <srv>194.87.103[.]83:443</srv>
      <srv>92.53.91[.]113:443</srv>
      <srv>37.230.113[.]100:443</srv>
      <srv>95.213.195[.]221:443</srv>
      <srv>37.230.113[.]118:443</srv>
      <srv>194.87.238[.]4:443</srv>
      <srv>194.87.98[.]166:443</srv>
      <srv>195.2.253[.]125:443</srv>
      <srv>94.250.248[.]168:443</srv>
      <srv>179.43.160[.]53:443</srv>
      <srv>37.46.133[.]251:443</srv>
      <srv>194.87.144[.]222:443</srv>
   </servs>
   <autorun>
      <module name="systeminfo" ctl="GetSystemInfo" />
      <module name="injectDll" />
   </autorun>
</mcconf>
Summary
"domainDll32," compiled with 'GCC: (Rev1, Built by MSYS2 project) 7.2.0,' allows
Trickbot operators to collect domain controller information once they are
already on the compromised machine. This module is internally called
"DomainGrabber" and accepts the command "getdata" to start harvesting domain
information. domainDll appears to be aimed at exploiting networks with unsecured
domain controllers.
More specifically, this module targets "SYSVOL" for domain configuration data.
According to Microsoft, "SYSVOL is simply a folder which resides on each and
every domain controller within the domain. It contains the domain's public files
that need to be accessed by clients and kept synchronised between domain
controllers. The default location for the SYSVOL is C:\Windows\SYSVOL although
it can be moved to another location during the promotion of a domain
controller. It's possible but not recommended to relocate the SYSVOL after DC
promotion as there is potential for error. The SYSVOL folder can be accessed
through its share \\domainname.com\sysvol or the local share name on the server
\\servername\sysvol."

What is more, SYSVOL stores various logon scripts, group policy and domain
configuration XML data that is synchronized among all domain controllers in the
network. Essentially, Trickbot grabs credential and group policy information
stored in SYSVOL from the following files:

 * groups.xml
 * services.xml
 * scheduledtasks.xml
 * datasources.xml
 * printers.xml
 * drives.xml

Sean Metcalf has an interesting write-up on how LDAP can be exploited for
credential and information harvesting; it highlights an approach similar to the
one leveraged by the Trickbot gang.

I. This Trickbot module was programmed leveraging Active Directory Service
Interfaces (ADSI) APIs to query LDAP.

IIDFromString(L"{001677D0-FD16-11CE-ABC4-02608C9E7553}", &iid);
    IID_IADsContainer is defined as 001677D0-FD16-11CE-ABC4-02608C9E7553

ads_open = ADsOpenObject("G", 0, 0, 1u, &iid, &v11);
    The ADsOpenObject function binds to an ADSI object using an explicit user
    name and password; the path argument here starts with the letter "G"

IIDFromString(L"{00020404-0000-0000-C000-000000000046}", &iid);
    The GUID associated with the IEnumVARIANT interface

IIDFromString(L"{109BA8EC-92F0-11D0-A790-00C04FD8D5A8}", &iid);
    IID_IDirectorySearch is defined as 109BA8EC-92F0-11D0-A790-00C04FD8D5A8
The module queries all domain controllers with the following LDAP filter:

(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
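As an added example (not code from the original post or from the module), the following Python evaluates that filter offline against constructed directory entries: 1.2.840.113556.1.4.803 is LDAP's bitwise-AND matching rule and 8192 (0x2000) is the SERVER_TRUST_ACCOUNT bit of userAccountControl that writable domain controllers carry, so the query returns exactly the DCs. The parser also handles the bitwise-OR rule 1.2.840.113556.1.4.804 and negation, which goes beyond the single filter shown above.

```python
# Added example (not from the post): evaluate the DomainGrabber LDAP filter offline.
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
SERVER_TRUST_ACCOUNT = 0x2000        # 8192, the userAccountControl bit carried by DCs
TRICKBOT_FILTER = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

# Constructed entries; objectCategory shortened to its class name.
SAMPLE_ENTRIES = [
    {"cn": "DC01", "objectCategory": "computer", "userAccountControl": 0x82000},    # DC
    {"cn": "WS01", "objectCategory": "computer", "userAccountControl": 0x1000},     # workstation
    {"cn": "RODC1", "objectCategory": "computer", "userAccountControl": 0x5001000}, # RODC, no 0x2000 bit
    {"cn": "jdoe", "objectCategory": "person", "userAccountControl": 0x200},        # user
]

def parse_filter(text):
    # RFC 4515 subset: (&..), (|..), (!..), (attr=value), (attr:matchingRuleOID:=value)
    pos = 0
    def node():
        nonlocal pos
        assert text[pos] == "(", "expected '('"
        pos += 1
        if text[pos] in "&|!":                     # composite filter
            op, kids, pos = text[pos], [], pos + 1
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        else:                                      # simple or extensible match
            end = text.index(")", pos)
            attr, value = text[pos:end].split("=", 1)
            rule = None
            if attr.endswith(":"):
                attr, rule, _ = attr.split(":")
            result, pos = ("cmp", attr, rule, value), end
        pos += 1                                   # consume ')'
        return result
    return node()

def matches(node, entry):
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    if attr not in entry:
        return False
    if rule == BIT_AND:                            # every bit of value set
        return int(entry[attr]) & int(value) == int(value)
    if rule == BIT_OR:                             # any bit of value set
        return int(entry[attr]) & int(value) != 0
    return str(entry[attr]).lower() == value.lower()

def select(filter_text, entries=SAMPLE_ENTRIES):
    tree = parse_filter(filter_text)
    return [e["cn"] for e in entries if matches(tree, e)]   # cn of each matching entry
```

Note that a read-only DC does not carry SERVER_TRUST_ACCOUNT, so this filter enumerates writable DCs only.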
II. Trickbot parses the result of the aforementioned LDAP query, connects to the
domain controller, and queries its SYSVOL share.

The relevant pseudocoded C++ function is as follows (decompiler output with
comments added; the excerpt ends where the original does):

str_func((int)&name, 260, "%ls", *(_DWORD *)(v6 + 8));   // host name from the LDAP result column
v26 = gethostbyname(&name);
if ( v26 )
{
  v25 = (struct in_addr *)*v26->h_addr_list;
  v2 = inet_ntoa(*v25);                                    // DC name -> dotted IP address
  MultiByteToWideChar(0, 1u, v2, -1, &WideCharStr, 32);
  v30 = DsRoleGetPrimaryDomainInformation(0, DsRolePrimaryDomainInfoBasic, &Buffer);
  if ( v30 )
    return v21;
  // Buffer + 3 DWORDs is DomainNameDns of DSROLE_PRIMARY_DOMAIN_INFO_BASIC (32-bit layout)
  snwprintf_s(&DstBuf, 260u, 260u, L"\\\\%ls\\SYSVOL\\%ls", &WideCharStr, *((_DWORD *)Buffer + 3));
  memset(&Dst, 0, 0x20u);                                  // NETRESOURCEW, zeroed
  lpName = &DstBuf;                                        // \\<DC IP>\SYSVOL\<domain DNS name>
  v30 = WNetAddConnection2W((LPNETRESOURCEW)&Dst, 0, 0, 0);
  if ( !v30 )
  {
    finder_files((int)&DstBuf);                            // walk the share and collect files
    WNetCancelConnection2W(lpName, 0, 0);                  // drop the connection afterwards
III. Finally, Trickbot collects the sensitive XML configuration files stored on
the domain controller, such as scheduledtasks.xml, datasources.xml, printers.xml,
etc.

Some of the mitigations against LDAP exploitation are well documented in
Metcalf's article mentioned above. As a general rule of thumb, such
configuration files in SYSVOL should be secured from any unauthorized access,
and access to them should be monitored.
Posted 21st December 2017 by Vitali Kremez
Labels: cybercriminal reverse engineering


LET'S LEARN: TRICKBOT "BAZARBACKDOOR" PROCESS HOLLOWING INJECTION PRIMER

Goal: Review the latest stealthy TrickBot group backdoor dubbed "BazarBackdoor"
as well as its process injection methodology.


Source:


Crypted Loader SHA-256: 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
64-bit Backdoor SHA-256: 5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a

Outline:

I. BazarBackdoor: Background & Executive Summary
II. BazarLoader: Process Hollowing Methodology
III. BazarLoader: Host Persistence
IV. BazarBackdoor: Overview
V. Yara Signature: BazarBackdoor Payload
VI. Mitre ATT&CK Framework: BazarBackdoor Payload
VII. Network JA3 Signature: BazarLoader Malware

I. BazarBackdoor: Background & Executive Summary
BazarBackdoor is a new stealthy covert malware used against high-value targets
and part of the TrickBot group's toolkit arsenal. For more overall information,
please read the BleepingComputer report from Lawrence Abrams on this malware's
functionality and discovery.
The malware was signed as "VB CORPORATE PTY. LTD." with a DigiCert-issued
certificate.
The TrickBot backdoor is lightweight malware built to evade detection. It
leverages a known TrickBot group crypter with the notable VirtualAllocExNuma API
and RC4 decoder sequence.



The TrickBot Anchor project and this backdoor both utilize the same Emercoin DNS
for the server communication via /api/ requests for the payload matching the
architecture configuration (for example, /api/86 and /api/88). By and large,
Emercoin DNS is a legitimate provider that is leveraged for .bazar domain
resolution.
The goal of this fileless loader and backdoor is not to elevate privileges but
to avoid detection as far as possible by staying silent and only loading extra
functionality as additional features. In case those get flagged as malicious,
the bot itself would still remain on the system.
The malware combination consists of two parts: loader and bot. The bot's goal is
to execute binaries, scripts, and modules, kill processes and remove itself from
the compromised machine.
II. BazarLoader: Process Hollowing Methodology
The malware utilizes the process hollowing injection approach, injecting the
core backdoor into svchost.exe via the following sequence:

 * CreateProcessA(0, pDestCmdLine, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &startupInfo, &processInfo)
 * Find PEB -> Locate Remote Image
 * NtUnmapViewOfSection
 * VirtualAllocEx(processInfo.hProcess, peb.ImageBaseAddress, ..., MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
 * WriteProcessMemory()
 * WriteProcessMemory(SourceImage.NumberOfSections)
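As an added example (not code from the post or from the malware), the following Python correlates that exact chain over a constructed API trace so the sequence can be turned into a detection rule: a suspended CreateProcess, an unmap of the target's image base, an RWX allocation at that same base, and a write into it, all against one target process. The trace format and its field names are assumed for the example.

```python
# Added example (not from the post): correlate a constructed API trace for the
# hollowing chain above. Trace format and field names are assumed.
CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40
CHAIN = ("CreateProcessA", "NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory")

# Constructed lines: "<caller pid> <api> <target pid> key=value ..."
SAMPLE_TRACE = """\
4120 CreateProcessA 5008 image=C:\\Windows\\System32\\svchost.exe flags=0x4
4120 NtUnmapViewOfSection 5008 base=0x400000
4120 VirtualAllocEx 5008 addr=0x400000 protect=0x40
4120 WriteProcessMemory 5008 addr=0x400000 size=0x400
4120 WriteProcessMemory 5008 addr=0x401000 size=0x5000
4120 ResumeThread 5008
6200 CreateProcessA 6210 image=C:\\Windows\\System32\\notepad.exe flags=0x0
6200 VirtualAllocEx 6210 addr=0x7ff600000000 protect=0x40
6200 WriteProcessMemory 6210 addr=0x7ff600000000 size=0x10
"""

def parse_trace(text):
    events = []
    for line in text.splitlines():
        caller, api, target, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append((int(caller), api, int(target), fields))
    return events

def detect_hollowing(events):
    """(caller, target) pairs for which the whole chain was seen in order with hollowing arguments."""
    step = {}      # target pid -> next expected index into CHAIN
    base = {}      # target pid -> image base unmapped by NtUnmapViewOfSection
    hits = []
    for caller, api, target, f in events:
        i = step.get(target, 0)
        if i == len(CHAIN) or api != CHAIN[i]:
            continue                                   # not the next expected step
        if api == "CreateProcessA":                    # target must start suspended
            ok = (int(f.get("flags", "0"), 16) & CREATE_SUSPENDED) != 0
        elif api == "NtUnmapViewOfSection":            # remember the hollowed-out base
            base[target] = f.get("base")
            ok = True
        elif api == "VirtualAllocEx":                  # RWX exactly where the image was unmapped
            ok = f.get("addr") == base.get(target) and int(f.get("protect", "0"), 16) == PAGE_EXECUTE_READWRITE
        else:                                          # first write lands in the new region
            ok = f.get("addr") == base.get(target)
        if ok:
            step[target] = i + 1
            if i + 1 == len(CHAIN):
                hits.append((caller, target))
    return hits
```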


III. BazarLoader: Host Persistence
The loader adds itself to \Software\Microsoft\Windows\CurrentVersion\Run and
uses its process key for persistence.

The malware decryption routine is as follows (cleaned up from the decompiled
output; the loop reads one byte ahead, so ptr must hold len + 1 bytes):

const char *Encrypt_Decrypter(unsigned char *ptr, size_t len, BYTE key)
{
  // ... (buffer setup elided in the decompiled output)
  for (size_t i = 0; i < len; i++)
  {
    ptr[i] = ptr[i + 1] ^ key;  // output byte = next input byte XOR rolling key
    key++;                      // key advances by one per byte
  }
  return (const char *)ptr;
}

IV. BazarBackdoor: Overview
The backdoor goal is to execute binaries, scripts, and modules, kill processes
and remove itself from the compromised machine.


V. Yara Signature: BazarBackdoor Payload


rule crime_win64_backdoor_bazarbackdoor1 {

meta:
 description = "Detects BazarBackdoor injected 64-bit malware"
 author = "@VK_Intel"
 reference = "https://twitter.com/pancak3lullz/status/1252303608747565057"
 tlp = "white"
 date = "2020-04-24"

strings:
 $str1 = "%id%"
 $str2 = "%d"

 $start = { 48 ?? ?? ?? ?? 57 48 83 ec 30 b9 01 00 00 00 e8 ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 40 32 ff 40 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8a d8 8b ?? ?? ?? ?? ?? 83 f9 01 0f ?? ?? ?? ?? ?? 85 c9 75 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? b8 ff 00 00 00 e9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? 40 b7 01 40 ?? ?? ?? ?? 8a cb e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b d8 48 ?? ?? ?? 74 ??}
 $server = {40 53 48 83 ec 20 48 8b d9 e8 ?? ?? ?? ?? 85 c0 75 ?? 0f ?? ?? ?? ?? ?? ?? 66 83 f8 50 74 ?? b9 bb 01 00 00 66 3b c1 74 ?? a8 01 74 ?? 48 8b cb e8 ?? ?? ?? ?? 84 c0 75 ?? 48 8b cb e8 ?? ?? ?? ?? b8 f6 ff ff ff eb ?? 33 c0 48 83 c4 20 5b c3}
 
condition:
 ( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )

}



VI. Mitre ATT&CK Framework: BazarBackdoor Payload
The mapped Mitre ATT&CK Framework is as follows:


 * T1093 - Process Hollowing
    * Signature - TransactedHollowing

 * T1055 - Process Injection
    * Signature - InjectionInterProcess

VII. Network JA3 Signature: BazarLoader Malware (f5e62b5a2ed9467df09fae7a8a54dda6)
The hostnames used for the command-and-control servers are:


forgame.bazar 
bestgame.bazar
thegame.bazar
newgame.bazar
portgame.bazar




Posted 25th April 2020 by Vitali Kremez
Labels: bazarbackdoor crimeware injection trickbot

