Submitted URL: http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
Effective URL: https://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
Submission: On November 16 via api from US — Scanned from DE
Dec 21

LET'S LEARN: INTRODUCING NEW TRICKBOT LDAP "DOMAINGRABBER" MODULE

Goal: Reverse the latest Trickbot module called "DomainGrabber," also known as "domainDll32," used for LDAP harvesting of domain controller configuration.

Source:
* domainDll32 (encoded) (cec42d8ef68aae0a5da8230db75d91fd)
* domainDll32 (decoded) (1e2791877da02d49998dea79515a89ca)
* Trickbot loader (b4d342dc89bc16a1acccd40204064830)

> looks like a new #trickbot. Don't know distribution method.
> hxxp://sumnercapital.com[.]au/ser1812.png not doing much in sandboxes.
> https://t.co/hDrMFerQqU https://t.co/WUhfRXk5Xf https://t.co/6YGQ6L7dhn
> @VK_Intel @James_inthe_box @malware_traffic @iCyberFighter
> — My Online Security (@dvk01uk) December 18, 2017

Background

While analyzing one of the latest Trickbot loaders with group tag "ser1812/tt0002" (version 1000105-1000106), shared by @dvk01uk, I found an interesting Trickbot module titled "domainDll." (Tip: the "tt0002" group tag is known as a "Trick Test" tag; it is oftentimes deployed to update the existing config on the victim machine.)

Trickbot "DomainGrabber" outline:
I. Lightweight Directory Access Protocol (LDAP) query for domain controllers
II. Connection to the domain controller's "SYSVOL" share
III. Harvesting domain controller XML configuration

As usual, the decoded module contains four Trickbot exported functions:
* Start
* Control
* FreeBuffer
* Release

The observed Trickbot main config module was as follows (version 1000106):

    <mcconf>
    <ver>1000106</ver>
    <gtag>tt0002</gtag>
    <servs>
    <srv>200.111.97[.]235:449</srv>
    <srv>177.250.126[.]51:449</srv>
    <srv>94.250.253[.]142:443</srv>
    <srv>82.146.48[.]44:443</srv>
    <srv>80.87.199[.]190:443</srv>
    <srv>82.146.49[.]135:443</srv>
    <srv>82.146.48[.]187:443</srv>
    <srv>37.46.133[.]10:443</srv>
    <srv>92.53.91[.]15:443</srv>
    <srv>188.120.243[.]242:443</srv>
    <srv>92.53.66[.]177:443</srv>
    <srv>92.53.78[.]228:443</srv>
    <srv>92.53.66[.]162:443</srv>
    <srv>82.146.48[.]243:443</srv>
    <srv>37.46.131[.]45:443</srv>
    <srv>78.24.218[.]168:443</srv>
    <srv>37.46.133[.]14:443</srv>
    <srv>62.109.17[.]228:443</srv>
    <srv>82.146.61[.]103:443</srv>
    <srv>82.146.61[.]140:443</srv>
    <srv>82.146.61[.]247:443</srv>
    <srv>92.63.96[.]24:443</srv>
    <srv>194.87.232[.]167:443</srv>
    <srv>185.158.114[.]164:443</srv>
    <srv>37.230.112[.]104:443</srv>
    <srv>194.87.103[.]83:443</srv>
    <srv>92.53.91[.]113:443</srv>
    <srv>37.230.113[.]100:443</srv>
    <srv>95.213.195[.]221:443</srv>
    <srv>37.230.113[.]118:443</srv>
    <srv>194.87.238[.]4:443</srv>
    <srv>194.87.98[.]166:443</srv>
    <srv>195.2.253[.]125:443</srv>
    <srv>94.250.248[.]168:443</srv>
    <srv>179.43.160[.]53:443</srv>
    <srv>37.46.133[.]251:443</srv>
    <srv>194.87.144[.]222:443</srv>
    </servs>
    <autorun>
    <module name="systeminfo" ctl="GetSystemInfo" />
    <module name="injectDll" />
    </autorun>
    </mcconf>

Summary

"domainDll32," compiled via 'GCC: (Rev1, Built by MSYS2 project) 7.2.0,' allows Trickbot operators to collect domain controller information once they are already on the compromised machine. This module is internally called "DomainGrabber" and accepts the command "getdata" in order to start harvesting domain information. domainDll appears to be aimed at exploiting networks with unsecured domain controllers.
More specifically, this module targets "SYSVOL" for domain configuration data. According to Microsoft, "SYSVOL is simply a folder which resides on each and every domain controller within the domain. It contains the domains public files that need to be accessed by clients and kept synchronised between domain controllers. The default location for the SYSVOL is C:\Windows\SYSVOL although it can be moved to another location during the promotion of a domain controller. It's possible but not recommended to relocate the SYSVOL after DC promotion as there is potential for error. The SYSVOL folder can be accessed through its share \\domainname.com\sysvol or the local share name on the server \\servername\sysvol."

What is more, SYSVOL stores various logon scripts, group policy and domain configuration XML data that is synchronized among all domain controllers in the network. Essentially, Trickbot grabs credential and group policy information stored in SYSVOL from the following files:
* groups.xml
* services.xml
* scheduledtasks.xml
* datasources.xml
* printers.xml
* drives.xml

Sean Metcalf has an interesting write-up on how LDAP can be exploited for credential and information harvesting, highlighting the same approach leveraged by the Trickbot gang.

I. This Trickbot module was programmed leveraging Active Directory Service Interfaces (ADSI) APIs to query LDAP.
    IIDFromString(L"{001677D0-FD16-11CE-ABC4-02608C9E7553}", &iid);

IID_IADsContainer is defined as 001677D0-FD16-11CE-ABC4-02608C9E7553.

    ads_open = ADsOpenObject("G", 0, 0, 1u, &iid, &v11);

The ADsOpenObject function binds to an ADSI object using an explicit user name and password; the path argument observed here starts with the letter "G".

    IIDFromString(L"{00020404-0000-0000-C000-000000000046}", &iid);

This is the GUID of the IEnumVARIANT interface.

    IIDFromString(L"{109BA8EC-92F0-11D0-A790-00C04FD8D5A8}", &iid);

IID_IDirectorySearch is defined as 109BA8EC-92F0-11D0-A790-00C04FD8D5A8.

The module queries all domain controllers with the following LDAP filter (1.2.840.113556.1.4.803 is the bitwise-AND matching rule, and 8192 is the SERVER_TRUST_ACCOUNT bit of userAccountControl, which only domain controller computer accounts carry):

    (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

II. Trickbot connects to the domain controller and queries SYSVOL, parsing the results of the aforementioned LDAP query. The relevant pseudocoded C++ function is as follows:

    // Resolve the domain controller name returned by the LDAP search
    str_func((int)&name, 260, "%ls", *(_DWORD *)(v6 + 8));
    v26 = gethostbyname(&name);
    if ( v26 )
    {
      v25 = (struct in_addr *)*v26->h_addr_list;
      v2 = inet_ntoa(*v25);
      MultiByteToWideChar(0, 1u, v2, -1, &WideCharStr, 32);
      // Obtain the machine's own domain name
      v30 = DsRoleGetPrimaryDomainInformation(0, DsRolePrimaryDomainInfoBasic, &Buffer);
      if ( v30 )
        return v21;
      // Build \\<DC IP>\SYSVOL\<domain name> and map the share
      snwprintf_s(&DstBuf, 260u, 260u, L"\\\\%ls\\SYSVOL\\%ls", &WideCharStr, *((_DWORD *)Buffer + 3));
      memset(&Dst, 0, 0x20u);
      lpName = &DstBuf;
      v30 = WNetAddConnection2W((LPNETRESOURCEW)&Dst, 0, 0, 0);
      if ( !v30 )
      {
        // Enumerate files on the mapped share, then drop the connection
        finder_files((int)&DstBuf);
        WNetCancelConnection2W(lpName, 0, 0);

III. Finally, Trickbot queries the mapped domain controller share for sensitive XML configurations such as scheduledtasks.xml, datasources.xml, printers.xml, etc.

Some of the mitigations against LDAP exploitation are well-documented in Metcalf's article listed above. As a general rule of thumb, such configuration files in SYSVOL should be secured from any unauthorized access, and access to them should be monitored.
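The six preference files listed above are worth auditing before an intruder reads them: Group Policy Preferences items that carry a cpassword attribute are the stored credentials that make SYSVOL attractive in the first place. The following audit script is an added example (not code from this post or from the Trickbot module): it walks a SYSVOL copy, or the live share when run on a domain controller, finds those six file names and reports every element with a cpassword attribute without copying the ciphertext anywhere. The sample SYSVOL tree, its policy GUIDs and its account names are constructed for the demonstration.

```python
"""Audit a SYSVOL tree for Group Policy Preferences XML files that embed
stored credentials (a cpassword attribute). Added example; the sample tree
built by build_sample_sysvol() is constructed, not real SYSVOL data."""
import os
import tempfile
import xml.etree.ElementTree as ET

# The preference files named in the post. Matched case-insensitively, since
# SYSVOL is case-insensitive and the real files are written Groups.xml etc.
GPP_FILES = {
    "groups.xml", "services.xml", "scheduledtasks.xml",
    "datasources.xml", "printers.xml", "drives.xml",
}

# Attributes that name the account a stored credential belongs to.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")


def find_gpp_files(root):
    """Yield the path of every GPP preference file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in GPP_FILES:
                yield os.path.join(dirpath, name)


def stored_credentials(path):
    """One finding per element that has a cpassword attribute.
    The ciphertext itself is deliberately not copied into the finding."""
    base = os.path.basename(path).lower()
    try:
        tree = ET.parse(path)
    except ET.ParseError as exc:
        # A file that will not parse still deserves a look by a human.
        return [{"path": path, "name": base, "tag": None,
                 "account": None, "error": str(exc)}]
    findings = []
    for elem in tree.iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS
                        if a in elem.attrib), None)
        findings.append({"path": path, "name": base, "tag": elem.tag,
                         "account": account, "error": None})
    return findings


def audit_sysvol(root):
    """Walk root and collect every cpassword finding."""
    results = []
    for path in sorted(find_gpp_files(root)):
        results.extend(stored_credentials(path))
    return results


# --- constructed sample tree (placeholder GUIDs, accounts and ciphertext) ---
_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="LocalAdmin">
    <Properties action="U" cpassword="CONSTRUCTED_PLACEHOLDER_CIPHERTEXT"
                neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""
_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{00000000-0000-0000-0000-000000000003}">
  <Task clsid="{00000000-0000-0000-0000-000000000004}" name="NightlyBackup">
    <Properties action="C" appName="backup.exe" runAs="CONTOSO\\svc_backup"
                cpassword="CONSTRUCTED_PLACEHOLDER_CIPHERTEXT"/>
  </Task>
</ScheduledTasks>
"""
_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{00000000-0000-0000-0000-000000000005}">
  <Drive clsid="{00000000-0000-0000-0000-000000000006}" name="H:">
    <Properties action="U" path="\\\\fileserver\\home" letter="H"/>
  </Drive>
</Drives>
"""


def build_sample_sysvol():
    """Create a throwaway SYSVOL-like tree and return its root directory."""
    root = tempfile.mkdtemp(prefix="sysvol_sample_")
    policy = os.path.join(root, "contoso.local", "Policies",
                          "{00000000-0000-0000-0000-0000000000AA}")
    layout = {
        os.path.join(policy, "Machine", "Preferences", "Groups", "Groups.xml"): _GROUPS_XML,
        os.path.join(policy, "Machine", "Preferences", "ScheduledTasks",
                     "ScheduledTasks.xml"): _TASKS_XML,
        os.path.join(policy, "User", "Preferences", "Drives", "Drives.xml"): _DRIVES_XML,
        os.path.join(policy, "GPT.INI"): "[General]\nVersion=1\n",
    }
    for path, content in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in audit_sysvol(build_sample_sysvol()):
        print(f"{f['path']}: <{f['tag']}> account={f['account']} error={f['error']}")
```

Point audit_sysvol() at the root of a SYSVOL copy (or at \\servername\sysvol on a DC) to get one record per stored credential; the presence of any finding means the preference item should be removed and the account's password rotated, since the stored value is readable by every authenticated domain user.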
Posted 21st December 2017 by Vitali Kremez
Labels: cybercriminal reverse engineering
Apr 25

LET'S LEARN: TRICKBOT "BAZARBACKDOOR" PROCESS HOLLOWING INJECTION PRIMER

Goal: Review the latest stealthy TrickBot group backdoor dubbed "BazarBackdoor" as well as its process injection methodology.

Source:
* Crypted Loader SHA-256: 1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
* 64-bit Backdoor SHA-256: 5974d938bc3bbfc69f68c979a6dc9c412970fc527500735385c33377ab30373a

Outline:
I. BazarBackdoor: Background & Executive Summary
II. BazarLoader: Process Hollowing Methodology
III. BazarLoader: Host Persistence
IV. BazarBackdoor: Overview
V. Yara Signature: BazarBackdoor Payload
VI. Mitre ATT&CK Framework: BazarBackdoor Payload
VII. Network JA3 Signature: BazarLoader Malware

I. BazarBackdoor: Background & Executive Summary

BazarBackdoor is a new stealthy covert malware leveraged against high-value targets as part of the TrickBot group toolkit arsenal. For more overall information, please read the BleepingComputer report from Lawrence Abrams related to this malware's functionality and discovery.

The malware was signed as "VB CORPORATE PTY. LTD." (DigiCert).

The TrickBot backdoor is lightweight malware designed to evade detection. It leverages a known TrickBot group crypter with the notable VirtualAllocExNuma API and RC4 decoder sequence.

The TrickBot Anchor project and this backdoor both utilize the same Emercoin DNS for the server communication, requesting the payload via /api/ with the architecture configuration (for example, /api/86 and /api/88). By and large, Emercoin DNS is a legitimate provider that is leveraged here for .bazar domain resolution.

The goal of this fileless loader and backdoor is not to elevate privileges but to avoid detection as far as possible, staying silent and only loading extra functionality as additional modules. In case those modules get flagged as malicious, the bot itself would still remain on the system.

The malware combination consists of two parts: the loader and the bot. The bot's goal is to execute binaries, scripts, and modules, kill processes and remove itself from the compromised machine.

II. BazarLoader: Process Hollowing Methodology

The malware utilizes the process hollowing injection approach, injecting the core backdoor into svchost.exe via the following sequence:

    CreateProcessA(0, pDestCmdLine, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &startupInfo, &processInfo)
    -> Find PEB
    -> Locate Remote Image
    -> NtUnmapViewOfSection
    -> VirtualAllocEx(processInfo.hProcess, peb.ImageBaseAddress, ..., MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    -> WriteProcessMemory()
    -> WriteProcessMemory(SourceImage.NumberOfSections)

III. BazarLoader: Host Persistence

The loader adds itself to \Software\Microsoft\Windows\CurrentVersion\Run and uses its process key for persistence.

The malware decryption routine is as follows (pseudocode from the decompiled loader, tidied into valid C; the ptr[i + 1] index offset is reproduced from the listing as-is):

    // Rolling single-byte XOR: the key is incremented after every byte.
    void Encrypt_Decrypter(BYTE *ptr, size_t len, BYTE key)
    {
        for (size_t i = 0; i < len; i++)
        {
            ptr[i] = ptr[i + 1] ^ key;
            key++;
        }
    }

IV. BazarBackdoor: Overview

The backdoor's goal is to execute binaries, scripts, and modules, kill processes and remove itself from the compromised machine.

V. Yara Signature: BazarBackdoor Payload

    rule crime_win64_backdoor_bazarbackdoor1 {
        meta:
            description = "Detects BazarBackdoor injected 64-bit malware"
            author = "@VK_Intel"
            reference = "https://twitter.com/pancak3lullz/status/1252303608747565057"
            tlp = "white"
            date = "2020-04-24"
        strings:
            $str1 = "%id%"
            $str2 = "%d"
            $start = { 48 ?? ?? ?? ?? 57 48 83 ec 30 b9 01 00 00 00 e8 ?? ?? ?? ?? 84 c0 0f ?? ?? ?? ?? ?? 40 32 ff 40 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8a d8 8b ?? ?? ?? ?? ?? 83 f9 01 0f ?? ?? ?? ?? ?? 85 c9 75 ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 85 c0 74 ?? b8 ff 00 00 00 e9 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? ?? ?? ?? eb ?? 40 b7 01 40 ?? ?? ?? ?? 8a cb e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b d8 48 ?? ?? ?? 74 ?? }
            $server = { 40 53 48 83 ec 20 48 8b d9 e8 ?? ?? ?? ?? 85 c0 75 ?? 0f ?? ?? ?? ?? ?? ?? 66 83 f8 50 74 ?? b9 bb 01 00 00 66 3b c1 74 ?? a8 01 74 ?? 48 8b cb e8 ?? ?? ?? ?? 84 c0 75 ?? 48 8b cb e8 ?? ?? ?? ?? b8 f6 ff ff ff eb ?? 33 c0 48 83 c4 20 5b c3 }
        condition:
            ( uint16(0) == 0x5a4d and ( 3 of them ) ) or ( all of them )
    }

VI. Mitre ATT&CK Framework: BazarBackdoor Payload

The mapped Mitre ATT&CK Framework techniques are as follows:
* T1093 - Process Hollowing
* Signature - TransactedHollowing
* T1055 - Process Injection
* Signature - InjectionInterProcess

VII. Network JA3 Signature: BazarLoader Malware

JA3: f5e62b5a2ed9467df09fae7a8a54dda6

The hostnames used for the command-and-control servers are:
* forgame.bazar
* bestgame.bazar
* thegame.bazar
* newgame.bazar
* portgame.bazar

Posted 25th April 2020 by Vitali Kremez
Labels: bazarbackdoor crimeware injection trickbot
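The process hollowing chain laid out in section II of the BazarBackdoor post (a CREATE_SUSPENDED child, NtUnmapViewOfSection on its image base, an RWX VirtualAllocEx at that base, then a run of WriteProcessMemory calls) is easier to catch as an ordered sequence than as any single API call, because each call on its own is common in legitimate software. The detector below is an added example, not code from the post or from the TrickBot group's tooling: it reads a per-process API trace in a constructed "pid;api;detail" line format (a stand-in for whatever a sandbox or EDR API monitor emits; the sample trace and its PIDs are made up) and reports every process that completes the chain.

```python
"""Flag the process hollowing API sequence from a per-process API trace.
Added example; SAMPLE_TRACE and its 'pid;api;detail' format are constructed."""
from collections import defaultdict

# Constructed trace: pid 1204 performs the full hollowing chain into
# svchost.exe, pid 3320 writes into a child it started normally, and pid
# 4410 starts a suspended child (as a debugger would) without hollowing it.
SAMPLE_TRACE = """\
1204;CreateProcessA;svchost.exe CREATE_SUSPENDED
1204;NtQueryInformationProcess;ProcessBasicInformation
1204;ReadProcessMemory;PEB.ImageBaseAddress
1204;NtUnmapViewOfSection;0x0000000140000000
1204;VirtualAllocEx;0x0000000140000000 MEM_COMMIT|MEM_RESERVE PAGE_EXECUTE_READWRITE
1204;WriteProcessMemory;headers
1204;WriteProcessMemory;section .text
1204;WriteProcessMemory;section .rdata
1204;WriteProcessMemory;section .data
3320;CreateProcessW;notepad.exe
3320;WriteProcessMemory;0x000000000040a000
4410;CreateProcessA;child.exe CREATE_SUSPENDED
4410;ResumeThread;
"""


def parse_trace(text):
    """Group 'pid;api;detail' lines into an ordered call list per pid."""
    calls = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Pad so that a line with no detail field still unpacks cleanly.
        pid, api, detail = (line.split(";", 2) + ["", ""])[:3]
        calls[int(pid)].append((api, detail))
    return calls


def detect_hollowing(calls):
    """Return {pid: {"target": image, "writes": n}} for every process whose
    calls contain, in order: CreateProcess* with CREATE_SUSPENDED,
    NtUnmapViewOfSection, VirtualAllocEx with PAGE_EXECUTE_READWRITE, and
    at least one WriteProcessMemory afterwards."""
    findings = {}
    for pid, seq in calls.items():
        stage, target, writes = 0, None, 0
        for api, detail in seq:
            if stage == 0 and api.startswith("CreateProcess") \
                    and "CREATE_SUSPENDED" in detail:
                target = detail.split()[0]
                stage = 1
            elif stage == 1 and api == "NtUnmapViewOfSection":
                stage = 2
            elif stage == 2 and api == "VirtualAllocEx" \
                    and "PAGE_EXECUTE_READWRITE" in detail:
                stage = 3
            elif stage == 3 and api == "WriteProcessMemory":
                writes += 1
        if stage == 3 and writes:
            findings[pid] = {"target": target, "writes": writes}
    return findings


if __name__ == "__main__":
    for pid, info in detect_hollowing(parse_trace(SAMPLE_TRACE)).items():
        print(f"pid {pid}: hollowing of {info['target']} "
              f"({info['writes']} WriteProcessMemory calls)")
```

The stage machine only advances on the exact call the chain expects next, so a debugger that merely starts a suspended child (pid 4410) or a process that writes into a normally started child (pid 3320) never reaches the final stage; the number of WriteProcessMemory calls is kept in the finding because the post's sequence writes the headers first and then one call per section, which is a useful corroborating detail in triage.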