TrickBot: We Missed you, Dyre

Saturday, October 15, 2016

In November 2015, the Dyre banking trojan seemingly disappeared overnight surprising security researchers worldwide.  Months later it was announced that Russian authorities had arrested most of the gang responsible for its operations.  Prior to that, it was a relatively rare act for Russian authorities to take action in such matters.  Since then, nothing has been heard from those actors but the speculation was that some of programmers and other elements of the criminal operation would be subsumed into other cybercriminal operations.

In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.

This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.

The campaign we have observed involving TrickBot includes webinjects that target banks in Australia. A full list of hashes, IOCs and targets is available at the end of this blog post.

With regards to TrickBot, while the version of the bot has been reset and quite a lot of code has been removed we don’t believe this is an old version but is instead a rewrite, since the coding style is not conclusively that of old Dyre. While the bot performs very similar functions and activities, the code style is quite a bit different than the older Dyre code in a few respects

  • Instead of running commands directly the bot interfaces with TaskScheduler through COM for persistence
  • Instead of running an onboard SHA256 hashing routine or AES routine the bot utilizes Microsoft CryptoAPI
  • There is considerably more code in the C++ programming language versus the original Dyre that used C for the most part.

Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot. With moderate confidence, we assess that one of more of the original developers of Dyre is involved with TrickBot.

This blog post details our technical analysis of TrickBot.

Crypter

The first thing we noticed is the custom crypter which after careful analysis was found to be used for both TrickLoader along with Vawtrak, Pushdo and Cutwail malware. This is interesting because Cutwail spambot was a favorite of old Dyre crew for use in their spam campaigns.

Loader

Next we take a look at the loader which from first glance appears to be similarly constructed as Dyre's loader, including a x86 and x64 bot version and another section named x64 loader(Figure 1).

Image1

 

 

 

 

 

 

 

Figure 1 TrickLoader resources

The loader simply checks if it is running on a 32 or 64bit system before decoding the appropriate resource section(s). The bit check is performed using GetNativeSystemInfo (Figure 2). The decoding routine is a LCG(Linear Congruential Generator) based routine using a hardcoded seed of 12345 (Figure 3).

Image2

Figure 2 TrickLoader Bit Check

Image3

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 3 TrickLoader resource decode

Image4

 

 

 

 

 

 

Figure 4 TrickBot resource sections

 

The Bot

The bot shows a number of similarities to Dyre but appears to have been rewritten. This assumption is made based on old Dyre code, which would primarily use built-in functions for doing things such as AES and SHA256 hashing. In the recent samples identifying themselves as TrickBot, the code appears to be based on that old code but rewritten to use things such as Microsoft CryptoAPI and COM.

Similar to old Dyre the bot comes with an onboard config in its resource section along with an ECC cert (Figure 4). The bot also uses a very similar but slightly modified version of the old Dyre C2 decryption, this routine is then used for encrypting/decrypting all data respectively. The algorithm used by Dyre for generating the AES and IV from the first 48 bytes of data based on a rehashing scheme was commonly referred to as Dyre's derive_key function, this function was slightly changed in the new bot.

Image5Figure 5 TrickBot Derive Key

Image6

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 6 TrickBot Decrypt

For starters, both the AES key and IV are derived using 128 rounds of SHA256, the key is derived from the first 32 bytes of data and the IV from bytes 16 through 48(Figure 5). Another slight modification is the hash data instead of being continually rehashed, the data is now appended to each subsequent hash and that data is then hashed to get the next hash, ultimately ending after 128 iterations with the key based on the hash of all the accumulated data. Knowing this is enough to modify the old Dyre decrypt and derive key functions to work for TrickBot(Figure 6). This routine is used to decode the onboard config(Figure 5), the C2 traffic and the modules.

 

Image7

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 7 Onboard Bot Config

Image8

 

 

 

 

 

 

 

Figure 8 Onboard Module Config

Modules 

The first bots pushed for testing of TrickBot came with a single module called GetSystemInfo. This module comes in both 32bit and 64bit version and includes an interesting pdb path(C:\Users\The trick\YandexDisk\Projects\Bot\Bot_(1006)_08.12.2016\Bot\GetSystemInfo_solution\x86\Release\GetSystemInfo.pdb). As the name suggests the module appears to be entirely geared towards harvesting system information, probably to give the developers a better understanding of their test bots. The modules also come with their own embedded moduleconfig(Figure 6) and are stored on disk in a ‘/modules/’ folder at the same location that the bot runs out of. Also, as was the case with Dyre the modules are downloaded from the mod server which has been renamed in the initial config for TrickBot to plugin server or psrv. 

On October 13, 2016 a new bot was found that contained the injectDll which is the browser inject module for TrickBot, the webinject config filenames are stored in the moduleconfig of the injectDll module as sinj, dinj and dpost. It would appear as though the injects are still being tested and possibly added as they convert them over to the new structure. This setup does fall in line with how Dyre had its config separated out though. 

While the bot is still missing quite a lot from what was previously seen in Dyre it is obvious that there is correlation between the code used in this bot and that from Dyre. As the bot appears in development they are pushing to rebuild their Cutwail botnet in preparation for future spam runs. It’ll be interesting to see if TrickBot can reach or pass its predecessor.

References:

Indicators:

TrickLoader Hashes:
a4dfd173610d318acb4784645cf5e712d552b51d0c8cf10b2c4414d0486af27d
f26649fc31ede7594b18f8cd7cdbbc15
aef4293a36fd3538ff1986a27fec8d7461ec9ced76fb035ae85f53e178109570
80833a25e57130a8e0be9bb5debde7ae
721cc1bbe4a6ebd1a417a064f95743568e8992028340c070dd5f159fe79f8ddf
6250e7bff472fd184819b976a5953b8d
4c5bdb9dcf1348e3263e03d1f0da8db7a37c9f9deddd845a02e49481c01ccd74
d94d858859408f8ab82e2b9a42d00700
198efe2f386515ba82e72d09081f0336114b128ee1d617484f0577388b62c219
ad62ee05f8691706be1f4b5a672731ac
65084d73b23728c2f3f3401769cc1f905ec26506b63886dd530a5a554156e90d
ab4d591d294673ce7ea1c1517dc0a54f
9f8e1cdd9542f31833318d966109a29f9798e051a7f8887f140a37ca909442d4
d28be15020d54647023a75ba5f2845af
6eccaf6e907693976b4f99a3c44b7066a4df9cce4d1775f686dbb62bae29f8be
e4a8dc8fd08d4f65a68d0a40e2190c70
cb5ec9a3e30a50f8eecc65c88948446a7f0c1a7cb633483596738f15c2f399c3
0804499dba4090c439e580f5693660e0
919660bd3ff450996744dbacf1730762e5ab998223883030f157f5a84902c56d
bf621ef7e98047fea8c221e17c1837b8
edcfa1ebba218fef31113b6ce16724ec4d8836439e26899ec11cddee848436bd
38503c00be6b7f7eeb5076c0bd071b4c
 
 
Pushdo with same crypter:
a2424ac280ba8c9344ed37e254394cd21014e0c027b4f1932421717b8255dbf2
829708246ef66e4fc16fdc5f184dea2e
158e1a57aaec3bba92e16995a00a1627c5194a90d980a1caf0f5b8c38c4d15b9
f12fb808815a36f768028238101e5916
 
Trickbot C2s:
188.138.1.53:8082
27.208.131.97:443
37.109.52.75:443
91.219.28.77:443
193.9.28.24:443
37.1.209.51:443
138.201.44.28:443
188.116.23.98:443
104.250.138.194:443
46.22.211.34:443             
68.179.234.69:443
5.12.28.0:443
36.37.176.6:443

91.219.28.103/response.php

Config Targets:

cibconline.cibc.com

anz.com

banking.westpac.com.au

ib.nab.com.au

ibanking.stgeorge.com.au

/onlineserv/CM

 

-- Fidelis Threat Researcher Jason Reaves