A forum for reverse engineering, OS internals and malware analysis 

TrickBot

Forum for analysis and discussion about malware.

TrickBot

 #29466  by tildedennis
 Thu Oct 20, 2016 6:58 pm
* https://twitter.com/hasherezade/status/ ... 1998101505
* http://www.threatgeek.com/2016/10/trick ... ction.html

Sample (attached): https://virustotal.com/en/file/2c4eab03 ... /analysis/

Each of the <srv>s are queried for a <servconf>:
Code: Select all
<servconf>
<expir>1480550400</expir>
<plugins>
<psrv>80.79.114.179:443</psrv>
</plugins>
Modules are downloaded from <psrv>s. 2 modules attached: systeminfo and injectDll. At the end of each module is a <moduleconfig>, something like this for injectDll:
Code: Select all
<moduleconfig>
<autostart>yes</autostart>
<needinfo name="id"/>
<needinfo name="ip"/>
<autoconf>
<conf ctl="dinj" file="dinj" period="90"/>
<conf ctl="sinj" file="sinj" period="90"/>
<conf ctl="dpost" file="dpost" period="180"/>
</autoconf>
</moduleconfig>
The <conf> files are downloaded from <srvs> again. dinj targets .au banks and looks like:
Code: Select all
<igroup>
<dinj>
<lm>*/onlineserv/CM*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*ibanking.stgeorge.com.au/ibank/loginPage.action*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*ib.nab.com.au/nabib/index.jsp*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*banking.westpac.com.au/wbc/banking/handler*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*anz.com/IBAU/BANKAWAYTRAN*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
<dinj>
<lm>*anz.com/INETBANK/login.asp*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
<igroup>
<dinj>
<lm>*cibconline.cibc.com/olbtxn/authentication/*.cibc*</lm>
<hl>91.219.28.103/response.php</hl>
<pri>100</pri>
<sq>1</sq>
</dinj>
</igroup>
dpost like:
Code: Select all
<dpost>
<handler>http://188.138.1.53:8082</handler>
</dpost>
And sinj is empty.
Attachments
(359.13 KiB) Downloaded 110 times

Re: TrickBot

 #29469  by entdark
 Fri Oct 21, 2016 6:18 am
all samples for the time being are using pretty much the same config, the only thing changing is the ver and gtag
this one ver is 00003 whilst the first ones were 000002 and gtag was tmt2
Code: Select all
<ver>1000003</ver>
<gtag>tt00002</gtag>
<servs>
<srv>91.219.28.77:443</srv>
<srv>193.9.28.24:443</srv>
<srv>37.1.209.51:443</srv>
<srv>138.201.44.28:443</srv>
<srv>188.116.23.98:443</srv>
<srv>104.250.138.194:443</srv>
<srv>46.22.211.34:443</srv>
<srv>68.179.234.69:443</srv>
<srv>5.12.28.0:443</srv>
<srv>36.37.176.6:443</srv>
<srv>37.109.52.75:443</srv>
<srv>84.232.251.0:443</srv>

Re: TrickBot

 #31458  by sysopfb
 Tue Apr 17, 2018 11:48 pm
Apparently the loader being used by TrickBot which I was calling TrickLoader added UACME #41 back in December atleast according to this post by F5 labs https://labsblog.f-secure.com/2017/12/1 ... christmas/ - thanks Antelox for your google-fu on finding this!


Kind of interesting since that was right around the time IcedId added #41 as well which was documented on these forums.

I was running through the loader which has added a lot of obfuscation including string obfuscation and function XOR encoding/decoding routines as it needs each function.

I outlined my research notes here: https://sysopfb.github.io/malware/2018/ ... uacme.html

Doc and TrickBot sample attached
Attachments
pw: infected
(201.81 KiB) Downloaded 28 times
 Return to “Malware”