Trickbot Update: From Credential Theft to Business Disruption
May 14, 2019 | Endpoint | Vadim Sedletsky
Researchers recently discovered a new variant of the original Trickbot that turns the banking Trojan into a remote application credentials thief. Developed in 2016, the original TrickBot was one of the more recent banking Trojans, with many of its original features inspired by Dyreza (another banking Trojan), though Trickbot can also steal from Bitcoin wallets.
The original Trickbot’s main capabilities include harvesting emails and credentials using the Mimikatz tool. However, Trickbot’s authors show an extraordinary ability to constantly add new features and developments – and auto-update the infected machines with the new releases.
The newest variants of the malware should give the security-ops team something to watch out for. The previous Trickbot variant included a password-grabbing module, but the latest variant takes application credentials theft a step further.
The new variant of Trickbot is somewhat similar to the previous version discovered in 2018. However, the updated version adds some new functionality – mainly in the remote desktop space. These new features include Virtual Network Computing (VNC), PuTTY and the Remote Desktop Protocol (RDP) platform. There is no doubt that the TrickBot authors are agile and creative and this is what makes this specific banking Trojan so dangerous.
TrickBot is typically spread via malicious spam (malspam) campaigns—for instance, spear phishing emails disguised as unpaid invoices or requests to update account information. Other methods of propagation include embedded URLs and infected attachments, such as Microsoft Word documents, and Excel files regarding tax returns with macros enabled. TrickBot is also seen as a secondary infection dropped by Emotet. And, with the help of those stolen NSA exploits that keep proving their worth, once it has infected a single endpoint, TrickBot can then spread laterally through the network using the SMB vulnerability (MS17-010), which includes either the EternalBlue, EternalRomance or EternalChampion exploit.
VNC: To grab VNC credentials, the pwgrab module searches for files with the “*.vnc.lnk” affix, which are usually located in the following directories:
- %USERPROFILE%\Documents
- %USERPROFILE%\Downloads
The stolen information includes the target machine’s hostname, port and proxy settings.
PuTTY: To retrieve the PuTTY credentials, Trickbot probes the registry key Software\SimonTatham\Putty\Sessions to identify the saved connection settings. This allows the module to retrieve information, such as the Hostname and Username, and Private Key Files used for authentication.
RDP: Trickbot’s third function uses the CredEnumerateA API to identify and steal stored credentials. It then parses the string “target=TERMSRV” to identify the hostname, username and password saved for each RDP credential.
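To see how much of this a given user profile actually exposes, the following script inventories the three stores the pwgrab module targets. It is an added example, not code from the original article or from any vendor; it lists entry names only, and `HostName`, `UserName` and `PublicKeyFile` are PuTTY's own saved-session value names rather than anything taken from the article.

```powershell
# Added example: inventory the credential stores described above for the current user.
# It lists entry names only and never reads passwords or private-key contents.

function Get-PuttySessionExposure {
    $root = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'   # key named in the article
    if (-not (Test-Path $root)) { return }
    Get-ChildItem $root | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Store  = 'PuTTY'
            Entry  = [uri]::UnescapeDataString($_.PSChildName)   # session names are %-escaped
            Target = $s.HostName
            Detail = "user saved: $([bool]$s.UserName); key file set: $([bool]$s.PublicKeyFile)"
        }
    }
}

function Get-VncShortcutExposure {
    # Only the two directories the article lists are searched (no recursion).
    $dirs = 'Documents', 'Downloads' | ForEach-Object { Join-Path $env:USERPROFILE $_ }
    Get-ChildItem -Path $dirs -Filter '*.vnc.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Store  = 'VNC'
                Entry  = $_.Name
                Target = $_.DirectoryName
                Detail = "modified $($_.LastWriteTime)"
            }
        }
}

function Get-RdpCredentialExposure {
    # cmdkey.exe /list prints Credential Manager targets without showing secrets.
    cmdkey.exe /list | Select-String -Pattern 'target=TERMSRV/(\S+)' | ForEach-Object {
        [pscustomobject]@{
            Store  = 'RDP'
            Entry  = 'TERMSRV'
            Target = $_.Matches[0].Groups[1].Value
            Detail = 'saved in Credential Manager'
        }
    }
}

$findings = @(Get-PuttySessionExposure) + @(Get-VncShortcutExposure) + @(Get-RdpCredentialExposure)
$findings | Sort-Object Store, Target | Format-Table -AutoSize -Wrap
'{0} stored remote-access entries for {1}' -f $findings.Count, $env:USERNAME
```

Every row is a credential that would need rotating if the profile were compromised, and a candidate for removal from the endpoint beforehand.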
It is most likely that the endpoint user will not notice any symptoms of a TrickBot infection. However, a network admin will see changes in traffic or attempts to reach out to blacklisted IPs and domains, since the malware will communicate with TrickBot’s command and control infrastructure to exfiltrate data and receive tasks.
TrickBot gains persistence by creating a Scheduled Task. Moreover, due to the way it uses the SMB vulnerability to spread through a company’s network, any infected machine on the network will re-infect cleaned machines when they rejoin the network.
Therefore, IT teams need to isolate, patch and remediate each infected machine one-by-one. This can be a long and painful process and costly in terms of time and resources. Much like with ransomware attacks, the best protection against a threat like TrickBot is to proactively prevent infection in the first place.
Understand Your Attacker
Most attacks today follow a similar pattern, and understanding this pattern is key to protecting sensitive data and systems from theft and compromise. Regardless of where an attack originates, skilled attackers will end up on the inside. (This applies beyond TrickBot.)
Before they can steal any data, they have to learn the network, locate the data and gain the privileged access necessary to exfiltrate it.
Once inside the network, attackers first look for access to an internal account, preferably one with administrative privileges. They then leverage the compromised privileged account to escalate their privileges in order to gain access to more of the network and move through it more freely. With the necessary privileges, attackers next carry out reconnaissance on the network to determine how to best reach the target. With an attack plan in place, attackers move laterally to get into a better position and further escalate their privileges until they successfully reach the target system – or systems – and begin exfiltrating sensitive data.
The “Traditional” Way to Prevent Infection
As with anything else, there are standard methods for preventing infection by malware like Trickbot. These include:
- Use antivirus programs on clients and servers and automatically update signatures and software.
- Disable all macros, except those that are digitally signed.
- Apply appropriate patches and updates immediately after testing.
- Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
- If you do not have a policy regarding suspicious emails, create one and specify that all suspicious emails should be reported to the security or IT departments.
- Implement Domain-Based Message Authentication, Reporting and Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
- Mark external emails with a banner denoting that they come from an external source. This will assist users in detecting spoofed emails.
- Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, click on links contained in such emails or post sensitive information online, and never to provide usernames, passwords or personal information to any unsolicited request.
- Teach users to hover over a link with their mouse to verify the destination prior to clicking on the link.
Still Got Infected? What’s Next?
Anti-virus software and intrusion detection systems alone can’t fully protect you from infection. This is what you need to do if it’s already too late and you’re infected:
- First, you need to spot the infected machine, which is not as easy as it sounds.
- Then, disconnect the infected machine from the network.
- Patch the machine for MS17-010.
- Disable administrative shares. (The most recent Trickbot variants, after querying the share and getting a list of all connected machines, use C$ with Admin credentials to move around and re-infect all the other endpoints.)
- Find a tool, such as Malwarebytes, that can remove TrickBot.
- Change account credentials. Repeated re-infections are an indication that Trickbot was able to guess or brute force the administrator password successfully. Change all local and domain administrator passwords.
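Two of the points above can be checked on each machine before it rejoins the network: whether administrative shares are still published, and whether a scheduled task of the kind TrickBot uses for persistence is still registered. The script below is an added example, not from the original article; the path pattern used to flag task actions is an assumption of this example, and its hits are leads to review, not confirmed infections.

```powershell
# Added example: post-clean-up checks for one machine. Run from an elevated prompt.
# Needs the SmbShare and ScheduledTasks modules (Windows 8 / Server 2012 or later).

function Get-AdminShareState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p = Get-ItemProperty -Path $key
    # Special shares still published right now; IPC$ remains even when C$/ADMIN$ are off.
    $live = Get-SmbShare -Special $true | Where-Object { $_.Name -ne 'IPC$' }
    [pscustomobject]@{
        # 0 means the default administrative shares are not recreated at service start;
        # an empty value means the setting was never configured (shares enabled).
        AutoShareWks    = $p.AutoShareWks
        AutoShareServer = $p.AutoShareServer
        LiveAdminShares = ($live.Name -join ', ')
    }
}

function Get-SuspectScheduledTask {
    # Assumption of this example: a task that launches a binary from a user-writable
    # tree deserves a look. Legitimate updaters match too, so review each hit.
    $pattern = '\\(AppData|ProgramData|Temp)\\|\\Users\\Public\\'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no path
            $path = [Environment]::ExpandEnvironmentVariables($action.Execute)
            if ($path -match $pattern) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Execute = $path
                    Author  = $task.Author
                    State   = $task.State
                }
            }
        }
    }
}

Get-AdminShareState | Format-List
Get-SuspectScheduledTask | Sort-Object Task | Format-Table -AutoSize -Wrap
```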
What a nightmare…
How to Protect Yourself the Right Way
Since anti-virus software can’t provide complete security, it’s important to have another layer of protection. The principle of least privilege together with credential theft modules can help by providing users with only the minimum level of access required to accomplish their tasks. Limit administrative credentials to designated administrators.
Solutions like the CyberArk Endpoint Privilege Manager can add another layer of protection by proactively preventing credential theft. Endpoint Privilege Manager can protect endpoint credential stores that reside in memory, registry or files and block malware from moving laterally to infect more and more of the system. While using this solution, even if malware bypasses the traditional security protections, critical resources remain protected.