# Trickbot Brief: Creds and Beacons **[thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/](https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/)** May 2, 2021 ----- ### Intro #### “TrickBot malware—first identified in 2016—is a Trojan developed and operated by a sophisticated group of cybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal financial data. Through continued development and new functionality, TrickBot has become a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. Since TrickBot’s inception, the cybercrime group has used the malware to attack individuals and businesses globally across a wide range of sectors.” Source – Fact Sheet: TrickBot Malware Source In an intrusion this past month, threat actors were seen enumerating and collecting information related to the domain as well as dumping passwords before leaving the network. Multiple Cobalt Strike Beacons were deployed and remained connected despite the lack of activity from the threat actors. ### Case Summary #### We assess, with moderate confidence, the Trickbot DLL that we executed was originally delivered via a malicious Office document. The threat actors were observed leveraging Trickbot and Cobalt Strike for C2 communication. They began their discovery by running net and nltest commands as well as PowerView domain discovery modules. Minutes later, Lazagne (“retrieve lots of passwords”) was executed using the “all” switch. A registry value was set to enable storing logon credentials in plaintext in memory (WDigest), likely to facilitate future activity as the host was not restarted for this change to take effect. Before the threat actors departed the network, they successfully accessed the LSASS process and retrieved credentials from memory. No lateral movement or execution on mission was observed. ### Timeline ----- #### Analysis and reporting completed by @kostastsale, @ICSNick, and @RoxpinTeddy. Reviewed by @TheDFIRReport ### MITRE ATT&CK ----- ### Initial Access #### We assess with moderate confidence that this DLL was dropped by a malicious Office document. ### Execution #### Trickbot (click.php.dll) was manually executed on a single endpoint. Source: https://tria.ge/210412-wmdnkzp5la Trickbot, from its injected wermgr process, spawned a command process to then run a PowerShell Cobalt Strike Beacon. Reviewing the above PowerShell code, we can extract the shellcode to discover the IP and User-agent string, the beacon will communicate with. ----- #### Getting the IP and port using scdbg. The threat actor also executed a second Cobalt Strike Beacon (wsuC3C.tmp) using the injected wermgr.exe process. ``` rundll32.exe C:\Users\redacted\AppData\Local\Temp\wsuC3C.tmp,ControlUnitSpeed ### Persistence #### A scheduled task was created to keep the Trickbot malware persistent on the system. ``` ----- ``` C:\Windows\system32\rundll32.exe" "C:\Users\redacted\AppData\Roaming\DownloadMngNet5353711913\xxclickdr.dwn",#1 ### Defense Evasion #### Trickbot injected into wermgr.exe processes and used this for communication to command and control infrastructure. ``` ----- ### Credential Access #### Lazagne was used with the “all” switch, which runs all modules. Below we can see registry hives being saved to disk. LSASS was accessed by rundll32, but we did not see anything written to disk. Trickbot was used to enable the storage of clear text credentials (WDigest) by setting UseLogonCredential to 1. ----- ``` Key - SYSTEM\ControlSet001\Control\SecurityProviders\WDigest Value name - UseLogonCredential Set value data - 1 ### Discovery #### The following net commands were used by the threat actor from the injected Trickbot process. net config workstation net view /all net view /all /domain net group “Domain Computers” /domain The following nltest commands were used by the threat actor from the injected Trickbot process. nltest /domain_trusts nltest /domain_trusts /all_trusts PowerView modules were also used by the threat actor executed from the Cobalt Strike beacons. Get-DomainSearcher Get-NetComputer Get-NetDomain The local network was scanned for port 445/SMB. ``` ----- #### ipconfig was used to show all IP info. ``` ipconfig /all ### Command and Control #### Trickbot gtag: rob52 Cobalt Strike C2 #1 ``` ----- #### 147.135.78[.]200:80 (Our Threat Feed service has known about this Cobalt Strike server since at least 4-4-2021) CS Config: ``` "x64": { "md5": "d963ff232b5b519014cbca17e7e9d512", "sha256": "0f0cf5e9b35012fc51306179ba4c8cfdaa4f60bf293d8140a77a74db548182e5", "sha1": "77430b1da03bf6fee12d12abd810666a7751e3c0", "config": { "HTTP Method Path 2": "/submit.php", "Method 2": "POST", "C2 Server": "147.135.78.200,/cx", "Method 1": "GET", "Polling": 60000, "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "Beacon Type": "0 (HTTP)", "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Jitter": 0, "Port": 80 "x86": { "md5": "ec2fc2b33d60ddc829c9aeabb6ce0bbe", "sha256": "93008b078e8358c948877c7fde261231fc72bcd45143132070761550046701f2", "sha1": "91ea27632c363b821d8f84b8320b1d76f1d91899", "config": { "HTTP Method Path 2": "/submit.php", "Method 2": "POST", "C2 Server": "147.135.78.200,/push", "Method 1": "GET", "Polling": 60000, "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", "Beacon Type": "0 (HTTP)", "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", "Jitter": 0, "Port": 80 Cobalt Strike C2 #2 23.108.57[.]39:443 (Our Threat Feed service has known about this Cobalt Strike server since at least 4-12-2021) wideri[.]com JA3s:ae4edc6faf64d08308082ad26be60767 JA3:a0e9f5d64349fb13191bc781f81f42e1 Certificate:[10:cd:12:74:dc:9d:3d:15:b5:e9:f1:f1:22:e1:ff:65:77:a3:c9:93] Not Before: 2021/04/04 00:00:00 Not After: 2022/04/04 23:59:59 Issuer Org: Sectigo Limited Subject Common: wideri.com Public Algorithm:rsaEncryption JARM:07d14d16d21d21d07c42d41d00041d58c7162162b6a603d3d90a2b76865b53 ``` ----- #### CS Config: ``` "x64": { "time": 1618262029857.8, "config": { "Jitter": 46, "Spawn To x86": "%windir%\\syswow64\\wusa.exe", "Beacon Type": "8 (HTTPS)", "Method 1": "GET", "Method 2": "POST", "C2 Server": "wideri.com,/tab_shop.css", "Spawn To x64": "%windir%\\sysnative\\wusa.exe", "Port": 443, "Polling": 5000, "HTTP Method Path 2": "/language" }, "md5": "249f38615a76d47892fc530102a8a178", "sha256": "91d6230999853424f158fd58bd343c781fd687c71173ee39ed98429181d3cdb4", "sha1": "9b1f5d93af2344529b37055af8e3db0d3867c5bc" "x86": { "time": 1618262025634.5, "config": { "Jitter": 46, "Spawn To x86": "%windir%\\syswow64\\wusa.exe", "Beacon Type": "8 (HTTPS)", "Method 1": "GET", "Method 2": "POST", "C2 Server": "wideri.com,/language.css", "Spawn To x64": "%windir%\\sysnative\\wusa.exe", "Port": 443, "Polling": 5000, "HTTP Method Path 2": "/sq" }, "md5": "46a3380418ce59563c3adfa8f6624d3f", "sha256": "8cf43734e0d187aaad93e950646a883820b20ca2837480c1140e1751cf6557b2", "sha1": "44e19c7f2534226e6774591713fbd659931d2e10" ### Impact #### Aside from the initial compromise on the beachhead host and the stolen credentials, no further impact was observed during this intrusion. No lateral movement or execution on mission was observed. ### IOCs Network #### Cobalt Strike: ``` ----- ``` 147.135.78.200|80 23.108.57.39|443 wideri[.]com http://172.82.179.170/w.dll #### Trickbot: 102.68.17.97|443 103.76.150.14|443 103.9.188.23|449 109.185.139.90|449 138.185.72.142|443 148.216.32.55|443 173.81.4.147|443 182.253.184.130|449 185.205.250.162|443 190.122.168.219|443 196.41.57.46|449 200.90.11.177|449 202.166.211.197|443 31.134.124.90|443 31.211.85.110|443 41.77.134.250|443 5.59.205.32|443 62.213.14.166|443 77.95.93.132|449 78.138.187.231|443 81.95.45.234|449 84.21.206.164|449 85.112.74.178|449 87.116.151.237|449 87.76.1.81|449 89.250.208.42|449 91.185.236.170|449 91.225.231.120|443 96.9.77.142|443 ### File ``` ----- ``` click.php.dll 8c0d352934271350cfe6c00b7587e8dc8d062817 0ae86e5abbc09e96f8c1155556ca6598c22aebd73acbba8d59f2ce702d3115f8 xxclickdr.dwn 8c0d352934271350cfe6c00b7587e8dc8d062817 0ae86e5abbc09e96f8c1155556ca6598c22aebd73acbba8d59f2ce702d3115f8 wsuC3C.tmp b7d9f3e387021bba138dbe3d153fef4e7e2196ad 97dedd5ca85a13ab1a8910416b13ffd088b1c7e3486d6629a71f5c118d56fbea lazagne.exe 75f4115024b5d0818f0696345eef98d92db92118 61deb3a206cc203252418b431f6556e3f7efd9556fc685eeda7281d9baf89851 ## Detections ### Network ET CNC Feodo Tracker Reported CnC Server group 11 ET MALWARE Trickbot Checkin Response ET INFO SUSPICIOUS Dotted Quad Host MZ Response Sigma #### https://github.com/SigmaHQ/sigma/blob/084cd39505861188d9d8f2d5c0f2835e4f750a3f/rule s/windows/process_creation/win_malware_trickbot_recon_activity.yml https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rul es/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_p owershell_enc_cmd.yml ### Yara ``` ----- ``` / YARA Rule Set Author: The DFIR Report Date: 2021-04-27 Identifier: Case 3521 Trickbot Reference: https://thedfirreport.com */ /* Rule Set ----------------------------------------------------------------- */ import "pe" rule click_php { meta: description = "files - file click.php.dll" author = "The DFIR Report" reference = "https://thedfirreport.com" date = "2021-04-27" hash1 = "0ae86e5abbc09e96f8c1155556ca6598c22aebd73acbba8d59f2ce702d3115f8" strings: $s1 = "f_+ (Q" fullword wide $s2 = "'/l~;2m" fullword wide $s3 = "y'L])[" fullword wide $s4 = "1!1I1m1s1" fullword ascii $s5 = "&+B\"wm" fullword wide $s6 = ">jWR=C" fullword wide $s7 = "W!\\R.S" fullword wide $s8 = "r-`4?b6" fullword wide $s9 = "]Iip!x" fullword wide $s10 = "!k{l`<" fullword wide $s11 = "D~C:RA" fullword wide $s12 = "]{T~as" fullword wide $s13 = "7%8+8^8" fullword ascii $s14 = "f]-hKa" fullword wide $s15 = "StartW" fullword ascii /* Goodware String - occured 5 times */ condition: uint16(0) == 0x5a4d and filesize < 1000KB and ( pe.imphash() == "8948fb754b7c37bc4119606e044f204c" and pe.exports("StartW") or 10 of them ) } ## MITRE #### User Execution – T1204 Command and Scripting Interpreter – T1059 PowerShell – T1059.001 Windows Command Shell – T1059.003 Domain Trust Discovery – T1482 Network Service Scanning – T1046 Remote System Discovery – T1018 System Network Configuration Discovery – T1016 System Information Discovery – T1082 ``` ----- #### Process Injection – T1055 Credentials from Web Browsers – T1555.003 OS Credential Dumping – T1003 LSASS Memory – T1003.001 Exfiltration Over C2 Channel – T1041 Non-Standard Port – T1571 Internal case #3521 -----