# TRICKBOT PROJECT “ANCHOR:” WINDOW INTO SOPHISTICATED OPERATION How the Trickbot Group United High-Tech Crimeware & APT Authors: Vitali Kremez, Joshua Platt and Jason Reaves December 2019 SentinelLABS Research Team # TRICKBOT PROJECT “ANCHOR:” ----- ## TABLE OF CONTENTS ##### 3 EXECUTIVE SUMMARY 4 BACKGROUND 5 COMPONENT: ANCHOR INSTALLER 8 COMPONENT: DEINSTALLER 9 COMPONENT: ANCHORBOT 12 COMPONENT: BIN2HEX 13 COMPONENT: PSEXECUTOR 14 ANCHOR PROJECT PAYLOADS 17 SIGNED TERRALOADER 18 POWERSHELL TO METASPLOIT 20 POWERRATANKBA, THE APT NEXUS 21 MEMSCRAPER, THE FIN NEXUS 30 MITIGATION & RECOMMENDATIONS 31 INDICATORS OF COMPROMISE 31 REFERENCES 32 ABOUT SENTINELLABS ----- ## EXECUTIVE SUMMARY - TrickBot was developed in 2016 as a banking malware, however, since then it has developed into something essentially different — a flexible, universal, module-based crimeware solution. - A group associated with TrickBot is actively repurposing and refactoring TrickBot into a fully functional attack framework leveraging the project called “Anchor.” - The Anchor project combines a collection of tools - from the initial installation tool to the cleanup meant to scrub the existence of malware on the victim machine. In other words, Anchor presents as an all-in-one attack framework designed to attack enterprise environments using both custom and existing toolage. - The Anchor project is a complex and concealed tool for targeted data extraction from secure environments and long-term persistency. - Our research revealed command-and-control tasking for a compromised machine to download a specific tool linked to the Lazarus PowerRatankba - It is leveraged to actively attack medium-sized retail businesses amongst other corporate entities using point-of-sale (POS) systems. ##### S e n t i n e l L a b s Te a m ----- #### BACKGROUND TrickBot was developed in 2016 as a banking malware, however, since then it has developed into something essentially different — a flexible, universal, module-based crimeware solution. TrickBot was initially the banking successor of Dyre or Dyreza [1,2]. TrickBot has shifted focus to enterprise environments over the years to incorporate many features from network profiling, mass data collection, and incorporation of lateral traversal exploits. With this focus shift comes massive amounts of infection data; therefore, it makes sense to best utilize this data. You would naturally have some infections they care about which are handed off to other teams to perform other operations such as ransomware, data theft and in the case of the Anchor group, leveraged POS attacks. Recently a security company NTT [9] released an article reporting on a variant of TrickBot using DNS. This variant is referred to as the ‘Anchor’ variant, and this post aims to delve into the history and conduct a deeper dive into this variant. Anchor can be best summarized as a framework of pieces; these pieces allow the actors to leverage this framework against their higher profile victims. Some of these may look familiar to the TrickBot spreader package ‘tabDLL’ analysis before [3,4,5] as the project appears to be the same. Therefore, it appears as if the same developer is involved in both TrickBot and Anchor development to some extent. For the purposes of this report, we will go over the toolkits and components we believe to be directly associated with Anchor and its later payload deliveries: - anchorInstaller - anchorDeInstaller - AnchorBot - Bin2hex - psExecutor - memoryScraper ----- Some of the pieces we have found for this framework can be seen below in the form of PDB paths. - `D:\MyProjects\secondWork\Anchor\x64\Release\bin2hex.pdb` - `D:\MyProjects\mailCollection\x64\Release\mailCollector.pdb` - `D:\MyProjects\spreader\Release\ssExecutor_x86.pdb` - `D:\MyProjects\spreader\Release\screenLocker_x64.pdb` - `D:\MyProjects\secondWork\Anchor\Win32\Release\anchorDeInstaller_` ``` x86.pdb ``` - `D:\MyProjects\memoryScraper\Win32\Release\memoryScraper\` ``` memoryScraper$.pdb ``` - `D:\MyProjects\secondWork\Anchor\Win32\Release\anchorInstaller_` ``` x86.pdb ``` - `D:\MyProjects\spreader.v2\ssWriter\Release\ssWriter.pdb` - D:\MyProjects\secondWork\psExecutor\Release\psExecutor_x86.pdb - `D:\MyProjects\mailCollection\Release\sqlFinder.pdb` - `D:\MyProjects\mailCollection\x64\Release\mailFinder_x64.pdb` - `D:\MyProjects\secondWork\Anchor\x64\Release\testAnchor.pdb` - `d:\MyProjects\spreader.v2\REXE\tin_x86.pdb` #### COMPONENT: ANCHOR INSTALLER The first sample of Anchor installer available on VirusTotal was uploaded on July 2018. Figure 1: In-The-Wild download location ----- installer component, and that is basically how they are setup. They have both a 32-bit and a 64-bit versions on board. Figure 3: Installer can write 64-bit or 32 bit bot. Figure 2: PDB and strings This is the Anchor loader, but it appears to have been built as a test version. These loaders are the ----- They write the file to disk using ‘net’ as a prefix with random characters behind it. Figure 4: Installer generates a random name with net prefix. Then add it in as a service to be executed using a hardcoded service name of ‘netTcpSvc’. Figure 5: Installer hardcoded service name ----- After installing the file, the installer component deletes itself. Figure 6: Installer deletes itself ### COMPONENT: DEINSTALLER Along with an AnchorInstaller, there is also a DeInstaller which is designed to delete the artifacts of the infection and perform a cleanup. The reason this is illuiminating will stand out once we go over the payloads that have been seen delivered to Anchor infections. ----- ### COMPONENT: ANCHORBOT The bot code looks partuclarly similar to what you would expect to see with an early version of TrickBot or Dyre. Figure 7: Noticeable bot strings The checkin and botid generation are similar, but the version used is hardcoded as “1001”. Figure 8: Bot URI generation ----- Figure 09: Bot generating botId ----- A noticeable difference is its use of C2 domains with OpenNIC resolvers. Figure 10: Hardcoded C2 domain loaded Figure 11: C2 domain resolved using OpenNIC resolvers ----- code, ASM code, hexlified text, BMP insertion. Figure 12: Bin2hex parameters help message Figure 13: Bin2hex C code output example #### COMPONENT: BIN2HEX This program is a command line utility for manipulating a binary file into various forms including C code, ASM code, hexlified text, BMP insertion. ----- #### COMPONENT: PSEXECUTOR A binary designed to detonate a command, judging by the name and some of the recovered examples, this is predominantly designed to detonate PowerShell commands. Figure 14 : PsExecutor cmd.exe overview Figure 15: PsExecutor powershell command This is an executable that would allow the actor to execute any PowerShell command you would want on the system. PowerShell is something these actors tend to favor as well, using all sorts of custom loaders and available frameworks for further profiling systems including Meterpreter, CobaltStrike and PowerShell Empire. ----- #### ANCHOR PROJECT PAYLOADS The payloads pushed down to the bots are frequently Meterpreter, PowerShell Empire and CobaltStrike. These payloads are delivered using a mix of custom utilities like loaders with existing tools and scripts, which appears to be an effective strategy for these actors. Meterpreter Loader: The crypter layer on this loader had a notable string calling itself “RuntimeCrypter”. Figure 16: RuntimeCrypter string The main block of code inside also utilized some function calls not normally seen. Figure 17: Start of main code block ----- Ultimately, this crypter layer is designed to XOR-decode the next layer, load it into memory and then detonate it. Figure 18: XOR-decoding shellcode ----- The next layer turns out to be 64-bit Metasploit code for downloading Meterpreter. Figure 19: Receiving payload in Metasploit shellcode Figure 20: Metasploit loader shellcode RC4 decrypting payload ----- Here, we saw it being used to deliver another Metasploit stager in ApacheBench tool. The Terraloader component has the normal string encoding you would see where it bruteforces the key out using known data. It is also a newer version that uses RC4 versus AES to decode the file to be delivered. Figure 21: Loader string decryption After decrypting the file we are left with an ApacheBench executable that’s been hollowed out with Metasploit loader shellcode, which in turn performs the same flow as the previously discussed one of TCP connection -> XOR-encoded length and RC4 encrypted payload to be detonated. #### SIGNED TERRALOADER Terraloader is frequently seen utilized by CobaltGroup but has also been sold to other actor groups. Here, we saw it being used to deliver another Metasploit stager in ApacheBench tool. ----- The script turns out to be a simple download and execute PowerShell script: The executed DLL allocates a chunk of memory and copies over some #### POWERSHELL TO METASPLOIT Command to bot: data into it: ----- That data is then passed to a function along with some hardcoded strings: Figure 23: Call to function to decrypt data This function turns out to be AES, and the previously mentioned strings are the AES key and initialization vector. Figure 24: AES snippet After being decoded, the chunk of data is once again a Metasploit shellcode loader chain with RC4 decryption of the download from the C2. ----- #### POWERRATANKBA, THE APT NEXUS PowerRatankba? What does a tool linked to Lazarus have any business doing in a report on TrickBot? A good question that can not be answered without all the previously mentioned material in this report. First off, what has been covered thus far? “Anchor” has a bunch of functionality split across various pieces in the form of a framework; this framework seems to be primarily focused as an all-in-one attack framework designed to attack enterprise environments using both custom and existing toolage; this framework also includes components that are designed for uninstalling itself and removing forensic evidence that could indicate it had been on the system. These are major revelations because the last part in certain environments could confuse incident response teams when it comes time to explain attribution. Below is a recovered command-and-control tasking for a compromised machine to download a specific file issued to an infected machine we identified based on our external Anchor group tracking: This domain is extremely particular because it was linked to the Chilean Redbanc Intrusion, which was attributed to Lazarus [7]. Figure 25: GitHub data related to Lazarus attack So suddenly we are left with a number of questions: is Lazarus using TrickBot infections or is this simply a case of mistaken identity? Hopefully, this report will raise enough questions to get those answers some day. ----- #### MEMSCRAPER, THE FIN NEXUS The Memscraper payload is this group’s POS focused payload. It shares some similarities with Anchor bot in that they both can use OpenNIC resolvers with EmerDNS domains; they both have an ‘installer’ component, and also share the code used to generate the random filenames for writing to disk is the same. Figure 26: Memscraper C2 domain on EmerDNS Figure 27: Memscraper and Anchor installer drop name generation comparison ----- This POS malware is exactly what it sounds like as it is designed to scrape memory of processes looking for credit card data which will then be exfiltrated back to the C2 panel. It comes with an onboard whitelist of substrings that it will utilize when enumerating the process tree for the following processes: - teller - shop - store - retail - macros - pos - processing - proc - kiosk - opss - directorr - info - reception - kassa - opos - chef - verifon - infor Figure 28: Memscraper process tree enumeration ----- As you can see in the above screenshot, a check has also been placed to blacklist Skype. After finding a good process, the memory will then be read using VirtualQueryEx and ReadProcessMemory before being enumerated for possible track data. Figure 29: Memscraper hunting for possible card data in memory After finding potential card data, the memory will be passed off to a function that will perform luhn checking to verify the card number before being POSTed up to the C2. Figure 30: Memscraper magnetic cards ----- Figure 31: Memscraper building URL For HTTP based exfiltration, the data post matches exactly what you would see with a normal TrickBot module exfiltration of data, but the “source” is called “magnetic cards” in the POST. We can do a quick comparison with a picture from another researcher’s PCAP [6], which shows “os passwords” being POSTed up to a TrickBot C2. Figure 32: TrickBot module data post ----- For Memscraper data, you would have the card track data in the “data” section and in “source” would be “magnetic cards” with “User-Agent: WinHTTP sender/1.0” --1b36dac2-17f9-440a-80f4-e2049e83484b Content-Disposition: form-data; name="data" --1b36dac2-17f9-440a-80f4-e2049e83484b Content-Disposition: form-data; name="source" magnetic cards --1b36dac2-17f9-440a-80f4-e2049e83484b- HTTP exfiltration, however, is not the only trick in Memscrapers book. Similar to the previously mentioned blog on Anchor having a DNS variant, it turns out Memscraper also has a DNS variant. The process enumeration and threads are all the same for the DNS variant with the obvious biggest difference being the DNS based exfiltration of data. The thread responsible for scraping memory builds the data into a report structure. Figure 33: Memscraper DNS report structure ----- Before then retrieving a hardcoded filename to store the data in. Figure 34: Memscraper DNS variant hardcoded filename ----- The data will be XOR-encoded using an onboard table before being written to the file. Figure 35: Memscraper DNS variant writing data to file This file is monitored by another thread in the process that will read in the data, XOR-decode it, and then process it to be shipped off. The domain that will be used is hardcoded: Figure 36: Memscraper DNS variant hardcoded domain name Then the subdomain is built using some hardcod characters, random bytes, a built-in UUID and the previous report data XOR-encoded with 0xAA. ----- Figure 37: Memscraper DNS building domain for exfiltration ----- Periods are added, and it confirms to proper specifications for the labels. Figure 38: Memscraper DNS variant creating proper length labels Then the request is made and the data is exfiltrated. Figure 39: Memscraper DNS variant sending off DNS request ----- #### MITIGATION & RECOMMENDATIONS Anchor: Service netTcpSvc Yara Signature: ``` rule crime_win32_memscraper_1 { meta: description = "Detects Anchor MemScraper malware" author = "Jason Reaves" strings: $s1 = {74656c6c6572000073686f700000000073746f7265000000} condition: any of them } rule crime_win32_anchor_trick_1 { meta: description = "Detects Anchor malware" author = "Jason Reaves" strings: $s1 = "D:\\Win32.ogw0rm" nocase $s2 = "MyProjects\\memoryScraper" nocase $s3 = "\\MyProjects\\secondWork\\Anchor" nocase $s4 = "\\MyProjects\\secondWork\\psExecutor" nocase $s5 = "\\MyProjects\\mailCollection" nocase $s6 = "\\MyProjects\\spreader" nocase condition: any of them } ``` ----- #### INDICATORS OF COMPROMISE Memscraper: e54a267e788cc076c870eba0ff16920f9cb49207a034a8b6bfd92abc5a5f7434 d584e868f867c6251e115b7909559da784f25b778192c6a24e49685f80257e4d Memscraper DNS variant: 354936f4265a5e870374a3fe9378cf9a3e7dd45ee4626b971d6b7b0837f4f181 54257aa2394ef87dd510da00e0583b670f3eb43e2eef86be4db69c3432e99abd Anchor Deinstaller: b288c3b3f5886b1cd7b6600df2b8046f2c0fd17360fb188ecfbcc8f6b7e552a5 Anchor Installer: 52a1ca4e65a99f997db0314add8c3b84c6f257844eda73ae6e5debce6abc2bd4 Anchor Bot: 6500190bf8253c015700eb071416cbe33a1c8f3b84aeb28b7118a6abe96005e3 Anchor DNS variant: 6b1759936993f02df80b330d11c1b12accd53a80b6207cd1defc555e6e4bf57 b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329 c6d466600371ced9d962594474a4b8b0ccff19adc59dbd2027c10d930afbe282 e49e6f0b194ff7c83ec02b3c2efc 9e746a4b2ba74607a4aad8fbdcdc66baa8dc #### REFERENCES [1: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/](https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/) [2: https://www.fidelissecurity.com/threatgeek/archive/trickbot-we-missed-you-dyre/](https://www.fidelissecurity.com/threatgeek/archive/trickbot-we-missed-you-dyre/) [3: https://sysopfb.github.io/malware/2018/11/30/TrickBot-worming.html](https://sysopfb.github.io/malware/2018/11/30/TrickBot-worming.html) [4: http://reversingminds-blog.logdown.com/posts/7803327-how-different-malware-families-](http://reversingminds-blog.logdown.com/posts/7803327-how-different-malware-families-uses-eternalblue-part-1) [uses-eternalblue-part-1](http://reversingminds-blog.logdown.com/posts/7803327-how-different-malware-families-uses-eternalblue-part-1) [5: https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-gets-](https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-gets-screenlocker-component/) [screenlocker-component/](https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-gets-screenlocker-component/) [6: http://malware-traffic-analysis.net/2018/05/25/index2.html](http://malware-traffic-analysis.net/2018/05/25/index2.html) [7: https://norfolkinfosec.com/recent-lazarus-tools/](https://norfolkinfosec.com/recent-lazarus-tools/) [8: https://github.com/k-vitali/apt_lazarus_toolkits/blob/master/2019-01-26-lazarus-](https://github.com/k-vitali/apt_lazarus_toolkits/blob/master/2019-01-26-lazarus-toolkits-pakistan.vk.csv) [toolkits-pakistan.vk.csv](https://github.com/k-vitali/apt_lazarus_toolkits/blob/master/2019-01-26-lazarus-toolkits-pakistan.vk.csv) [9: https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-](https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns) [communicating-over-dns](https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns) ----- ## ABOUT SENTINELLABS The missing link in infosec today is not about alerts - it’s about the context of those alerts. What, When, Where, Why, How and most importantly - Who. SentinelLabs came to life to solve the gap security practitioners have between autonomously protecting their enterprise assets and understanding the significance and story of alerts. Unlike other threat intelligence solutions, SentinelLabs does not focus on sharing what is already public knowledge. We focus on new findings that can assist enterprises in staying protected from adversaries. We cover both cybercrime and APT (nation-state) while having a voice in the larger community of threat hunters who are passionate about a world that is safer for all. In addition to Microsoft operating systems, we also provide coverage [and guidance on the evolving landscape that lives on Apple and macOS devices. https://labs.sentinelone.com/](https://labs.sentinelone.com/) -----