# Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module

**[vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html](http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html)**

**Goal: Reverse the latest Trickbot’s module called “DomainGabber," also known as**
"domainDll32," used for LDAP harvesting of domain controller configuration.

**Source:**

[domainDll32 (encoded) (cec42d8ef68aae0a5da8230db75d91fd)](https://www.virustotal.com/#/file/0e2d00a8b926f6a37c56f8f959b7f4b84d259b4bd2eaa49bc7af00c286a2704d/details)
[domainDll32 (decoded) (1e2791877da02d49998dea79515a89ca)](https://www.virustotal.com/#/file/3e3d82ea4764b117b71119e7c2eecf46b7c2126617eafccdfc6e96e13da973b1/details)
[Trickbot loader (b4d342dc89bc16a1acccd40204064830)](https://www.virustotal.com/en/file/91199f80c3aaeea9e0740baba70cf2eb9702394f41f9bb0611715f33d6576bc5/analysis/1513627309/)

[looks like anew #trickbot . Don't know distribution method.](https://twitter.com/hashtag/trickbot?src=hash&ref_src=twsrc%5Etfw)
hxxp://sumnercapital.com[.]au/ser1812.png not doing much in sandboxes.
[https://t.co/hDrMFerQqU](https://t.co/hDrMFerQqU) [https://t.co/WUhfRXk5Xf](https://t.co/WUhfRXk5Xf) [https://t.co/6YGQ6L7dhn](https://t.co/6YGQ6L7dhn)
[@VK_Intel](https://twitter.com/VK_Intel?ref_src=twsrc%5Etfw) [@James_inthe_box](https://twitter.com/James_inthe_box?ref_src=twsrc%5Etfw) [@malware_traffic](https://twitter.com/malware_traffic?ref_src=twsrc%5Etfw) [@iCyberFighter](https://twitter.com/iCyberFighter?ref_src=twsrc%5Etfw)
[— My Online Security (@dvk01uk) December 18, 2017](https://twitter.com/dvk01uk/status/942852069127589888?ref_src=twsrc%5Etfw)

**Background**
While analyzing one of the latest Trickbot group tag “ser1812/tt0002” (version 1000105[1000106) loaders shared by @dvk01uk found an interesting a Trickbot module titled](https://twitter.com/dvk01uk)
“domainDll” module. (Tip: the "tt0002" group tag is known as a "Trick Test" tag; it is
oftentimes deployed to update the existing config on the victim machine.)
Trickbot "DomainGrabber" outline:

I. Lightweight Directory Access Protocol (LDAP) query for domain controllers

II. Connection to "SYSVOL" domain controller

III. Harvesting domain controller XML configuration


-----

As usual, the decoded module contains four Trickbot exported functions:
Start
Control
FreeBuffer
Release
The observed Trickbot main config module was as follows (version 1000106):
<mcconf>
<ver>1000106</ver>
<gtag>tt0002</gtag>
<servs>
<srv>200.111.97[.]235:449</srv>
<srv>177.250.126[.]51:449</srv>
<srv>94.250.253[.]142:443</srv>
<srv>82.146.48[.]44:443</srv>
<srv>80.87.199[.]190:443</srv>
<srv>82.146.49[.]135:443</srv>
<srv>82.146.48[.]187:443</srv>
<srv>37.46.133[.]10:443</srv>
<srv>92.53.91[.]15:443</srv>
<srv>188.120.243[.]242:443</srv>
<srv>92.53.66[.]177:443</srv>


-----

<srv>92.53.78[.]228:443</srv>
<srv>92.53.66[.]162:443</srv>
<srv>82.146.48[.]243:443</srv>
<srv>37.46.131[.]45:443</srv>
<srv>78.24.218[.]168:443</srv>
<srv>37.46.133[.]14:443</srv>
<srv>62.109.17[.]228:443</srv>
<srv>82.146.61[.]103:443</srv>
<srv>82.146.61[.]140:443</srv>
<srv>82.146.61[.]247:443</srv>
<srv>92.63.96[.]24:443</srv>
<srv>194.87.232[.]167:443</srv>
<srv>185.158.114[.]164:443</srv>
<srv>37.230.112[.]104:443</srv>
<srv>194.87.103[.]83:443</srv>
<srv>92.53.91[.]113:443</srv>
<srv>37.230.113[.]100:443</srv>
<srv>95.213.195[.]221:443</srv>
<srv>37.230.113[.]118:443</srv>
<srv>194.87.238[.]4:443</srv>
<srv>194.87.98[.]166:443</srv>
<srv>195.2.253[.]125:443</srv>
<srv>94.250.248[.]168:443</srv>
<srv>179.43.160[.]53:443</srv>
<srv>37.46.133[.]251:443</srv>
<srv>194.87.144[.]222:443</srv>
</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo" />
<module name="injectDll" />
</autorun>
</mcconf>
**Summary**
"domainDll32," compiled via 'GCC: (Rev1, Built by MSYS2 project) 7.2.0,' allows Trickbot
operators to collect domain controller information once they are already on the compromised
machine. This module is internally called "DomainGrabber" and accepts command
"getdata" in order to start harvest domain information. domainDll appears to be aimed at
exploiting networks with unsecured domain controllers.
More specifically, this module targets "SYSVOL" for domain configuration information data.
According to [Microsoft, "SYSVOL is simply a folder which resides on each and every domain](https://social.technet.microsoft.com/wiki/contents/articles/24160.active-directory-back-to-basics-sysvol.aspx)
_controller within the domain. It contains the domains public files that need to be accessed by_
_clients and kept synchronised between domain controllers. The default location for the_


-----

_SYSVOL is C:\Windows\SYSVOL although it can be moved to another location during the_
_promotion of a domain controller. It’s possible but not recommended to relocate the SYSVOL_
_after_ _[DC promotion as there is potential for error. The SYSVOL folder can be accessed](http://social.technet.microsoft.com/wiki/contents/articles/16757.active-directory-glossary.aspx#DC)_
_through its share \\domainname.com\sysvol or the local share name on the_
_server \\servername\sysvol."_

What is more, SYSVOL stores various logon scripts, group policy and domain configuration
XML data that is synchronized among all domain controllers in the network. Essentially,
Trickbot grabs credential and group policy information stored in SYSVOL as follows:
groups.xml
services.xml
scheduledtasks.xml
datasources.xml
printers.xml
drives.xml

[Sean Metcalf has an interesting write-up on how LDAP can be exploited for credential and](https://adsecurity.org/?p=2362)
information harvesting highlighting this similar approach leveraged by the Trickbot gang.

Have you scanned the SYSVOL share on your DCs for Group Policy Preference
passwords recently?

[Hint: attackers havehttps://t.co/wGiESxYnOx](https://t.co/wGiESxYnOx) [pic.twitter.com/xf8G2y8L0C](https://t.co/xf8G2y8L0C)
[— Sean Metcalf (@PyroTek3) May 30, 2017](https://twitter.com/PyroTek3/status/869559165747945472?ref_src=twsrc%5Etfw)

I. This Trickbot module was programmed leveraging Active Directory Service Interfaces
(ADSI) APIs to query LDAP.


-----

**IIDFromString "{001677D0-FD16-11CE-ABC4-02608C9E7553}**
IID_IADsContainer is defined as 001677D0-FD16-11CE-ABC4-02608C9E7553
**ads_open = ADsOpenObject("G", 0, 0, 1u, &iid, &v11);**
DsOpenObject function binds to an ADSI object using explicit user name and password
starting with the letter "G"
**IIDFromString(L"{00020404-0000-0000-C000-000000000046}", &iid);**
The GUID associated with the IEnumVARIANT interface
**IIDFromString(L"{109BA8EC-92F0-11D0-A790-00C04FD8D5A8}", &iid);**
-IID_IDirectorySearch is defined as 109BA8EC-92F0-11D0-A790-00C04FD8D5A8
The module queries all domain controllers as follows:
(&(objectCategory=computer)

(userAccountControl:1.2.840.113556.1.4.803:=8192))
II. Trickbot connects to domain controller and queries SYSVOL leveraging parsing the
aforementioned LDAP query.


-----

The relevant pseudocoded C++ function is as follows:
str_func((int)&name, 260, "%ls", *(_DWORD *)(v6 + 8));
v26 = gethostbyname(&name);
if ( v26 )
{
v25 = (struct in_addr *)*v26->h_addr_list;
v2 = inet_ntoa(*v25);
MultiByteToWideChar(0, 1u, v2, -1, &WideCharStr, 32);
v30 = DsRoleGetPrimaryDomainInformation(0, DsRolePrimaryDomainInfoBasic,
&Buffer);
if ( v30 )
return v21;
snwprintf_s(&DstBuf, 260u, 260u, L"\\\\%ls\\SYSVOL\\%ls", &WideCharStr, *
((_DWORD *)Buffer + 3));
memset(&Dst, 0, 0x20u);
lpName = &DstBuf;
v30 = WNetAddConnection2W((LPNETRESOURCEW)&Dst, 0, 0, 0);
if ( !v30 )
{
finder_files((int)&DstBuf);
WNetCancelConnection2W(lpName, 0, 0);
III. Finally, Trickbot queries stored domain controller for sensitive XML configurations such as
scheduledtasks.xml, datasources.xml printers.xml, and etc.


-----

Some of the mitigations against LDAP exploitation are well-documented in Metcalf's article
listed above. As a general rule of thumb, such configuration files should be secured from any
unauthorized access in SYSVOL, and access to them should be monitored.


-----