# Detecting Trickbot with Splunk

**splunk.com/en_us/blog/security/detecting-trickbots.html**

July 21, 2021

By [Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)

The Splunk Threat Research Team has assessed several samples of [Trickbot, a popular crimeware carrier](https://www.cisecurity.org/blog/trickbot-not-your-average-hat-trick-a-malware-with-multiple-hats/) that allows malicious actors to deliver multiple types of payloads. These samples have been found in use during recent campaigns, and the team has identified the presence of specific tools designed to inject malicious code into victims' browsers, known as Web Injects. Web Injects work as custom elements that allow attackers to perform operations on top of the victim's web session while appearing legitimate. We also took a look at several modules, [including LDAP querying capabilities and Cobalt Strike delivery, which has been observed in](https://www.zdnet.com/article/solarwinds-hack-analysis-reveals-56-boost-in-command-server-footprint/) recent campaigns.

[Trickbot is said to be related to the Zeus and Dyre crimeware and has been active since](https://www.cisecurity.org/blog/trickbot-not-your-average-hat-trick-a-malware-with-multiple-hats/) 2016. Trickbot has been used in multiple campaigns targeting financial services and other verticals; due to its versatile nature, it has recently also been observed targeting single users via [traffic infringement phishing](https://us-cert.cisa.gov/ncas/alerts/aa21-076a).

Trickbot is attributed to the following actors, according to [CISA](https://us-cert.cisa.gov/sites/default/files/publications/TrickBot_Fact_Sheet_508.pdf):

- [Wizard Spider (CrowdStrike)](https://www.crowdstrike.com/blog/wizard-spider-adversary-update/)
- [UNC1878 (FireEye)](https://malpedia.caad.fkie.fraunhofer.de/actor/unc1878)
- [Gold Blackburn (SecureWorks)](https://www.secureworks.com/research/threat-profiles/gold-blackburn)

The web injects are post-exploitation code artifacts delivered and executed via trickbot. They are specifically designed for targeted sites (financial institutions, cryptocurrency exchanges, telco service providers). The samples analyzed by the Splunk Threat Research Team include major U.S. financial institutions, telecom organizations and cryptocurrency exchanges, among others. Although web injects are not new, they are very difficult to detect, and they usually defeat most available defenses — PINs, CAPTCHA and even two-factor authentication applications.

The web inject code is delivered post-compromise via trickbot. Trickbot crimeware is delivered by multiple methods, from direct malicious links and infected documents to direct exploitation of internet-exposed hosts or lateral movement; Trickbot malware possesses several functions and features that allow the use of different exploitation methods and post-exploitation payloads. The following graphic is an example of an infected document:

This Excel document will download and load a malicious trickbot .dll using the rundll32 Windows application, as seen in the next graphic. The macro is written in a hidden xls sheet in white font, so as to be invisible to the user.

Once this document is executed on a vulnerable host, it proceeds to execute the loader and contact Command and Control servers. It injects its code into the "wermgr.exe" process to carry out its malicious routine. Below is a snippet of procmon CSV logs during the trickbot execution.
Notice that the wermgr.exe process was created by the same rundll32 process that loads the trickbot malware (in this case 1.dll).

By decoding the large encoded string in the trickbot dll loader after unpacking it in memory, we can see a list of web services that trickbot uses to look up the IP address of the infected machine.

Throughout the infection process, Trickbot will also establish persistence. This is done via the creation of a scheduled task.

We also analyzed a trickbot module identified as wormDll64.dll. This module allows trickbot to move laterally and collect LDAP information from compromised networks. The function below enumerates all servers visible in the Windows Active Directory domain network; it also checks whether the infected machine is part of a workgroup.

Trickbot also uses the EternalBlue exploitation code. [CVE-2017-0144](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0144) is a vulnerability that allows remote code execution on machines with vulnerable SMB versions. Other modules from the analyzed trickbot samples — such as systeminfo64.dll, sharedll64.dll, psinf64.dll, and networkdll64.dll — include full system enumeration, LDAP query, and share enumeration, which allows trickbot to copy itself to other systems and shared folders and to download further payloads.

## Web Injects

As stated previously in this blog, Web Injects are not new. However, they are a very powerful crime tool and very difficult to detect. Web Injects can bypass most current defenses, including 2FA tools. Before a Web Inject can execute, the client must first be compromised (via any of the several delivery methods described above) and infected with trickbot, and the Web Inject file must be in place. The inject is then triggered when the victim browses one of the specific websites listed in the Web Inject config file.
Trickbot then proceeds to exfiltrate data and execute operations on top of the victim's session to perform fraudulent operations, such as transferring money from accounts to foreign institutions. It is important to understand that the pages the victim is visiting look exactly like any other standard banking session, but in the background the injected code allows attackers to perform different types of operations. In some cases, for example, the Web Inject code keeps the account balance at its initial amount in the user's view, even though in the background money has already been transferred to a different account, usually at a foreign financial institution in a country where cybersecurity laws are very lax or where there is even complicity from the destination country's regime.

## Injdll64.dll Web Inject Payload

This module consists of web injects targeting several banking sites. It creates a named pipe `\\.\pipe\pidplacesomepipe`, where "PID" is replaced with the actual target process ID at runtime, which is sometimes four characters (e.g., `\\.\pipe\1844lacesomepipe`). The payload32.dll (a .dll created during the infection process in this sample) is a payload that will be decompressed and injected into the browser session through a reflective DLL injection technique to carry out its main task as a banking trojan.

The following is a snippet snapshot of decrypted trickbot config samples. As seen in the researched code, the Web Injects principally target login sites of several financial institutions, cryptocurrency exchanges and telco service providers. In some instances, the targeted URI indicates the targeting of balances, transfers and account settings. Such sections usually contain the elements necessary to make deposits, send transfers or change account settings, such as authentication or private information of account holders.
## Detections

[The Splunk Threat Research Team has developed a Trickbot analytic story to address this](https://docs.splunk.com/Documentation/ESSOC/3.23.0/stories/UseCase#Trickbot) threat. This story is composed of the following searches:

| Detection | Techniques | Tactic(s) | Notes |
|---|---|---|---|
| [Office Application Spawn rundll32 Process](https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_application_spawn_rundll32_process.yml) (new) | [T1566.001](https://attack.mitre.org/techniques/T1566/001/) | Initial Access | Detects Run Dynamic Link Library 32 child process via Microsoft Office App |
| Detect Wermgr Process Connecting to Check IP Services (new) | [T1590.005](https://attack.mitre.org/techniques/T1590/005/) | Reconnaissance | Detects the use of Windows Error Manager executable to elicit a connection to an external service to determine the victim's external IP address |
| [Wermgr Process Create Executable File](https://github.com/splunk/security_content/blob/develop/detections/endpoint/wermgr_process_create_executable_file.yml) (new) | [T1027](https://attack.mitre.org/techniques/T1027/) | Defense Evasion | Detects the use of Windows Error Manager that creates executable files |
| [Wermgr Process Spawned CMD Or Powershell Process](https://github.com/splunk/security_content/blob/develop/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml) (new) | [T1059](https://attack.mitre.org/techniques/T1059/) | Execution | Detects the use of Windows Error Manager to spawn a terminal session or Powershell Process |
| [Schedule Task With Rundll32 Command Trigger](https://github.com/splunk/security_content/blob/develop/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml) (new) | [T1053](https://attack.mitre.org/techniques/T1053/) | Execution, Persistence, Privilege Escalation | Detects the creation of a scheduled task where rundll32.exe is used to execute or spawn another process |
| [Powershell Remote Thread To Known Windows Process](https://github.com/splunk/security_content/blob/develop/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml) (new) | [T1055](https://attack.mitre.org/techniques/T1055/) | Defense Evasion, Privilege Escalation | Detects PowerShell process injection in some known windows processes |
| Write Executable in SMB Share (new) | [T1021.002](https://attack.mitre.org/techniques/T1021/002/) | Lateral Movement | Detects the creation of an executable targeting SMB Share |
| Trickbot Named Pipe (new) | [T1055](https://attack.mitre.org/techniques/T1055/) | Defense Evasion, Privilege Escalation | Detects the creation of a Named Pipe or inter-process communication associated with the execution of Trickbot |
| Plain HTTP POST Exfiltrated Data (new) | [T1048.003](https://attack.mitre.org/techniques/T1048/003/) | Exfiltration | Detects the use of the HTTP POST method to exfiltrate data |
| Account Discovery With Net App (new) | [T1087.002](https://attack.mitre.org/techniques/T1087/002/) | Discovery | Detects the use of a series of net commands for account discovery on the infected machine |
| Suspicious Rundll32 Startw (Existing) | [T1218.011](https://attack.mitre.org/techniques/T1218/011/) | Defense Evasion | Detects Rundll32 with "StartW" parameter |
| [Office Document Executing Macro Code](https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_document_executing_macro_code.yml) (Existing) | [T1566.001](https://attack.mitre.org/techniques/T1566/001/) | Initial Access | Detects MS Office that execute macro code |
| Cobalt Strike Named Pipes (Existing) | [T1055](https://attack.mitre.org/techniques/T1055/) | Defense Evasion, Privilege Escalation | Detects Common Cobalt Strike named pipes |
| Suspicious Rundll32 Dllregisterserver (Existing) | [T1218.011](https://attack.mitre.org/techniques/T1218/011/) | Defense Evasion | Detects Rundll32 with "dllregisterserver" parameter |
| Attempt to Stop Security Service (Existing) | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | Detects Security Service terminations |

## Hashes

| File name | Sha256 |
|---|---|
| Injdll64.dll | [5c9f626665a5f6e91599df85f3a1ae07258b9c3b8fc72eff56082ce9cb2c4394](https://www.virustotal.com/gui/file/5c9f626665a5f6e91599df85f3a1ae07258b9c3b8fc72eff56082ce9cb2c4394/detection) |
| wormDll64.dll | [74e9d233177ca996df3eeda88af9ff2d7f87bace0726b0516ecf3be7dcb59f71](https://www.virustotal.com/gui/file/74e9d233177ca996df3eeda88af9ff2d7f87bace0726b0516ecf3be7dcb59f71/detection) |
| Trickbot loader | [01b6ab63f7078d952ed1a18850ac202bc201aa6210592c108a2e0a4d16f06fc5](https://www.virustotal.com/gui/file/01b6ab63f7078d952ed1a18850ac202bc201aa6210592c108a2e0a4d16f06fc5/detection) |
| XLSM Macro | [ed03ded8aabe6685d536c26d55e9685a05e6e148c4c5b56b73faa5d81c9c083a](https://www.virustotal.com/gui/file/ed03ded8aabe6685d536c26d55e9685a05e6e148c4c5b56b73faa5d81c9c083a/details) |

The aforementioned current and new detections should help address this threat, Trickbot being one of the main ransomware carriers. Ongoing campaigns are not only a threat to companies' operations; recent incidents reveal that [ransomware has endangered human life](https://www.nytimes.com/2020/11/26/us/hospital-cyber-attack.html) and [affected many governments, school organizations and even military bases](https://www.bbc.com/news/technology-50972890). Ransomware is now the top priority in cybersecurity. The Splunk Threat Research team will continue addressing ransomware variants and sharing their detection with the community. [Please download our latest content at Splunkbase](https://splunkbase.splunk.com/app/3449/), or check out [our Github repository](https://github.com/splunk/security_content).

Posted by **[Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)**

The Splunk Threat Research Team is an active part of a customer's overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks.
We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, [which are stored as datasets in the Attack Data repository](https://github.com/splunk/attack_data/). Our goal is to provide security teams with research they can leverage in their day-to-day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

[Read more Splunk Security Content.](https://github.com/splunk/security_content)