Trickbot Malware  - Trickbot - Trickbot Malware Re-emerging via MS Word with Code-Injection Technique

Trickbot is one of the widely known Banking Trojan emerging again with sophisticated techniques to at target the various financial institutions and large bank to steal the banking credentials.

The current version of Trickbot malware is spreading with a powerful code technique to evade the detection, anti-analysis technique and disable the tools that run in the target victims computer.

Trickbot which is capable of launching MitB attacks originated in the middle of 2016 and it targets financial institutions.

Trickbot have an ability to stealing the data from Microsoft Outlook, locking the ’s computer, information gathering, network information gathering and domain credentials stealing.

It Also distributed with the technique such as sleep for long and short time to avoid detection for the most of the security software.

How does Trickbot Malware Works 

An initial distribution of Trickbot malware launching via Microsoft  document which contains embedded Macro code.

Word document macro will not be executed directly instead, the user needs to execute enable content and zoomed in/out of the document to complete the execution process which is one of the new technique to evade the sandbox analysis.

Same as a variety of malicious document execute the PowerShell script and download the Trickbot malware and executed it into the victim’s machine.

- power - Trickbot Malware Re-emerging via MS Word with Code-Injection Technique

Once it dropped the payload from it & control server then the malware sleeps for 30 seconds to evade sandboxes by calling Sleep(30000) and then decrypts its resource using the RSA algorithm.once the sleep time is completed.

- sleep - Trickbot Malware Re-emerging via MS Word with Code-Injection Technique

Apart from this TrickBot performing hollow process injection using direct system calls and researchers believe that this malware sharing the code with Flokibot malware.

According to cyberbit, It using CreateProcessW to create a suspended process and the malware uses CreateFileW to obtain a handle to ntdll.dll it copies it a buffer allocated by VirtualAlloc using ReadFile, and then allocates another buffer for mapping it to the memory from its raw Copy.

- dll - Trickbot Malware Re-emerging via MS Word with Code-Injection Technique
Reading ntdll.dll from the disk

Trickbot using some function(red) for hollowing from direct system calls and some functions(Blue) hollowing from the addresses saved on the stack earlier.

- thread - Trickbot Malware Re-emerging via MS Word with Code-Injection Technique

After running the malware, we can see, as in previous variants, it copied itself and its encrypted modules to C:Users%USERNAME%AppDataRoamingmsnet

- nw - Trickbot Malware Re-emerging via MS Word with Code-Injection Technique

Organizations should be aware of this new trend to directly call functions via system calls. This technique bypasses security tool hooks and therefore most security products will not detect this threat, Researchers said.

Also Read:

New Version of Trickbot Trojan Spread via Local SMB to Perform NetServer and LDAP Enumeration

Banking Trojan “Trickbot” Powered by Necurs Targeting Financial Institutions





Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here