Tale of the Two Payloads – TrickBot and Nitol
A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan that first appeared late last year, targeting banks in Europe, the UK, Australia and other countries. This trojan injects malicious code into a web browser process and siphons sensitive data when the victim visits a targeted banking website. The Nitol family is well known for its distributed denial of service (DDoS) and backdoor capabilities.
Infection Vectors
On the 19th of July, we observed a malicious spam campaign claiming to be a receipt from the Apple Store UK. The email carries a PDF file with an embedded DOCM object.
The PDF file drops a .DOCM (document with embedded macro) file into the %temp% folder and, when the document is opened, prompts the user to enable the macro. Closer analysis of the macro code reveals a script that automatically downloads an encrypted binary executable from one of these hardcoded domains:
hxxp://cabbonentertainments.com\83b7bf3
hxxp://dabar.name\83b7bf3
hxxp://nasusystems.com\83b7bf3
This encrypted binary is then decrypted by the macro code and executed.
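The PDF-with-embedded-DOCM chain above leaves recognisable markers in the raw PDF: a Filespec whose file name carries a macro-enabled extension, an EmbeddedFile stream, and usually JavaScript or an OpenAction that drives the drop. The following first-pass triage scanner is an added example, not code from the post or from Trustwave; the sample PDF fragments it scans are constructed (the object layout is minimal and not a real sample), and it deliberately reads raw bytes only, so object streams or Flate-compressed dictionaries would need to be inflated by a real PDF parser before this check is meaningful.

```python
import re

# Macro-enabled Office extensions worth flagging when they appear as an embedded file name
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def embedded_file_names(pdf: bytes):
    """Yield file names from /F and /UF entries (literal and hex string forms)."""
    # Literal string: /F (name), allowing backslash escapes, no nested parentheses
    for m in re.finditer(rb"/(?:F|UF)\s*\(((?:[^()\\]|\\.)*)\)", pdf, re.S):
        yield m.group(1).decode("latin-1")
    # Hex string: /F <6e616d65>
    for m in re.finditer(rb"/(?:F|UF)\s*<([0-9A-Fa-f\s]+)>", pdf):
        hexdigits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(hexdigits) % 2:          # PDF hex strings may omit the final nibble
            hexdigits += "0"
        yield bytes.fromhex(hexdigits).decode("latin-1")


def triage_pdf(pdf: bytes) -> dict:
    """Raw-byte triage for the embedded-macro-document pattern."""
    names = sorted(set(embedded_file_names(pdf)))
    findings = {
        "embedded_file": b"/EmbeddedFile" in pdf,
        "macro_attachment_names": [n for n in names if n.lower().endswith(MACRO_EXTENSIONS)],
        "javascript": re.search(rb"/(?:JS|JavaScript)\b", pdf) is not None,
        "open_action": b"/OpenAction" in pdf,
    }
    # An embedded file that is itself a macro document is the combination seen in this campaign
    findings["suspicious"] = findings["embedded_file"] and bool(findings["macro_attachment_names"])
    return findings


# Constructed PDF fragments (not real samples); only the dictionaries matter for this scan.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(receipt.docm) 4 0 R] >> >> /OpenAction 6 0 R >> endobj
4 0 obj << /Type /Filespec /F (receipt.docm) /UF (receipt.docm) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
6 0 obj << /S /JavaScript /JS (placeholder_script) >> endobj
%%EOF
"""
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(blob))
```

Treat a hit as a reason to detonate or hand the file to a full parser, not as a verdict: the same Filespec/EmbeddedFile structure is used legitimately by PDF portfolios, so the macro-enabled extension is what separates this campaign's lure from ordinary attachments.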
Another spam campaign we observed claims to be a "purchase order" and carries a binary executable attachment that was zipped twice.
Both spam campaigns deliver the same payload:
MD5 | 2c5639ddaa3ed639e17a0fa669e35da1
SHA-1 | d127c60b32fb4a83f711a4a38e9053f347ed90ec
File Size | 431,458 bytes
Payloads – Nitol and Trickbot Packages
The main binary executable acts as a loader that extracts the Nitol and Trickbot binaries from its resource section and executes each separately. The loader also contains an anti-VM mechanism that checks for VirtualBox and VMware to prevent any further execution inside sandbox environments.
Payload 1: Trickbot
Trickbot creates a new process of itself in suspended mode, then allocates memory in the new process and writes its code there using the VirtualAllocEx and WriteProcessMemory APIs.
Once everything is loaded into the new process's address space, the malware simply resumes the suspended process using ResumeThread.
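The create-suspended, write, resume sequence just described is a strong behavioural signal in a sandbox or EDR API trace, because benign parents rarely write into a child they created suspended before letting it run. The following detector is an added example, not code from the post; the trace format (caller pid, API name, target pid, extra arguments) and the assumption that the sandbox resolves the thread handle given to ResumeThread back to its owning process are mine, and the trace itself is constructed.

```python
# Constructed sandbox-style API trace, not taken from the post. Each entry is
# (caller pid, api name, target pid, extra arguments). The format assumes the sandbox
# resolves the handle passed to ResumeThread back to the owning process.
CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit for CreateProcess

CONSTRUCTED_TRACE = [
    (1000, "CreateProcessW", 1244, {"flags": CREATE_SUSPENDED}),   # copy of itself, suspended
    (1000, "VirtualAllocEx", 1244, {"protect": 0x40}),             # PAGE_EXECUTE_READWRITE
    (1000, "WriteProcessMemory", 1244, {}),
    (1000, "WriteProcessMemory", 1244, {}),
    (1000, "ResumeThread", 1244, {}),
    (2000, "CreateProcessW", 2301, {"flags": 0}),                  # ordinary child, never written to
    (2000, "ResumeThread", 2301, {}),
    (3000, "CreateProcessW", 3456, {"flags": CREATE_SUSPENDED}),   # suspended but untouched (debugger-like)
    (3000, "ResumeThread", 3456, {}),
]


def find_hollowing_candidates(trace):
    """Return target PIDs that were created suspended by a process, written into by that
    same process, and then resumed: the create-write-resume pattern described above."""
    stage = {}   # target pid -> (creator pid, furthest stage reached)
    for pid, api, target, extra in trace:
        if api.startswith("CreateProcess") and extra.get("flags", 0) & CREATE_SUSPENDED:
            stage[target] = (pid, "suspended")
            continue
        creator, current = stage.get(target, (None, None))
        if creator != pid:
            continue                                    # only the creating process matters here
        if api == "VirtualAllocEx" and current == "suspended":
            stage[target] = (pid, "allocated")
        elif api == "WriteProcessMemory" and current in ("suspended", "allocated"):
            stage[target] = (pid, "written")            # overwriting the original image also counts
        elif api == "ResumeThread" and current == "written":
            stage[target] = (pid, "resumed")
    return sorted(t for t, (_, s) in stage.items() if s == "resumed")


if __name__ == "__main__":
    print("hollowing candidates:", find_hollowing_candidates(CONSTRUCTED_TRACE))
```

The same idea maps onto Sysmon telemetry without an API trace: a ProcessAccess event (Event ID 10) from a parent to a child it created moments earlier, with write-capable access rights, followed by that child running a different image than its on-disk file, is the endpoint-side shape of this technique.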
It drops a copy of itself into the %AppData%\winapp folder along with configuration files and plugins:
DROP FILES | DESCRIPTION
%AppData%\winapp\config.conf | Contains control server IP addresses and configuration
%AppData%\winapp\client_id | Contains a unique ID that includes the hostname and Windows version
%AppData%\winapp\group_tag | Contains the campaign tag/ID
%AppData%\winapp\<random name>.exe | The malware executable itself
%AppData%\winapp\Modules\importDll32 | Browser form grabbing module
%AppData%\winapp\Modules\injectDll32 | DLL injected into the browser
%AppData%\winapp\Modules\outlookDll32 | Outlook data grabbing module
%AppData%\winapp\Modules\systeminfo32 | System information gathering module
%AppData%\winapp\injectDll32_configs\dinj | Contains encrypted information on targeted online banks and their redirects
%AppData%\winapp\injectDll32_configs\dpost | Contains the IP address to which stolen banking data is exfiltrated
%AppData%\winapp\injectDll32_configs\sinj | Contains further encrypted information on targeted online banks
%AppData%\winapp\mailsearcher32_configs\mailconf | Contains the IP address to which stolen Outlook profile data is exfiltrated
For persistence, it creates a scheduled task that executes the malware at user logon and also triggers every three minutes.
This malware avoids static analysis by encoding most of its strings using a lookup algorithm that involves a decoder table, represented by this code:

```python
def trickbot_decode(text):
    # Decoder table: each character of an encoded string maps to its 6-bit index in this table
    ts = "aZbwIiWO39SuApBFcPC/RGYomVxUNL01nr56le47Hv8DJsjQgEkKy+fT2dXtzhMq"
    alphabet = list(ts)
    bit_str = ""
    for char in text:
        if char in alphabet:
            # 6-bit big-endian representation of the character's table index
            bit_str += bin(alphabet.index(char))[2:].zfill(6)
    # Regroup the bits into whole bytes; a trailing group shorter than 8 bits is padding, not data
    usable = len(bit_str) - len(bit_str) % 8
    brackets = [bit_str[x:x + 8] for x in range(0, usable, 8)]
    return bytes(int(bracket, 2) for bracket in brackets)
```
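The decoder table above is a permutation of the standard base64 alphabet, and the 6-bit grouping is exactly base64's, so the scheme can be handled by translating characters back to the standard alphabet and using the standard library decoder. The code below is an added example, not from the post, and adds the inverse transform, which is what you need to turn a known cleartext (a C2 address, a config key name) into the encoded form to search for in a memory dump or YARA rule; the sample strings are constructed.

```python
import base64

# Alphabet from the decoder table in this post; it is a permutation of the standard base64 alphabet
TRICKBOT_ALPHABET = "aZbwIiWO39SuApBFcPC/RGYomVxUNL01nr56le47Hv8DJsjQgEkKy+fT2dXtzhMq"
STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
assert len(set(TRICKBOT_ALPHABET)) == 64          # sanity check: a real 64-symbol permutation

_TO_STANDARD = str.maketrans(TRICKBOT_ALPHABET, STANDARD_ALPHABET)
_TO_TRICKBOT = str.maketrans(STANDARD_ALPHABET, TRICKBOT_ALPHABET)


def decode_trickbot_string(text: str) -> bytes:
    """Decode an obfuscated string by mapping it back onto standard base64."""
    symbols = "".join(c for c in text if c in TRICKBOT_ALPHABET)   # drop padding or junk bytes
    standard = symbols.translate(_TO_STANDARD)
    standard += "=" * (-len(standard) % 4)                          # restore base64 padding
    return base64.b64decode(standard)


def encode_trickbot_string(data: bytes) -> str:
    """Inverse transform: produce the obfuscated form of a known cleartext."""
    standard = base64.b64encode(data).decode("ascii").rstrip("=")
    return standard.translate(_TO_TRICKBOT)


if __name__ == "__main__":
    constructed = b"constructed sample string"
    encoded = encode_trickbot_string(constructed)
    print(encoded, "->", decode_trickbot_string(encoded))
```

Because standard base64 never produces a length of 1 mod 4, an input that does so (the case where the bit-string approach would emit a stray partial byte) is rejected by b64decode with an error rather than silently yielding a bogus trailing character.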
The malware drops an encrypted configuration file named "config.conf" that contains the command and control server information and other module settings.
TrickBot Modules
TrickBot spawns multiple svchost.exe processes and injects a module into each of them:
- A browser form grabbing module
- An outlook credential grabbing module
- A system information grabbing module
The injectDll32 module hooks the browser process and monitors the victim's browser activity.
Trickbot monitors browsers including Chrome, Internet Explorer, Firefox and Microsoft Edge. It also hooks the RuntimeBroker.exe process, which is a parent process of Microsoft Edge.
An encrypted configuration file stored in %AppData%\winapp\injectDll32_configs\dinj and %AppData%\winapp\injectDll32_configs\sinj contains the list of targeted online banking URLs.
Another module is injected into a separate svchost.exe instance and is responsible for grabbing Outlook credentials.
Shown below are the Outlook registry keys that the malware attempts to query:
From those registry keys, it attempts to gather Outlook account details and credentials such as Email, User, Server, Port and Password.
This Outlook data is exfiltrated to an IP address stored, encrypted, in the "mailsearcher32_configs" file.
Lastly, another module named "systeminfo" is responsible for collecting the victim's system information, including usernames, CPU type, RAM, OS architecture, installed programs and services.
Payload 2: Nitol DDoS bot
A Nitol binary is stored in the resource section of the loader. It is compressed using UPX and, upon execution, creates a mutex named "qazwsxedc" to avoid running multiple instances of itself.
Once Nitol has decrypted the command and control server address, it connects to the server and waits for further commands. The two main functions of this backdoor are to perform DDoS attacks and to "download and execute" arbitrary files.
C2 Server | e.googlex.me:40
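The host and network artefacts this post gives for both payloads (the loader hashes, the %AppData%\winapp drop directory and module names, the logon-plus-three-minute scheduled task, the "qazwsxedc" mutex and the e.googlex.me:40 C2) are enough for a quick triage pass over a host inventory. The script below is an added example, not code from the post or from Trustwave; the inventory format, the expansion of %AppData% to <profile>\AppData\Roaming, the task name and the random executable name are assumptions, and the inventory itself is constructed.

```python
import re

# Indicators taken from this post
LOADER_HASHES = {
    "md5": "2c5639ddaa3ed639e17a0fa669e35da1",
    "sha1": "d127c60b32fb4a83f711a4a38e9053f347ed90ec",
}
# %AppData% expanded to <profile>\AppData\Roaming (assumption about the expansion)
TRICKBOT_DIR_RE = re.compile(r"\\AppData\\Roaming\\winapp\\", re.IGNORECASE)
TRICKBOT_MODULES = {"importDll32", "injectDll32", "outlookDll32", "systeminfo32"}
NITOL_MUTEX = "qazwsxedc"
NITOL_C2 = ("e.googlex.me", 40)

# Constructed host inventory (not from the post). The task name "\Updater" and the executable
# name "kjhsdf.exe" are placeholders for the random names the post describes; the trigger
# strings model a logon trigger and a Task Scheduler repetition interval of PT3M.
CONSTRUCTED_HOST = {
    "files": [
        r"C:\Users\alice\AppData\Roaming\winapp\config.conf",
        r"C:\Users\alice\AppData\Roaming\winapp\Modules\injectDll32",
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\notes.lnk",
    ],
    "scheduled_tasks": [
        {"name": "\\Updater",
         "action": r"C:\Users\alice\AppData\Roaming\winapp\kjhsdf.exe",
         "triggers": ["logon", "repeat:PT3M"]},
        {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
         "action": r"C:\Windows\System32\defrag.exe",
         "triggers": ["weekly"]},
    ],
    "mutexes": ["qazwsxedc", "Local\\SM0:1234:64:WilError_03"],
    "connections": [("e.googlex.me", 40), ("update.microsoft.com", 443)],
    "file_hashes": {
        r"C:\Users\alice\Downloads\receipt.exe": {"md5": "2c5639ddaa3ed639e17a0fa669e35da1"},
    },
}


def triage_host(host):
    """Match an inventory against the indicators above; returns (tag, evidence) pairs in inventory order."""
    hits = []
    for path in host.get("files", []):
        if TRICKBOT_DIR_RE.search(path):
            basename = path.rsplit("\\", 1)[-1]
            tag = "trickbot_module" if basename in TRICKBOT_MODULES else "trickbot_drop_dir"
            hits.append((tag, path))
    for task in host.get("scheduled_tasks", []):
        triggers = set(task["triggers"])
        # The post's persistence: run at logon and repeat every three minutes, from the drop dir
        if TRICKBOT_DIR_RE.search(task["action"]) and {"logon", "repeat:PT3M"} <= triggers:
            hits.append(("trickbot_scheduled_task", task["name"]))
    for mutex in host.get("mutexes", []):
        if mutex == NITOL_MUTEX:
            hits.append(("nitol_mutex", mutex))
    for host_port in host.get("connections", []):
        if tuple(host_port) == NITOL_C2:
            hits.append(("nitol_c2", "%s:%d" % tuple(host_port)))
    for path, hashes in host.get("file_hashes", {}).items():
        if any(hashes.get(algo, "").lower() == value for algo, value in LOADER_HASHES.items()):
            hits.append(("loader_hash", path))
    return hits


if __name__ == "__main__":
    for tag, evidence in triage_host(CONSTRUCTED_HOST):
        print(f"{tag:24} {evidence}")
```

The hashes and the C2 are the most brittle of these indicators, since they change from build to build; the scheduled task shape (an executable under a user-writable profile directory running at logon and every few minutes) and the module file names are the checks that tend to outlive a single campaign.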
The types of DoS attack Nitol may perform against its target are as follows:
- SYN Flood
- TCP Flood
- UDP Flood
- HTTP Flood
- ICMP Flood
Conclusion
The Necurs botnet has been actively devoting its resources to distributing Trickbot and Nitol malware variants. The botnet used two templates. The first spam template is a classic email attaching the main executable, while the second uses the more recent technique of embedding a DOCM within a PDF file. Whichever template the user receives, it leads to the possible execution of the same malware loader, and that loader can execute both Trickbot and Nitol on the victim's system. Bot loaders delivering two or more different pieces of malware at the same time appears to be increasingly common. This saves the botmaster time by avoiding the creation of a separate template for each malware delivery. It also lets botmasters "strike while the iron is hot", as some security products may need time to react to and block two different pieces of malware instead of one.
The Trustwave Email Security Gateway provides protection against these campaigns at the gateway by utilizing multiple different signature and heuristic protection layers.
Contributors: Gerald Carsula, Nico Ramos, Homer Pacag