HP Threat Research Blog Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks

October 8, 2020 Category: Threat Research By: Alex Holland



One of the doctrines of forensic science is Locard’s exchange principle that every action taken by the perpetrator of a crime leaves a trace.[1] Through the process of carefully collecting and interpreting these traces, an investigator can characterise what happened and form hypotheses about other aspects of the crime, such as the capabilities of the perpetrator. This idea holds for digital forensic investigations just as much as it does in a physical crime scene. Cybercrimes involving malware require threat actors to use defence evasion techniques to circumvent security controls in the target’s network to achieve their objectives.[2] The good news for network defenders is that these techniques often involve manipulating files, which leave traces or “toolmarks” that can be used as signs of malicious intent or to track specific threat actors.[3] In this article, we describe how a stealthy TrickBot campaign in September 2020 masquerading as COVID-19 alerts and invoices evaded detection by encrypting, modifying and embedding payloads in files.


TrickBot Operators Toy with Droppers, July 2020

In July 2020, we saw an unusual spam campaign delivering TrickBot banking malware. The configuration data used by every TrickBot binary contains an identifier called a gtag, which represents the campaign or distribution method used to deliver the malware.[4] In that campaign, TrickBot executables using the gtag “end4” were embedded in Microsoft Word document attachments.[5] This differed from the delivery mechanism usually favoured by TrickBot’s operators, where a downloader retrieves and executes the payload from a remote server. Over the last two years, we’ve seen variations of this, commonly involving obfuscated Visual Basic for Applications (VBA) macros. TrickBot has also been delivered using Ostap, a JScript downloader, and through systems that have been infected with Emotet.[6]

First seen in 2014, TrickBot is a modular banking Trojan thought to be operated from Russia.[7] It has extensive capabilities for making fraudulent transactions through web injections and stealing banking credentials. However, since June 2019 it has also been used as a platform to distribute post-exploitation tools and Ryuk ransomware, particularly against large enterprises.[8]

Why Attackers Choose Droppers

Droppers offer several benefits to attackers over downloaders, which may explain why we are seeing an increase in their use.

No need to host malware externally

Since the payload is embedded in a file, there is no need to host it externally. This saves the time and cost associated with obtaining and managing web infrastructure for hosting the payloads. Attackers don’t need to purchase web servers from bulletproof hosting providers or compromise legitimate web servers.

Reduces detection exposure

Embedding the payload in a document also reduces the chance of the malware being detected by security controls that inspect network traffic for malicious activity, such as web proxies and network intrusion detection or prevention systems. This places extra reliance on email gateways to block malicious attachments. These controls tend to be less effective at blocking command and control (C2) traffic, especially where C2 servers are rotated regularly, as is the case with TrickBot. Web servers used for hosting malware tend to be active for longer periods of time, which means they are more likely to be blocked.

Immune to takedowns

Droppers cannot be taken down by network defenders. With downloaders, the web servers used to host the payloads are vulnerable to takedown action through abuse reports to hosting providers and domain registrars. Takedowns are particularly effective at disrupting the operations of threat actors with small hosting infrastructures. Large hosting infrastructures tend to be more resilient to takedowns. This becomes clear if we examine a malware distribution network using network analysis, a way of analysing entities (in this case, web servers, downloaders and payloads) that shows the type of relationship that exists between them.[9]

If a threat actor only has a few web servers, the number of ties each hosting node will have to the downloaders used in a campaign will be high. This would mean that each node used for hosting has high degree centrality in the distribution network. These web servers represent “choke points” that would severely limit the distribution of the malware if they were taken offline. Conversely, a distribution network consisting of many web servers is more resilient to takedowns because each hosting node has fewer ties. Therefore, an attacker might decide to use droppers instead of downloaders if they lack hosting capacity.
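To make the degree-centrality argument concrete, here is an added Python example (not HP's code) that models two constructed distribution networks, one with few hosting servers and one with many, and measures how many downloaders a takedown of the most-connected hosts would cut off. All host and downloader names are made up.

```python
"""Degree-centrality view of a malware distribution network (added example).

Each downloader is tied to the web servers it can retrieve its payload from.
Hosting nodes with many ties are choke points: taking them down cuts off
every downloader that has no other reachable host.
"""
from collections import Counter

# Constructed sample data: downloader -> hosting servers it can use.
# Two servers carry all the traffic: high degree centrality per host.
SMALL_INFRA = {
    "dl-a": ["host-1"], "dl-b": ["host-1"], "dl-c": ["host-1", "host-2"],
    "dl-d": ["host-2"], "dl-e": ["host-2"], "dl-f": ["host-1", "host-2"],
}
# Same number of downloaders spread over six servers: fewer ties per host.
LARGE_INFRA = {
    "dl-a": ["host-1", "host-4"], "dl-b": ["host-2"], "dl-c": ["host-3"],
    "dl-d": ["host-4", "host-5"], "dl-e": ["host-5"], "dl-f": ["host-6"],
}


def host_degree(ties):
    """Degree centrality of each hosting node: number of downloader ties."""
    return Counter(host for hosts in ties.values() for host in hosts)


def live_downloaders(ties, taken_down):
    """Downloaders that still have at least one hosting node not taken down."""
    return {dl for dl, hosts in ties.items() if set(hosts) - taken_down}


def takedown_impact(ties, k):
    """Take down the k highest-degree hosts.

    Returns (hosts removed, number of downloaders left with no live host).
    """
    ranked = [host for host, _ in host_degree(ties).most_common()]
    removed = set(ranked[:k])
    cut_off = len(ties) - len(live_downloaders(ties, removed))
    return removed, cut_off


if __name__ == "__main__":
    for name, infra in (("small", SMALL_INFRA), ("large", LARGE_INFRA)):
        removed, cut_off = takedown_impact(infra, 2)
        print(f"{name}: degrees={dict(host_degree(infra))} "
              f"remove={sorted(removed)} cut off {cut_off}/{len(infra)}")
```

Removing the top two hosts silences every downloader in the small network but only a third of them in the large one, which is the resilience difference the text describes.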

Figure 1 – A TrickBot campaign from July-August 2019 that used Ostap as a downloader. Removing the two yellow nodes with the most edges would significantly reduce the number of infections.

Denies defenders network artefacts

Droppers also deny defenders network indicators of compromise (IOCs) associated with the initial download and execution of the malware. Web server configurations, DNS and WHOIS records and other network artefacts are a valuable source of information for tracking the activities of threat groups over time and across campaigns.

Dropper Disadvantages

Worse targeting and operational security (OPSEC)

One area where downloaders are better than droppers is OPSEC. Downloaders allow threat actors to choose targets selectively based on their IP address (geofencing), user agent and other client information exposed to the web server hosting the malware. They also enable attackers to switch payloads in and out at will, reducing the window of opportunity for researchers and defenders to download and analyse the malware. However, these OPSEC benefits are generally considered less important to operators of massively deployed malware families, such as TrickBot.

TrickBot Malspam Campaign, September 2020

COVID-19 and Invoice Lures

Starting on 16 September 2020, we detected a high-volume TrickBot spam campaign that used the gtag “ono76”, where the Trojan was embedded in hundreds of encrypted DOCM attachments masquerading as COVID-19 alerts and invoices.

Figure 2 – Fake invoice lure used in the TrickBot campaign from September 2020.

Low Detection Rates

Unlike the documents used in the July campaign that had relatively high detection rates (30/61) on VirusTotal,[5] the files in this campaign were more effective at evading detection. 70% of the samples were detected by four or fewer scanning engines, and several files received zero detections (Figures 3 and 4).