One of the doctrines of forensic science is Locard’s exchange principle, which holds that every action taken by the perpetrator of a crime leaves a trace. Through the process of carefully collecting and interpreting these traces, an investigator can characterise what happened and form hypotheses about other aspects of the crime, such as the capabilities of the perpetrator. This idea holds for digital forensic investigations just as much as it does in a physical crime scene. Cybercrimes involving malware require threat actors to use defence evasion techniques to circumvent security controls in the target’s network to achieve their objectives. The good news for network defenders is that these techniques often involve manipulating files, which leaves traces or “toolmarks” that can be used as signs of malicious intent or to track specific threat actors. In this article, we describe how a stealthy TrickBot campaign in September 2020 masquerading as COVID-19 alerts and invoices evaded detection by encrypting, modifying and embedding payloads in files.
TrickBot Operators Toy with Droppers, July 2020
In July 2020, we saw an unusual spam campaign delivering TrickBot banking malware. The configuration data used by every TrickBot binary contains an identifier called a gtag, which represents the campaign or distribution method used to deliver the malware. In that campaign, TrickBot executables using the gtag “end4” were embedded in Microsoft Word document attachments. This differed from the delivery mechanism usually favoured by TrickBot’s operators, where a downloader retrieves and executes the payload from a remote server. Over the last two years, we’ve seen variations of this, commonly involving obfuscated Visual Basic for Applications (VBA) macros. TrickBot has also been delivered using Ostap, a JScript downloader, and through systems that have been infected with Emotet.
First seen in 2014, TrickBot is a modular banking Trojan thought to be operated from Russia. It has extensive capabilities for making fraudulent transactions through web injections and stealing banking credentials. However, since June 2019 it has also been used as a platform to distribute post-exploitation tools and Ryuk ransomware, particularly against large enterprises.
Why Attackers Choose Droppers
Droppers offer attackers several benefits over downloaders, which may explain why we are seeing an increase in their use.
No need to host malware externally
Since the payload is embedded in a file, there is no need to host it externally. This saves the time and cost associated with obtaining and managing web infrastructure for hosting the payloads. Attackers don’t need to purchase web servers from bulletproof hosting providers or compromise legitimate web servers.
Reduces detection exposure
Embedding the payload in a document also reduces the chance of the malware being detected by security controls that inspect network traffic for malicious activity, such as web proxies and network intrusion detection or prevention systems. This places extra reliance on email gateways to block malicious attachments. Network-based controls tend to be less effective at blocking command and control (C2) traffic, especially where C2 servers are rotated regularly, as is the case with TrickBot. Web servers used for hosting malware tend to be active for longer periods of time, which means they are more likely to be blocked.
Immune to takedowns
Droppers cannot be taken down by network defenders. With downloaders, the web servers used to host the payloads are vulnerable to takedown action through abuse reports to hosting providers and domain registrars. Takedowns are particularly effective at disrupting the operations of threat actors with small hosting infrastructures. Large hosting infrastructures tend to be more resilient to takedowns. This becomes clear if we examine a malware distribution network using network analysis, a way of analysing entities (in this case, web servers, downloaders and payloads) that shows the type of relationship that exists between them.
If a threat actor only has a few web servers, the number of ties each hosting node will have to the downloaders used in a campaign will be high. This would mean that each node used for hosting has high degree centrality in the distribution network. These web servers represent “choke points” that would severely limit the distribution of the malware if they were taken offline. Conversely, a distribution network consisting of many web servers is more resilient to takedowns because each hosting node has fewer ties. Therefore, an attacker might decide to use droppers instead of downloaders if they lack hosting capacity.
Figure 1 – A TrickBot campaign from July-August 2019 that used Ostap as a downloader. Removing the two yellow nodes with the most edges would significantly reduce the number of infections.
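The choke-point argument above can be checked numerically. The following is an added example, not code from the original article: both distribution networks are constructed sample data (host names under the reserved .example TLD), and it assumes a downloader stops working only when every server it references is offline.

```python
from collections import defaultdict

# Constructed sample data: (downloader, hosting server) ties. Host names use
# the reserved .example TLD and are not indicators from any real campaign.
# SMALL: 12 downloaders share 2 servers, one URL each.
SMALL = [(f"dl{i:02d}", f"host{i % 2}.example") for i in range(12)]
# LARGE: 12 downloaders spread over 6 servers, each with a fallback URL.
LARGE = [(f"dl{i:02d}", f"host{(i + s) % 6}.example")
         for i in range(12) for s in (0, 1)]


def build_graph(edges):
    """Index the ties both ways: host -> downloaders, downloader -> hosts."""
    by_host, by_dl = defaultdict(set), defaultdict(set)
    for dl, host in edges:
        by_host[host].add(dl)
        by_dl[dl].add(host)
    return by_host, by_dl


def degree_centrality(edges):
    """Ties per hosting node divided by (n - 1), n = all nodes in the graph."""
    by_host, by_dl = build_graph(edges)
    n = len(by_host) + len(by_dl)
    return {host: len(dls) / (n - 1) for host, dls in by_host.items()}


def takedown_impact(edges, k):
    """Fraction of downloaders with no live server left after the k hosting
    nodes with the highest degree centrality are taken offline."""
    _, by_dl = build_graph(edges)
    cent = degree_centrality(edges)
    # Rank by centrality, breaking ties by name so the result is deterministic.
    removed = set(sorted(cent, key=lambda h: (-cent[h], h))[:k])
    dead = [dl for dl, hosts in by_dl.items() if hosts <= removed]
    return len(dead) / len(by_dl)


if __name__ == "__main__":
    for name, edges in (("small", SMALL), ("large", LARGE)):
        top = max(degree_centrality(edges).values())
        print(f"{name}: top centrality {top:.2f}, "
              f"2 takedowns disable {takedown_impact(edges, 2):.0%}")
```

In the small network, two takedowns leave every downloader without a live server; in the larger one, the same two takedowns disable only a sixth of them.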
Denies defenders network artefacts