Trickbot is a banking trojan that generally targets customers of major banks. It has been developed continually to evade detection. Its distribution vector has varied over time; an attacker may use a server vulnerability, such as the recent Drupal remote code execution (RCE) vulnerability, to download the malware onto the host. The majority of the trojan's communications are carried out over SSL. Trickbot usually comprises four or five modules, including ones for gathering system information, injecting DLLs into target browsers to retrieve credentials, traversing all files, and propagating via EternalSynergy/Romance.
- A remote attacker exploits a server through a vulnerability that allows RCE, such as Drupal SA-CORE-2018-002.
- The Trickbot trojan is downloaded from a remote C2 server. The executable may be downloaded with a different file extension; in several campaigns it has used a ‘.png’ extension.
- When the trojan is executed on the system, Trickbot (depending on the variant) installs itself in the %APPDATA% directory. On successful execution, Trickbot writes group_tag and client_id files and creates a ‘Modules’ folder to store the bot's encrypted modules and configuration files. The modules include:
  - Mailsearcher module
  - Worm module
- The trojan sends an outbound HTTP request to a free public-IP lookup service to retrieve the public IP address of the server it is installed on.
- The trojan contacts the C2 server using fake self-signed certificates; the communications are encrypted.
- The infected host propagates laterally via EternalBlue/Synergy/Romance.
Note that the attacker must first be able to place the malicious code on the web server through another vulnerability or exploit.
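The on-disk artifacts listed above (group_tag and client_id files beside a ‘Modules’ folder under %APPDATA%) give a responder a simple host triage check. The following is an added example and not Alert Logic's tooling; it assumes nothing about the variant-specific install subfolder (hence the recursive walk), and the sample directory tree it scans is constructed for the self-test.

```python
"""Host triage check for the Trickbot on-disk artifacts described above: an
added example (not Alert Logic's tooling) that walks an %APPDATA%-style tree
and reports directories holding group_tag, client_id and a 'Modules' folder."""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List

MARKER_FILES = ("group_tag", "client_id")
MODULES_DIR = "modules"  # matched case-insensitively

@dataclass
class Finding:
    path: str                                   # directory with the full artifact set
    module_files: List[str] = field(default_factory=list)  # file names inside Modules

def find_trickbot_artifacts(appdata_root: str, max_depth: int = 4) -> List[Finding]:
    """Return one Finding per directory holding all three artifacts (recursive walk)."""
    findings: List[Finding] = []
    base_depth = os.path.abspath(appdata_root).count(os.sep)
    for dirpath, dirnames, filenames in os.walk(appdata_root):
        modules = [d for d in dirnames if d.lower() == MODULES_DIR]
        if os.path.abspath(dirpath).count(os.sep) - base_depth >= max_depth:
            dirnames[:] = []  # do not descend below max_depth
        files = {f.lower() for f in filenames}
        if modules and all(m in files for m in MARKER_FILES):
            modules_path = os.path.join(dirpath, modules[0])
            findings.append(Finding(dirpath, sorted(os.listdir(modules_path))))
    return findings

def build_sample_tree(root: str) -> str:
    """Constructed sample tree: one matching install folder and one near-miss."""
    hit = os.path.join(root, "Roaming", "svcupdate")  # constructed folder name
    os.makedirs(os.path.join(hit, "Modules"))
    for rel in MARKER_FILES + ("Modules/mod_a.bin", "Modules/mod_b.bin"):
        open(os.path.join(hit, *rel.split("/")), "w").close()
    near = os.path.join(root, "Roaming", "benign")  # marker files but no Modules
    os.makedirs(near)
    for rel in MARKER_FILES:
        open(os.path.join(near, rel), "w").close()
    return hit

def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_trickbot_artifacts(tmp)

if __name__ == "__main__":
    for f in demo():
        print(f"possible Trickbot install: {f.path} modules={f.module_files}")
```

On a real host, point find_trickbot_artifacts at the user's %APPDATA% path; a hit is a lead for further forensic review, not proof of infection on its own.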
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this threat and has developed signatures to detect it, depending on the security service in place.
The network-based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this threat. When one of these signatures fires, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
The attacker must have exploited some other entry vector for the malicious files to become resident on the victim machine. Ensure all software on internet-facing machines is kept up to date.