The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over... Read More
October 15, 2016
TrickBot: We Missed you, Dyre
In November 2015, the Dyre banking trojan seemingly disappeared overnight surprising security researchers worldwide. Months later it was announced that Russian authorities had arrested most of the gang responsible for its operations. Prior to that, it was a relatively rare act for Russian authorities to take action in such matters. Since then, nothing has been heard from those actors but the speculation was that some of programmers and other elements of the criminal operation would be subsumed into other cybercriminal operations.
In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.
This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.
The campaign we have observed involving TrickBot includes webinjects that target banks in Australia. A full list of hashes, IOCs and targets is available at the end of this blog post.
With regards to TrickBot, while the version of the bot has been reset and quite a lot of code has been removed we don’t believe this is an old version but is instead a rewrite, since the coding style is not conclusively that of old Dyre. While the bot performs very similar functions and activities, the code style is quite a bit different than the older Dyre code in a few respects
Instead of running commands directly the bot interfaces with TaskScheduler through COM for persistence
Instead of running an onboard SHA256 hashing routine or AES routine the bot utilizes Microsoft CryptoAPI
There is considerably more code in the C++ programming language versus the original Dyre that used C for the most part.
Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot. With moderate confidence, we assess that one of more of the original developers of Dyre is involved with TrickBot.
This blog post details our technical analysis of TrickBot.
The first thing we noticed is the custom crypter which after careful analysis was found to be used for both TrickLoader along with Vawtrak, Pushdo and Cutwail malware. This is interesting because Cutwail spambot was a favorite of old Dyre crew for use in their spam campaigns.
Next we take a look at the loader which from first glance appears to be similarly constructed as Dyre’s loader, including a x86 and x64 bot version and another section named x64 loader(Figure 1).
Figure 1 TrickLoader resources
The loader simply checks if it is running on a 32 or 64bit system before decoding the appropriate resource section(s). The bit check is performed using GetNativeSystemInfo (Figure 2). The decoding routine is a LCG(Linear Congruential Generator) based routine using a hardcoded seed of 12345 (Figure 3).
Figure 2 TrickLoader Bit Check
Figure 3 TrickLoader resource decode
Figure 4 TrickBot resource sections
The bot shows a number of similarities to Dyre but appears to have been rewritten. This assumption is made based on old Dyre code, which would primarily use built-in functions for doing things such as AES and SHA256 hashing. In the recent samples identifying themselves as TrickBot, the code appears to be based on that old code but rewritten to use things such as Microsoft CryptoAPI and COM.
Similar to old Dyre the bot comes with an onboard config in its resource section along with an ECC cert (Figure 4). The bot also uses a very similar but slightly modified version of the old Dyre C2 decryption, this routine is then used for encrypting/decrypting all data respectively. The algorithm used by Dyre for generating the AES and IV from the first 48 bytes of data based on a rehashing scheme was commonly referred to as Dyre’s derive_key function, this function was slightly changed in the new bot.
Figure 5 TrickBot Derive Key
Figure 6 TrickBot Decrypt
For starters, both the AES key and IV are derived using 128 rounds of SHA256, the key is derived from the first 32 bytes of data and the IV from bytes 16 through 48(Figure 5). Another slight modification is the hash data instead of being continually rehashed, the data is now appended to each subsequent hash and that data is then hashed to get the next hash, ultimately ending after 128 iterations with the key based on the hash of all the accumulated data. Knowing this is enough to modify the old Dyre decrypt and derive key functions to work for TrickBot(Figure 6). This routine is used to decode the onboard config(Figure 5), the C2 traffic and the modules.
Figure 7 Onboard Bot Config
Figure 8 Onboard Module Config
The first bots pushed for testing of TrickBot came with a single module called GetSystemInfo. This module comes in both 32bit and 64bit version and includes an interesting pdb path(C:UsersThe trickYandexDiskProjectsBotBot_(1006)_08.12.2016BotGetSystemInfo_solutionx86ReleaseGetSystemInfo.pdb). As the name suggests the module appears to be entirely geared towards harvesting system information, probably to give the developers a better understanding of their test bots. The modules also come with their own embedded moduleconfig(Figure 6) and are stored on disk in a ‘/modules/’ folder at the same location that the bot runs out of. Also, as was the case with Dyre the modules are downloaded from the mod server which has been renamed in the initial config for TrickBot to plugin server or psrv.
On October 13, 2016 a new bot was found that contained the injectDll which is the browser inject module for TrickBot, the webinject config filenames are stored in the moduleconfig of the injectDll module as sinj, dinj and dpost. It would appear as though the injects are still being tested and possibly added as they convert them over to the new structure. This setup does fall in line with how Dyre had its config separated out though.
While the bot is still missing quite a lot from what was previously seen in Dyre it is obvious that there is correlation between the code used in this bot and that from Dyre. As the bot appears in development they are pushing to rebuild their Cutwail botnet in preparation for future spam runs. It’ll be interesting to see if TrickBot can reach or pass its predecessor.
Pushdo with same crypter:
See Fidelis platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.