Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Tale of the Two Payloads – TrickBot and Nitol

A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan that first appeared late last year targeting banks in Europe, UK, Australia and other countries. This trojan injects malicious code into a web browser process and siphons sensitive data when the victim visits a target banking website. The Nitol family is well-known for its distributed denial of service (DDOS) and backdoor capabilities.

8276_1ff64f17-afec-4f16-add3-7e7d64a4c742
Figure 1. Hourly malicious spam volume from Necurs between 19th and 20th of July 2017

 

Infection Vectors

On the 19th of July, we have observed a malicious spam campaign claiming to be a receipt from Apple Store UK. This has a PDF file with an embedded DOCM object.

 

11181_ac74150d-e74e-4ea9-a741-b5bafaf90ba0
Figure 2. Spam mimicking Apple Store UK with malicious PDF attachment

 

9711_6845e10c-0eb9-48aa-86bf-16c2ca3852f9
Figure 3. DOCM Object Embedded

 

The PDF file drops a .DOCM (Document with embedded macro) file into the %temp% folder and,when the document is opened, prompts the user to enable the macro. Closely analyzing the macro codes, reveals a script that will automatically download an encrypted binary executable from these hardcoded domain:

hxxp://cabbonentertainments.com\83b7bf3 hxxp://dabar.name\83b7bf3 hxxp://nasusystems.com\83b7bf3

This encrypted binary is then decrypted by the macro code and executed.

 

BSL_7788_089a8748-24a7-4991-aa38-6bbc2740100d
Figure 4. VBA Macro decryption routine

 

Another spam campaign we observed claims to be a "purchase order" with a binary executable attachment that was zipped twice.

 

9528_5e7d8dbe-cf80-4dd7-a8e1-25a3794a1f1d
Figure 5. Fake Purchase Order with ZIP file attachment

 

BSL_9178_4d5bfe06-07df-4aeb-ad57-e45e0f2079b5
Figure 6. Double Compressed Binary Executable

 

Both spam campaign have the same payload:

MD5

2c5639ddaa3ed639e17a0fa669e35da1

SHA-1

d127c60b32fb4a83f711a4a38e9053f347ed90ec

File Size

431,458 bytes

 

Payloads – Nitol and Trickbot Packages

8957_4377e062-a7b6-48ec-9137-2e60e897d1aa
Figure 7. Attack diagram

 

The main binary executable acts a loader that executes both the Nitol and Trickbot binaries separately from the loader's resource section. The main loader also contains an anti-VM mechanism that checks for VirtualBox and VMware to prevent any further execution within sandbox devices.

 

Payload 1: Trickbot

Trickbot creates a new process of itself in suspended mode after which it allocates and writes its code to the new process using VirtualAllocEx and WriteProcessMemory API.

 

8998_454d34aa-9a01-4575-a3e7-689d8eed707b
Figure 8. Trickbot spawns a new process of itself upon execution

 

Once everything is loaded to the new processes address space, the malware simply resumes the suspended process by using ResumeThread.

It drops a copy of itself in the %AppData%\winapp folder along with other configuration files and plugins:

 

9510_5d1edaa8-f944-4318-a3d0-4c59954f10f6
Figure 9. Tree view of the drop files

 

DROP FILES

DESCRIPTION

%AppData%\winapp\config.conf

Contains control server IP address and configurations

%AppData%\winapp\client_id

Contains Unique ID includes that includes hostname and Windows version

%AppData%\winapp\group_tag

Contains Campaign tag/ID

%AppData%\winapp\<random name>.exe

Malware executable itself

%AppData%\winapp\Modules\importDll32

Browser form grabbing module

%AppData%\winapp\Modules\injectDll32

DLL injected to browser

%AppData%\winapp\Modules\outlookDll32

Outlook data grabbing module

%AppData%\winapp\Modules\systeminfo32

Get system information module

%AppData%\winapp\injectDll32_configs\dinj

Contains encrypted information of target online banks and its redirect

%AppData%\winapp\injectDll32_configs\dpost

Contains the IP address where the stolen banking data are exfiltrated

%AppData%\winapp\injectDll32_configs\sinj

Contains another encrypted information of target online banks

%AppData%\winapp\mailsearcher32_configs\mailconf

Contains the IP address where the stolen Outlook profile data are exfiltrated

 

For persistence, it creates a scheduled task to execute the malware on user logon and also trigger every three minutes.

9223_4effb1fe-6dd8-444e-b29e-46ba05095692
Figure 10. Scheduled task for persistence

 

This malware avoids static analysis by encoding most of its strings using a lookup algorithm that involves a decoder table represented by this code:

def trickbot_decode(text): ts = "aZbwIiWO39SuApBFcPC/RGYomVxUNL01nr56le47Hv8DJsjQgEkKy+fT2dXtzhMq" alphabet = [n for n in ts] bit_str = "" text_str = "" for char in text: if char in alphabet: bin_char = bin(alphabet.index(char)).lstrip("0b") bin_char = bin_char.zfill(6) bit_str += bin_char brackets = [bit_str[x:x+8] for x in range(0,len(bit_str),8)] for bracket in brackets: text_str += chr(int(bracket,2)) return text_str.encode("UTF-8")

 

11112_a974614a-cea0-4234-9e6f-82c8e81c0811
Figure 11. Sample of obfuscated string from the malware body

 

The malware drops an encrypted configuration file named "config.conf" that contains the command and control server information and other module settings.

 

7832_0a86fc9a-38ea-41df-8eb7-e14d3c92c93d
Figure 12. Decrypted C2 information

 

TrickBot Modules

TrickBot spawns multiple processes of Svchost.exe where it injects multiple modules:

  • A browser form grabbing module
  • An outlook credential grabbing module
  • A system information grabbing module

The module InjectDLL32 hooks the browser process and monitors the victim's browser activity.

 

BSL_12630_f1bcf310-8bb3-40ff-8ff0-f4189136f425
Figure 13. Poisoned svchost.exe hooking chrome.exe process

 

Trickbot monitors browsers including Chrome, IExplore, Firefox and Microsoft Edge. It also hooks the Runtimebroker.exe process which is a parent process of MS Edge.

8007_12a6e4e0-c210-4d3e-92f6-0cc850ce1fa6
Figure 14. Target browser processes

 

An encrypted configuration file stored in %AppData%\winapp\injectDll32_configs\dinj and %AppData%\winapp\injectDll32_configs\sinj contains a list of target online banking URLs.

 

11643_c3901c3a-bef1-424b-bd9e-f70c0dc2d147
Figure 15. Target online banking stored in dinj file

 

BSL_7877_0cff1167-ed03-4e9b-adf8-b5c2649e324e
Figure 16. Target online banking stored in sinj file

 

8913_411ccddd-f44f-4c7a-8a73-429a11d698c6
Figure 17. IP address where stolen data are exfiltrated

 

Another module is injected to a separate SVCHOST.EXE instance that is responsible for grabbing Outlook credentials.

Shown below are the Outlook registry keys that the malware attempts to query:

 

BSL_10064_79a1f228-0b65-401b-b844-7d962b3f2632
Figure 18. List of Outlook registry key

 

From those registry keys, it attempts to gather Outlook accounts and credentials such as Email, User, Server, Port and Password

 

BSL_10484_8bc838e1-c352-4433-a341-26ac979cc715
Figure 19. Outlook profile and credential stealer

 

These Outlook data are exfiltrated to an IP address stored encrypted in "mailsearcher32_configs" file

 

11849_cc86a27a-8e52-442d-9d56-ceede9651a7a
Figure 20. Decrypted exfiltration IP stored in the config file

 

And lastly, another module named "systeminfo" is responsible for collecting the victim's system information that includes Usernames, CPU type, RAM, OS Architecture, installed programs and services.

 

11288_b1ba9613-a599-4fbb-809d-6e30e366187d
Figure 21. strings from system information grabber

 

Payload 2: Nitol DDOS bot

A Nitol binary is stored in the resource section of the loader. It is compressed using UPX and upon execution it creates a mutex name "qazwsxedc" to avoid multiple instances of itself running.

 

BSL_11052_a62c38b8-7ffd-47ab-a033-9571e0d10165
Figure 22. Nitol's Main Function

 

Once Nitol has decrypted the command and control server, it will connect to the server and wait for further commands. The two main functions of this backdoor is to perform DDOS and to "Download-And-Execute" arbitrary files.

C2 Server

e.googlex.me:40

 

BSL_12414_e8eb4767-5878-44df-b9e5-a75ede5111cb
Figure 23. Nitol's Backdoor DDOS Function
 
BSL_11348_b4b71bc7-2760-4ca9-9e66-bda610bc329d
Figure 24. Nitol's Backdoor "Download-And-Execute" File Function

 

Types of DOS Nitol may perform against its target are as follows:

  • SYN Flood
  • TCP Flood
  • UDP Flood
  • HTTP Flood
  • ICMP Flood

 

Conclusion

The Necurs botnet has been actively devoting its resources to distributing Trickbot and Nitol malware variants. The botnet used two templates. The first spam template is a classic email attaching the main executable while the second template used a more recent technique of embedding a DOCM within a PDF file. Whichever template the user receives, it will lead to the possible execution of the same malware loader. That loader can execute both Trickbot and Nitol in your system. This observation of bot loaders delivering two or more different pieces of malware at the same time appears to be increasingly common. This basically saves the botmaster's time by avoiding the creation of a separate template for each different malware delivery. Also, this allows botmasters to "strike while the iron is hot" as some security products may need time to react and block two different pieces malware instead of one.

The Trustwave Email Security Gateway provides protection against these campaigns at the gateway by utilizing multiple different signature and heuristic protection layers.

Contributors: Gerald Carsula, Nico Ramos, Homer Pacag

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More