Trickbot is a well-known financial Trojan that targets large bank customers and steals their credentials. Trickbot is also a modular malware that contains modules with many different features. Since 2016, it has been active and continuously deriving variants, and new tips and modules are added for each update.
Specifically, the modules included in Trickbot generally have the following functions, including stealing data from a browser, stealing data from Microsoft Outlook, locking a victim computer, collecting system information, collecting network information, and taking domain credentials.
Recently, the Cyberbit malware research team studied the latest Trickbot variant to see how it differs from previous variants and fully understand its new behaviours and techniques. The research shows that Trickbot’s new variant uses a secret code injection technique that involves using direct system calls, following analysis techniques, and disabling security tools to perform process knockouts. In a sense, the behaviour of this new variant is somewhat similar to the Flokibot Bank Trojan.
The new variant was downloaded via a Word document containing macro code, which was initially posted on Twitter and confirmed by the Cyber bit team. Interestingly, even if you click “enable content” to enable the macro, the document will not execute the macro code it contains until the user has zoomed the document. The Cyber bit team said that this is probably to avoid sandbox detection, but it also protects users who don’t scale their documents.
Interesting #malicious#doc -> vba macro is triggered when a user zooms in/out (InkPicture1_Resize). It has a hidden form that contains encoded #PowerShell. Dls #PE from /nrrgarment.com/zmoperes.ri or /oasis-projects.com/zmoperes.ri#doc /22.214.171.124/unsubscr_st_600331.doc pic.twitter.com/owD4TXDAx8
Like most malicious macros, the macros here are also confused. It will eventually execute a PowerShell script for downloading and running Trickbot. After anti-aliasing and renaming, this PowerShell script looks like this:
At the beginning of the execution, this new variant of Trickbot will sleep for 30 seconds by calling Sleep (30000) to avoid sandbox detection. It then uses the RSA algorithm to decrypt its resources for performing the malicious behaviour. We can see that, like the previous version, this new variant will also copy itself and its cryptographic module to C:\Users\%USERNAME%\AppData\Roaming\msnet.
It’s worth noting that this new variant also disables and removes the Windows Defender service with the following command (the third is a PowerShell command to disable real-time monitoring of Windows Defender):
TrickBot was originally a Trojan virus that targeted the bank and spread it with botnets such as Necurs. With the popularity of cryptocurrency, it has also turned its attention to the cryptocurrency trading platform, and at the same time targeted some different currencies.
From the new variants analysed by the Cyber bit team, TrickBot is still being developed, and its execution process is very similar to the Flokibot Trojan, which seems to reveal some code shared between the two Trojan viruses. Also, we have seen that this new variant of TrickBot will disable and remove the Windows Defender service to evade detection, which will undoubtedly expose the victim to a broader range of potential threats.