Trickbot was first discovered in August, 2016 as a banking trojan which infected computers to steal email passwords and address books to spread malicious emails from compromised email accounts. It has developed new capabilities and techniques to trick users into executing its disguised file, and incorporated new modules in each campaign.
The same group behind Trickbot is believed to develop a new backdoor module called BazarBackdoor due to spam origin, method of operation, and code overlap analysis. Both utilize the same crypter and email chains as previous Trickbot campaigns, as well as the Emercoin DNS resolution service for C&C server communication. The disguised file here is BazarBackdoor, named after its .bazar C&C DNS domains. This is a lightweight malware aimed to evade detection. Once executed, it connects to C&C and downloads its backdoor payload to memory. The backdoor’s goal is to execute binaries, scripts, and modules, kill processes and remove itself from the compromised machine.
Behaviour
- Phishing mail w/ link (customer complaint, COVID-19 payroll report, employee termination list)
- Connects to C&C domains {word}game.bazar
- Perform fileless operation: download latest backdoor version and load into memory
- Backdoor downloads and executes the Cobalt Strike penetration testing and post-exploitation toolkit on the compromised machine
- Remains undetected by user and gains persistence by creating a Scheduled Task, Run Registry, or a Startup entry
Capabilities
- Information theft
- Stealth and fileless operation
- Backdoor commands
- Network compromise via Cobalt Strike
Impact
- Compromise system security - with backdoor capabilities that can execute malicious commands
- Violation of user privacy - gathers user credentials and steals user information
Additional Threat Reference Information
Infection Chain
Sample Spam (Customer Complaint Spam)
MITRE ATT&CK Matrix
| BEHAVIOR | TACTIC | TECHNIQUE |
|---|---|---|
| Arrives as a customer complaint, employee termination lists, or COVID-19-themed payroll reports spam mail | Initial Access | T1193 Spearphishing Attachment |
| Tricks user to open an executable file disguise as PDF or Word document | Execution | T1204 User Execution |
| Process Doppelganging into svchost.exe | Defense Evasion | T1186 Process Doppelganging |
| Creates scheduled task of the loader | Persistence, Privilege Escalation | T1053 Scheduled Task |
| Creates an autorun value in registry or Startup shortcut | Persistence | T1060 Registry Run Keys / Startup Folder |
| Potential to control the compromised machine or send gathered information to C&C server of attacker | Exfiltration | T1041 Exfiltration Over Command and Control Channel |
Available Solutions
| Solution Modules | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules |
|---|---|---|---|---|
| Email Protection | Yes | AS Pattern 5398 | May 5. 2020 | - |
| URL Protection | Yes | In the Cloud | - | - |
| Advanced Threat Scan Engine (ATSE) | Yes | 15.841.00 | April 28, 2020 | - |
| Predictive Learning (TrendX) | Yes | In the Cloud | - | Troj.Win32.TRX.XXPE50FFF035 |
| File detection (VSAPI) | Yes | ENT OPR 15.841.00 | April 28, 2020 | Trojan.Win32.TRICKBOT.TIGOCBAINS Trojan.Win64.TRICKBOT.CFI Trojan.Win64.TRICKBOT.CFJ Trojan.Win64.TRICKBOT.CFK Trojan.Win64.TRICKBOT.CFL Trojan.Win64.TRICKBOT.CFM TrojanSpy.Win32.TRICKBOT.THAOFBO |
| Yes | Smart Scan 16.520.00 | February 5, 2021 | Trojan.Win64.BAZALOADER.FAIO (NIM Compiled BazarBackdoor) | |
| Network Pattern | Yes | NCIP 1.13425.00 NCCP 1.12857.00 | August 29, 2018 | Trickbot DDI rule 2413 |
| Behavioral Monitoring (AEGIS) | - | - | - | - |
