Trickbot has been seen often as a payload dropped by other malware like Emotet, and has been seen dropping many payloads, most notably ransomware. But while Emotet sleeps it may be that this botnet is passing out access to other groups a la Emotet style. In the past month we witnessed a Trickbot infection lie dormant for several days before being scoped by Cobalt Strike and then left with just a Pyxie infection.

Initial infection

A Trickbot sample was run in the lab:

dmndfkle.exe|81ee8c62fff641b99f3e5ac83c575526 81ee8c62fff641b99f3e5ac83c575526 cdde976a0d485e91c9e304eeac91eab5b19126c1 4dc82acf2a736e9cbaa39b5decfa943177417ad88d995ebe7fba79d9d0579849

Upon execution the sample moved itself to:

C:\Users\user\AppData\Roaming\CmdValidate\ேதததததகககஏஏேஏேேஓோோபகபகபபபஊஊூலலலல.exe

We’ve seen the Trickbot actors use various unicode characters for some time now, we believe that the intention here is to evade security tools as many have difficulty parsing these characters and can fail to detect or even simply break while trying to parse these characters.

After an hour or so we witnessed the common Trickbot internal reconnaissance using Microsoft utilities.

During the time Trickbot was active network traffic indicated gtag man6

Locally on the system the Trickbot config file showed the following configuration.

From the infected host we saw two different processes get injected for running Trickbot and communications with the C2 infrastructure.

C:\Windows\System32\svchost.exe C:\Windows\System32\wermgr.exe

These legitimate windows executables allow Trickbot to run unhindered and undetected on the system. After the initial checkins and setting up on the host, Trickbot proceeded to do nothing but beacon for 3 days. Then out of the blue things moved on to the next phase.

Group 2 Arrives

Trickbot delivered a Cobalt Strike payload using PowerShell to inject into memory.

This Cobalt Strike payload was using the malleable c2 amazon profile.

Cobalt Strike ran a flurry of windows recon commands and this interesting AV enumeration script:

Commands ran by the attacker during Cobalt Strike session:

C:\Windows\system32\cmd.exe /C whoami /groups C:\Windows\system32\cmd.exe /C tasklist /v C:\Windows\system32\cmd.exe /C netstat -na | findstr "EST" C:\Windows\system32\cmd.exe /C systeminfo C:\Windows\system32\cmd.exe /C ipconfig /displaydns C:\Windows\system32\cmd.exe /C wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathtoSignedProductExe wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathtoSignedProductExe netstat -an net user net use net view /all netstat -an net user net use net view /all net view /all /domain cmd.exe /c "reg.exe save hklm\security c:\windows\temp\xqjxxkmbrx" reg.exe save hklm\security c:\windows\temp\xqjxxkmbrx cmd.exe /c "reg.exe save hklm\system c:\windows\temp\kjmohmuk" reg.exe save hklm\system c:\windows\temp\kjmohmuk cmd.exe /c "reg.exe save hklm\sam c:\windows\temp\emmbnafzjtwq" reg.exe save hklm\sam c:\windows\temp\emmbnafzjtwq net share C:\Windows\system32

et1 share net config workstation C:\Windows\system32

et1 config workstation net group "Domain Admins" C:\Windows\system32

et1 group "Domain Admins" route print net localgroup C:\Windows\system32

et1 localgroup ipconfig /all tasklist /V net share C:\Windows\system32

et1 share net config workstation C:\Windows\system32

et1 config workstation net group "Domain Admins" C:\Windows\system32

et1 group "Domain Admins" route print net localgroup C:\Windows\system32

et1 localgroup ipconfig /all tasklist /V net config workstation C:\Windows\system32

et1 config workstation nslookup -type=any %%userdnsdomain%% net config workstation C:\Windows\system32

et1 config workstation nslookup -type=any %%userdnsdomain%%

PyXie

At the same time that Cobalt activity began an additional entry point began using a combination of PyXie RAT and a Logmein signed binary used to load the RAT. For an in depth breakdown of Pyxie check out this write-up by Ryan Tracey of Cylance.

C2

PyXie C2 uses TLS to encrypt its communication so it was very helpful to have ssl interception here. Multiple ET-PRO signatures (2029084, 2029086) fired for this communication based on the certificate. C2 ip is 162.[]248[.]245[.]71 and the domain is benreat.com.

Here’s a keep alive from PyXie. Notice the referer being google.com; that wouldn’t normally arise suspicion. The user-agent string does appear to be unique as we weren’t able to validate the string. Looking at the content we see some interesting information being passed such as uptime, system name, admin or not, domain name, if in memory or on disk, godmode (system?), av check, os version, etc.

Sharphound

Sharphound was downloaded and run via PyXie.

After the initial flurry of activity Cobalt Strike fell off, PyXie continued with little beacon activity and once a day returning to dump creds via the registry.

Conclusion

We did not see a final action on objectives, based on TTP’s ransomware could have been a likely choice.

Trickbot seem to be continuing strong even in Emotet’s absence and seeing usage of PyXie is certainly new ground for infections we’ve seen. Still being able to detect default behavior can help you quickly identify and remediate malicious behavior. Trickbot C2 infrastructure is quite well known and you should treat any Trickbot infection as a potential full domain compromise.

Being able to detect Cobalt Strike and Bloodhound/Sharphound activity may just save your digital domain.

Enjoy our report? Please consider donating $1 or more to the project using Patreon. Thank you for your support!

IOCs

Pyxie Intezer

Trickbot Any.Run

dmndfkle.exe|81ee8c62fff641b99f3e5ac83c575526 81ee8c62fff641b99f3e5ac83c575526 cdde976a0d485e91c9e304eeac91eab5b19126c1 4dc82acf2a736e9cbaa39b5decfa943177417ad88d995ebe7fba79d9d0579849 192.169.6.180 ConsoleHost_history.txt|444b446dd246829db1b7b343a7d4d9ce 444b446dd246829db1b7b343a7d4d9ce 97a481c07f8ca2346f5167ae2ae0d992a8fdebf4 199969c142a625ac50364623ba43898f3db4e4ff3441f93911717ce5cd68bb0f LMIGuardianDll.dll|82df61349a9391a6cf236047c7471572 82df61349a9391a6cf236047c7471572 b8ec908cc4a0e8e406ce5d100a8f34a10fe3d064 80bd15267756343f028cbe77afe810068b0e6a36ce32f52be63f620ef5b5ed89 LMIGuardianDll.dll.dat|a82672168756becefe2dac9234ee61f6 a82672168756becefe2dac9234ee61f6 5bfc42ed380e5b9701ccaec2d2f312069ef4af11 39646dd3bf20ff74415b806cea08daa8277ccc1bb7da5df4c5bd4313ae5cd697 cmdline.txt|6d0b192efb3909556cc6452ee5336b93 6d0b192efb3909556cc6452ee5336b93 a4789b71f8382f23b39c656f797fe1c2f22e3cc8 4beed76d5848fda5c41a9705ebef9bd81278e085ed57ffacc97b188ed8979b50 51.89.115.112|443 185.141.27.225|443 151.80.212.114|443 5.182.210.178|443 188.119.113.60|443 91.235.129.199|443 185.234.72.193|443 194.5.250.200|443 185.14.29.141|443 185.99.2.197|443 185.234.72.50|443 194.5.250.201|443 108.170.61.186|443 217.12.209.159|443 185.99.2.44|443 51.89.115.108|443 164.68.120.58|443 164.132.255.19|443 148.251.185.164|443 94.250.250.69|443 94.250.249.170|443 195.123.237.105|443 190.214.13.2|449 181.129.104.139|449 181.112.157.42|449 181.129.134.18|449 131.161.253.190|449 121.100.19.18|449 202.29.215.114|449 171.100.142.238|449 190.136.178.52|449 45.6.16.68|449 110.232.76.39|449 122.50.6.122|449 103.12.161.194|449 36.91.45.10|449 103.227.147.82|449 96.9.77.56|449 103.5.231.188|449 110.93.15.98|449 200.171.101.169|449 162.248.245.71 185.206.144.40 216.189.145.132 teamchuan.com benreat.com tedxns.com 148.251.185.186|443 170.238.117.187|8082 176.119.159.147|443 178.156.202.251|443 185.99.2.152|447 203.176.135.102|8082 217.12.209.176|447 217.12.209.244|443 51.254.164.243|443 5.182.210.30|447 51.89.115.121|443 5.196.247.14|443 93.189.42.81|443 96.9.77.142|80 Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)