TrickBot: Same Necurs, New Campaign

June 22, 2017

The Necurs botnet, mentioned in our blog last month, has been used as a way to spread the JAFF ransomware and, has since been spotted once again. This time it’s spreading the TrickBot banking Trojan.

The infection chain is still the same as it was with the JAFF campaign, by using an email with a PDF attachment along with a Word document (that includes macros) as a second-stage attachment to infect its victims.

Unlike JAFF, where victims were infected with ransomware and “held” for payment before their files were unlocked, victims of this campaign are infected with TrickBot, a banking Trojan, with similar attributes to the Dyre banking trojan.

Upon infecting a machine, TrickBot downloads configuration files from its C&C server, that tells it which banking sites to target.

TrickBot awaits in the shadows, to target to launch a web browser and when launched, the malware injects a DLL into the browser, effectively hijacking it and using it for whatever purpose it chooses. When the victim logs on to a specific banking site, the malware steals the user’s credentials and attempts to send them to its C&C server.

Previous analyses have shown that TrickBot C&C servers are setup on hacked wireless routers. As mentioned, this is very similar to Dyre and its infrastructure.

Tricky Attack Vector

The key point of this attack vector lies within the PDF attachments.

All code is contained inside the attached Word document and since most security solutions can’t handle attachments within a PDF: the PDF and the Word document, along with their malicious macros are allowed in.

Sandbox Evasion

Many security companies provide a sandbox as a major part of their solution. Suspicious files are executed in a sandboxed, safe environment and the results are analyzed for suspicious or malicious behaviors. Malware authors have developed a lot of sandbox-evasion tricks aimed at aborting the execution of the malware if it detects it is being executed in a sandboxed environment.

In our case, the PDF asks you to actively open the attached Word document and by doing so, applies the oldest sandbox-evasion trick in the book: user interaction.

As the sandbox environment simply executes the file it has been given and monitors its behavior, it cannot operate like a user can So, this attack will not be executed in a sandboxed environment, the sandbox will mark the file as ‘safe’ and allow it into the organization.

Final Notes

Where old-generation solutions fail, Content Disarm and Reconstruction (CDR) technology prevails. CDR is the only technology capable of scanning, analyzing, and purging document formats such as PDF and DOCM of bad code. In a CDR scenario, an attached file is carefully examined, dissected, and rebuilt from scratch, without any non-standard or non-documented attributes, values, attachments, and OLE objects. No signatures or AI-based learning is required.