MDR Vs. The TrickBot Gang

About a year ago, Cybereason's Managed Detection and Response team (aka MDR) stumbled upon an attack involving Russian cybercriminals, POS devices and an entirely new family of previously undiscovered malware.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

“[Niv] We saw that the attackers successfully deployed the attack framework on the targeted machines. [. . .] So the attackers could gain access to the supposed systems of the victim and steal his personal credit card’s data which could become a serious breach.”

In this episode of our show, you’ll be hearing from three security experts–two members of Cybereason’s Managed Detection and Response team, or “MDR,” and one member of Cybereason’s Threat Research team. They’ll be telling the story of a malicious campaign they stumbled upon last year involving Russian cybercriminals, POS devices, and an entire new family of previously undiscovered malware.

In Malicious Life, we usually follow these kinds of stories in their logical order – first you uncover the threat, then investigate it and finally attempt to combat the attack. In this episode, however, we’ll do something a bit different.

“[Eli] My name is Eli. I’m a security analyst and a threat hunter at Cybereason for the last two years.”

“[Niv] I’m Niv. I’ve been working at Cybereason for the past three and a half years. I’m Practice Director in the Global Services Team today.”

“[Lior] I’m Lior and I’m a senior threat researcher on the Nocturnus team at Cybereason, specializing in malware analysis, threat hunting, and open source intelligence.”

INITIAL DETECTION

“[Niv] So our MDR is based on the Cybereason product. We have sensors that are installed on millions of endpoints around the world, which gives us the visibility to perform wide research across different countries. In every office, we have analysts and threat hunters with wide experience coming from the offensive and defensive worlds. The analysts perform triaging in Cybereason and perform deep-dive analysis in the investigation screen. And we also monitor tweets, blogs, and security researchers in the open source intelligence and look proactively for those threats in the customer’s environment.”

“[Eli] So MDR is Managed Detection and Response. It’s something we offer to our customers. It’s 24/7 threat detection and response capabilities that, I believe, are usually done remotely. What the team is doing is investigating and responding to every threat that is found by the Cybereason platform.”

About a year ago, the MDR experts were watching an attacker as he or she was trying to hack into a client’s network. Here’s Eli and Niv.

“[Eli] We can actually see what the attacker is typing in real-time. [. . .] We could actually see just from looking at the interactive shell, we could know what the attacker is looking for, what the attacker wants, what he already knows, what he wants to know. And we were able to know at what stage he is – we actually reverse engineered the mind of the attacker at that point just by looking at the interactive shell.”

Who was this mysterious hacker, how did they infiltrate the vendor’s network – and what kind of information were they after? Well, one way of answering these questions is by examining the tools used by the attackers.

“[Eli] And during our advanced analysis, we discovered an interactive shell on the victim’s machine.”

The hacker was running a web shell on their target systems. The tool they chose was “Cobalt Strike”–a name well-known to security professionals. Cobalt Strike is actually a perfectly honest piece of software, designed to act as a penetration testing tool. But it’s also known to be used by hackers, as a way to load shellcode onto a victim’s machine.

Why would an attacker use such well-known software? One possible option is that our hacker was a script kiddie, using an off-the-shelf tool because it’s easy and they don’t really know what they’re doing. This, however, wasn’t the case this time. For reasons we’ll get to shortly, MDR knew they were probably facing a very dangerous and sophisticated foe – one that knew exactly what they were doing. There was a method to the madness.

“[Niv] So in the past research that we did, we saw that a lot of threat actors and APTs are using tools like Metasploit and Mimikatz and known tools that are usually in use by pen-testers. And what we found is that these threat actors are trying to evade detection, like they don’t want to get attribution to their group, because they use an open source tool that anyone can download.

So I guess this is a smart move from them, like at least at the beginning of their entry – in the entry level to the environment, just to see if they are caught at all. And then they can download their own internal tools and do their own stuff.”

You know those Nigerian scam emails? “I’m a prince and if you’d only send me $100,000 I can repay you 100 times over.” These scammers don’t want you to reply. They’re designed to attract only the most gullible people on Earth. The kind of people who would actually pay that $100,000.

Similarly, the reason to use Cobalt Strike is to suss out whether your target is the kind of target that could catch an average hacker. If they don’t spot your obvious tell, it’s an easy score–they’re definitely not going to pick up on all the more advanced stuff you’re going to do next. If they do spot it, it’s no problem–the software is generic enough that you could be any hacker. There’s no fingerprint.

So to figure out the attacker’s identity, we’ll have to take a step further back in time, and ask – how did the web shell end up on the victim’s machine in the first place? It turns out it was downloaded to the machine by another piece of malware, of a type known as a ‘Dropper’: malicious software designed to download and install other malicious software on a targeted system.

This dropper was of particular interest. It was somehow both familiar and unrecognizable. Here’s Lior.

“[Lior] We started to scroll back and see where it all started. We started to see the similarities with TrickBot. And TrickBot is usually referred to as a banking trojan, but it’s actually more than that. TrickBot is a modular information stealer that has a wide range of capabilities for data theft and reconnaissance.”

TrickBot is not a new malware: it was created in 2016. But due to its sophistication, modularity and constantly evolving nature – it’s still considered a major threat to corporate networks. But this particular software, although it was very similar to TrickBot – wasn’t TrickBot.

“[Lior] But it was a different malware and was used for different purposes.”

In October 2019, NTT Security identified a TrickBot variant, and named it “Anchor_DNS”–“Anchor” because the malware authors had used the word, and DNS for how it leveraged the internet’s Domain Name System.

Though Anchor_DNS had only been discovered one month prior, Lior was now looking at a new variant.

“[Eli] Lior’s team was the team that was responsible to actually reverse engineer the malware and to understand the true nature of this malware and the potential capabilities, which we couldn’t see at the first encounter when we saw the malware.”

The primary strength of this Anchor_DNS was its ability to completely evade conventional security detection mechanisms. It used two primary methods. First: DNS tunneling.

“[Lior] DNS tunneling is basically like an exploit of the DNS protocol that can be used to transfer data and to communicate with another machine.”

DNS Tunneling

A quick refresher on DNS: when two computers wish to communicate over the internet, they need to know each other’s IP addresses. An IP address is basically just a bunch of numbers, and so not so easy for us, humans, to remember – which is why we use domain names, such as malicious.life.

DNS – short for Domain Name System – is the system used for translating such a domain name into an IP address that the computer can actually use. The way it works is that when you type in your browser address bar ‘malicious.life’, the browser sends a query to designated DNS servers – which ultimately return the IP address of malicious.life. DNS queries are fairly simple and common, which is why for many years security experts were mainly focused on other more easily exploitable protocols – such as FTP, for example – which were considered more dangerous.

However, as is often the case, the crooks found a way to abuse these DNS queries – and use them as communication channels for Command & Control over their botnet, or even as a way to transfer substantial amounts of data, such as data exfiltrated from a compromised network. They first register a domain name – say, for example, evil.com – and then set up a DNS server that is authoritative for that domain. When the malware hijacks a victim’s computer, it crafts a DNS query for a name under ‘evil.com’, and the global DNS system – as it should – passes this query to the DNS server set up by the malware’s controller. But this specially crafted DNS query contains, in this case, more than just a simple request for an IP address: the malware can encode or ‘hide’ in the query name all sorts of other data, such as details about the compromised machine. This ‘hiding’ of extra data in the query is what is usually referred to as ‘Tunneling’.
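To show what the tunneling pattern described above looks like from the defender’s side, here is an added example (not code from the episode or from Cybereason) that scores DNS query names for long, high-entropy subdomains and flags registered domains that receive many distinct ones. The log lines, the evil.com domain borrowed from the narration, and the thresholds are constructed assumptions; taking the last two labels as the registered domain is a simplification noted in the code.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (client IP, queried name); not a real capture.
HEX = "0123456789abcdef"

def _tunnel_query(i):
    # Rotations of the hex alphabet stand in for hex-encoded data chunks
    # carried in the subdomain labels, as the episode describes.
    rot = HEX[i:] + HEX[:i]
    return f"10.0.0.7 {rot}.{rot[::-1]}.evil.com"

SAMPLE_LOG = [
    "10.0.0.5 www.malicious.life",
    "10.0.0.5 mail.example.com",
    "10.0.0.5 cdn-assets-01.example.com",
    "10.0.0.7 www.malicious.life",
] + [_tunnel_query(i) for i in range(8)]

def shannon_entropy(s):
    """Bits per character; 4.0 is the maximum for a hex alphabet."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Return (subdomain, registered_domain). Simplification (assumption):
    the registered domain is the last two labels; production code would
    consult the public suffix list instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def is_suspicious(qname, min_len=30, min_entropy=3.5):
    """A single query looks data-carrying when the subdomain part is long
    and high-entropy, unlike hostnames that people choose by hand."""
    sub, _ = split_name(qname)
    payload = sub.replace(".", "")
    return len(payload) >= min_len and shannon_entropy(payload) >= min_entropy

def find_tunneling_domains(log_lines, min_distinct=5):
    """Registered domains receiving many distinct suspicious subdomains are
    candidates for DNS-tunneling C2 or exfiltration."""
    seen = defaultdict(set)
    for line in log_lines:
        _, qname = line.split()
        if is_suspicious(qname):
            sub, dom = split_name(qname)
            seen[dom].add(sub)
    return {dom for dom, subs in seen.items() if len(subs) >= min_distinct}

if __name__ == "__main__":
    print(sorted(find_tunneling_domains(SAMPLE_LOG)))  # prints ['evil.com']
```

Real resolver logs need a public suffix list and per-client baselining before the distinct-subdomain count is meaningful, since CDNs and anti-spam lookups also generate many unique labels.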

“[Lior] It’s usually less trivial to analyze and it’s more advanced because a lot of organizations don’t really filter DNS communication and the protocol itself.”

In addition to DNS tunneling, Anchor_DNS used an even better trick.

“[Lior] The Anchor executable basically demands flags in order to operate properly.”

A “flag” – or “option,” or “switch” – is simply a means of modifying a command line operation: like if you would type ‘ls’ in your terminal window, it would display the list of files and folders in your current directory, but if you would add the ‘-?’ flag it would instead display the help file on how to use the ‘ls’ command. In Anchor_DNS’s case…

“[Lior] If you don’t supply the right flags or don’t supply any flag, the executable will simply not run. And then security solutions and the sandboxes will basically not detect it. This actually allows the Anchor malware to stay under the radar and to have a very low detection on VirusTotal. And yeah, it also makes the manual analysis a bit harder because we need to know which flags we need to provide to the executable in order to run. And if you don’t have the flags, you can’t run the malware.”

The TrickBot Gang

The attackers included other stealth mechanisms in addition to DNS tunneling and command line flags, including stack strings, string encryption, and more. The sophistication of the new malware, and an abundance of other signs – pointed to a clear suspect: the TrickBot Gang.

“[Lior] So we can’t talk about TrickBot without first talking about the TrickBot gang, which is one of the biggest cybercrime groups operating in the world today. The key members are thought to be Russian speaking and they are a financially motivated group, and they are involved in a wide range of cybercrime activity. The gang has an ecosystem and partnership with other threat actors. They rent access to their infrastructure and infected hosts to other threat actors in order to increase their revenue. The most known tool for the gang is TrickBot, which also gave it its nickname.”

It’s a sign of just how notorious TrickBot is that other threat actors have purchased it from the TrickBot Gang. One of TrickBot’s best customers, for example, is the Lazarus Group of North Korea – the perpetrators of the Sony Pictures hack in 2014, and WannaCry.

“[Lior] When it was first observed in 2016, TrickBot was mainly used against individual users to steal financial information. And around 2017, 2018, the TrickBot gang shifted into targeting organizations and performed larger hacking operations. In order to do so, they had to expand their arsenal. And they introduced new tools.”

When TrickBot Gang graduated to bigger, better targets, they built bigger, better versions of TrickBot – and this was one of them. But that wasn’t all.

“[Lior] We noticed that there were no – there were two main variants, not just one.”

The dropper came with another malware–this one even stranger than the last.

“[Lior] So when we first started to investigate the binary, we noticed a PDB path embedded into it, which contained the name of Anchor DNS.”

This program had “Anchor” in it, but it lacked any DNS component. In fact, it lacked just about everything that made Anchor_DNS so tricky.

“[Lior] That was sort of like a test variant because it was not obfuscated, barely any advanced techniques. [. . .] We started to investigate what its name is and searched for other samples with the same name. [. . .] We started to see that there are a lot of samples that are basically undetected in VirusTotal and by different security solutions. And we understood that there is something much bigger than just one or two samples here. [. . .] This made us realize that this is a part of a bigger and undiscovered family that actually stayed under the radar for almost two years.”

This wasn’t just new malware; it was a new malware family – one which had completely evaded detection, by the entire security community, for years.

Phishing

The last piece of the puzzle – or rather, the *first* piece, since this was actually the first step of the attack – was sneaking the new dropper into the victim’s network. How did the TrickBot gang manage that?

“[Niv] Our MDR service is monitoring alerts from all of our services customers. And in one of the shifts, we noticed a malicious phishing attack, which is something that we are used to seeing in our day to day, and it’s not something that is special for this threat actor.”

A phishing attack, on its own, might not be very interesting. It’s what a phishing email is hiding that interests threat defenders.

The malicious link included in the email led to a file hosted on Google Docs. Once the link is clicked, the user is brought to a seemingly legitimate Google window, which purports to be hosting a Microsoft Word document titled “Annual Bonus report.” Pretty sly, huh? Who wouldn’t want to view their annual bonus?

Of course, you can’t actually view the document–there is no document. If you click on the download link, a window pops up indicating that the user should update their version of Microsoft Word, or try opening the document from a different computer.

Meanwhile, a malware dropper is downloading onto the user’s machine.

“[Eli] We also managed to see additional downloaded legitimate files that can be used for malicious purposes such as reconnaissance and lateral movement that the attacker bolted to the machine.”

So let’s zoom out and view the whole attack chain. There’s Cobalt Strike, the interactive web shell that the hacker was using to probe the victim network. Cobalt Strike is pretty generic, and so useful to avoid attribution of the attack. However, it was ‘dropped’ into the target machine by malware which is an advanced and evolved version of TrickBot – a well known banking Trojan, tied to the TrickBot gang. And all this began with a simple phishing email…

“[Eli] a very common type of attack.”

There’s a lesson here.

“[Eli] So we can see that sophisticated threat actors are still using traditional ways such as phishing as their main infection vector, and they usually deliver what’s called a commodity malware such as TrickBot. But we also see that commodity malware is transforming into a threat loader to deliver their tools and payload, such as TrickBot, which is a commodity malware but can also be a threat loader, as we see in this case.

One of our insights is not to ignore commodity malware, since it has the potential to transform into a full hacking operation and cause substantial damage for enterprises.”

This insight – not ignoring the simple things like phishing emails and commodity malware – is what allowed the MDR team to lay a reverse trap for the TrickBot gang.

“[Niv] So from the behavior that we analyzed within the alerts, we saw that the attacker’s motivation was stealing sensitive information from the customer environment. So they tried to take control over critical assets in the victim’s network, and their target was that whole system.”

Epilogue

It became clear what the hackers were after, because they were aiming their malware at point-of-sale systems.

“[Niv] The goal and motivation of these attackers was to steal information, and especially financial information.”

If successful, the hacker would have had their hands on not just vendor systems, but plenty of stored credit card data from customers.

“[Niv] Luckily, the team detected this in real time and responded very quickly to the alert.”

“[Lior] We actually worked well with the investigation, where they were targeting the US system and stealing credit card data.”

“[Niv] That resulted in the prevention of the attack and the remediation that was needed in the customer environment.”

The attack was stopped. But the TrickBot Gang remains alive and well. They’ll surely be back again – probably with newer, better malware next time.

Will there be experts around to stop them?