Is "Xmaker" the new “TrickLoader”?
Overview
During November of 2015, the Dyre banking Trojan, which was very prolific at the time and targeted countless financial institutions worldwide, vanished from the wild almost overnight.
It was only during February of 2016 that the announcement was made that Russian authorities had arrested most of the gang that was operating the Dyre banking Trojan. (Reference: http://www.reuters.com/article/us-cybercrime-russia-dyre-exclusive-idUSKCN0VE2QS)
Since then, nothing was heard from the actors behind Dyre, but it has been speculated that members of the Dyre gang which managed to avoid arrest by the Russian authorities have been integrated into other cybercrime gangs.
During September of 2016 a new breed Malware has surfaced, calling itself “TrickBot”, which shares some similarities with Dyre.
Among these similarities are a similar loader, similar encryption and decryption routines, and similar structure of the configuration files. (Reference: http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html)
However, it is lacking Dyre’s extensive Command and Control infrastructure, it’s also missing some of the modules that were present in Dyre such as SOCKS and VNC, and the coding style looks different from Dyre’s.
TrickBot still appears to be a work-in-progress, doing little to hide its presence on an infected system.
One interesting fact is that trickbot’s requests to its C2 servers contain easily identifiable User-Agent strings such as “TrickLoader” and “BotLoader”:
TrickBot’s Configuration and capability changes
During the past few months trickbot is evolving rapidly add constantly adding capabilities, targeted entities, and upgrading its version number.
Version 1000002:
Initial samples of trickbot started to surface in Virus Total at around august 2016:
Related md5s:
· 38503c00be6b7f7eeb5076c0bd071b4c
· bf621ef7e98047fea8c221e17c1837b8
· 0804499dba4090c439e580f5693660e0
· e4a8dc8fd08d4f65a68d0a40e2190c70
On the 15th of October 2016, Fidelis Threat Researcher Jason Reaves publishes an analysis of the new trickbot malware. The analyzed sample was shown to be version 1000002:
http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html
this version included the following “modules”:
· systeminfo – responsible for grabbing system data
· injectDll32 – responsible for browser injections
The only method of injection in this version was “dynamic injects” which was implemented in a very similar to Dyre’s dynamic (“server side”) injects - https://devcentral.f5.com/s/articles/dyre-presents-server-side-web-injects
Version 1000003:
On the 24th of October 2016, Independent Researcher @hasherezade published a detailed analysis of the trickbot malware which has advanced it's configuration to version 1000003:
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
On the 25th of October 2016, ASERT analysts publish insights regarding the methodologies used to initially distribute TrickBot:
https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/
Version 1000005:
On the 7th of November 2016, F5 Researchers Julia Karpin, Shaul Vilkomir-Preisman, and Anna Dorfman report updates to trickbot, which advanced to version 1000005:
https://f5.com/about-us/news/articles/little-trickbot-growing-up-new-campaign-22790
The new version added new targeted entities, modified the configuration structure, and added a new method of browsers injections - static injects (AKA "redirects") which again, is very similar to Dyre’s static injects.
Version 1000007:
Version 1000007 of trickbot expanded its target list a bit more as described here: https://f5.com/about-us/news/articles/trickbot-now-targeting-german-banking-group-sparkassen-finanzgruppe-23630
Version 1000009:
On the 30th of November 2016, Version 1000009 of trickbot adds a new "mailsearcher" module:
This new module has its own configuration settings:
And its own C2 server IP address:
The main functionality of the mailsearcher module is:
· Traversal over all files in all drives in the system
· Comparing their file extensions to the following list:
· Creating an http connection with the user agent “KEFIR!”
· Sending information over that connection in the following URL format: IP-ADDRESS/GROUP-ID/CLIENT-ID/send/
(client-id information was stripped out in this screenshot)
Additionally, it changed its User-Agent header from "TrickLoader" and “BotLoader” to "Xmaker":
(client-id information was stripped out in this screenshot)
Another example of the changed User-Agent header can be seen here:
On the 5th of December 2016, Version 1000009 of trickbot adds a few more targets to its static inject ("redirects") targeted entity list. Shifting from the initial focus on dynamic injections to redirect attacks.
This is an interesting shift, as the Dyre Malware had the opposite shift while it was active (it first introduced static injections and only after it shifted to dynamic injections)
Related md5s:
· 46ffaa075dd586a6f93a4d26a2431355
· 1c8ea23e2892c4c7155c9f976c6e661d
· 26992865a2ae96ed48df8ddfc7223a13
Version 1000010:
On the 6th of December 2016, Version 1000010 of TrickBot several more previously untargeted banks in Australia and New Zealand, as well as several Singapore banks to target list – which were not previously targeted at all. This version also adds an Indian bank to the target list – again, previously not targeted at all.
Related md5:
· 52cab07e1a41e68bd2793a37ba04d270
Conclusion
TrickBot is an example of a malware which is currently in an active development mode, and is constantly changing and adding capabilities. Its Authors are clearly trying to replicate Dyre’s capabilities and structure. We suggest to keep a close eye on its evolvements and prepare ourselves to the threats that is may pose to the security of our users.