Morphisec Cybersecurity Blog

Trickbot and Emotet Delivery through Word Macro

Written by Alon Groisman | September 16, 2020 at 4:00 PM

The Morphisec Labs team has prevented on our customers’ sites a massive Trickbot and Emotet phishing campaign during the 10th and 11th of September. Trickbot is one of the most advanced malware frameworks active today; it constantly evolves with more innovative methods to achieve its goals.

The Emotet banking trojan is also especially dangerous, and is currently the subject of increased activity around the world after nearly five months of silence. Governments in France, Japan, and New Zealand have all issued warnings about Emotet in recent weeks; this emphasizes the danger of the trojan.

We’ve written about Trickbot malware previously -- most recently in February when it received an upgrade focused on Windows 10 -- and have tracked its evolution for some time. This latest phishing campaign shows both Emotet & Trickbot using similar droppers and phishing documents.

Technical Details

Word Macro:

The target of a phishing attack will receive the following document with an embedded image that hides important text. This “important text” represents part of the attack.

Figure 1: The document with the obscured text.

Figure 2: The hidden text exposed

When increasing font size and changing the color (initially the text is in white, which is a known way to hide code), we can see that the threat actor uses “Lorem ipsum” dummy text and the following strings in between:

  • C:\Users\Public\
  • winmgmts:Win32 Process
  • Rundll32
  • Certutil -decode
  • c echo (not used by Macro)
  • Base64 long string

Figure 3: Code strings

Figure 4: The macro text in Word.

The VBA Macro:

The VBA macro is very minimalistic and without obfuscation in order to not trigger noisy vendors.

Figure 5: The macro

The macro execution is triggered on Document closure.

The Button_Click2 function extracts text from the Word content by paragraph line number (ActiveDocument.Paragraphs). The function gets two parameters that represent the paragraph line number and how many characters the string contains.

The values that are retrieved directly from the text as described previously:

  • STP - C:\Users\Public\Ksh1
  • Ms13 - WMI object (winmgmts:Win32_Process)
  • One - Certutil -decode
  • Two - Rundll32

After getting all the necessary values from the Word content, all the non-encoded strings are deleted (ActiveDocument.Range(Start:=0, End:=3561).Delete). This complicates reverse engineering and non advanced forensic tooling as the document will not be of any good after its first execution.

At that point, the encoded Base64 is saved into text files with an xls and doc extension by utilizing a SaveAs2 wrapper function – SaveAs3. In our case it was C:\Users\Public\Ksh1.xls and C:\Users\Public\Ksh1.doc respectively.

Figure 6: The encoded Bas64 is saved into text files.

The next stage is executed by utilizing the Create method of the WMI Process class to initiate a new process, which is described by the command line parameter (in our case it's the Task parameter).

The method is executed twice:

  • Execution of a Certutil process, a known way to utilize windows processes to encode and decode base64 text, used to decode the base64 encoded dll downloader that will be added a .pdf extension; Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf.
  • Execution of the decoded dll by using Rundll32 with “In” as the exported function. In other cases we identified similar dlls with modified export name and a slightly different functionality dropping emotets (will be described in the next section)

A delay of six seconds is introduced between the calls through the utilization of the Sleep function.

Figure 7: Trickbot downloader

Trickbot Downloader:

The Trickbot downloader is a very thin 12kb dll that masquerades under a pdf file extension (as described above).

It implements 3 functions;

Generating the Trickbot directory:

Figure 8: Generating the Trickbot directory

Downloading the Trickbot/Emotet or other payloads exe/dll:

Figure 9: Downloading the payload

Executing the Trickbot exe/dll:

In some cases it utilizes regsvr32 for the execution of the downloaded dlls.

Figure 10: Executing the Trickbot exe/dll

Conclusion

Trickbot & Emotet are two of the most damaging trojans active today. These phishing attacks further indicate this truth, and showcase the ability of threat actors to circumvent detection-centric solutions through innovative methods.

Morphisec customers can remain confident that they are protected from these two trojans through the application of our patented moving target defense technology.

IOCs

Documents:

6DBDD1EFCAB25EAAEC2217E9BCBF0718

C773128BFE2A0B16CC892D89A1A46DA6

Trickbot Downloader:

97905289B5C3B70769C8EDC70C9CB663

13EE7F7D24B46810BC244BA0423DC88A

Trickbot Downloader Patterns:

Rundll32 C:\Users\Public\Ksh1.pdf,In

Rundll32 C:\Users\Public\4s1d.pdf,Bi

Trickbot Download URL:

hxxp://178.62.19[.]66/campo/v/v

hxxp://178.62.19[.]66/campo/a/a

Trickbot execution patterns:

C:\Users\Public\cs5.exe

C:\Windows\System32\regsvr32.exe /i C:\Users\Public\m2n\m2n.dll

Trickbot Malware:

5ec3fca3f0fa3232c85ace8ea62056223149452b70bee259706984e2c96e1998

Trickbot config:

L1 c2’s

103.130.114[.]106:449

103.221.254[.]102:449

103.36.48[.]103:449

103.87.169[.]150:449

107.174.196[.]242:443

110.232.249[.]13:449

112.109.19[.]178:449

121.101.185[.]130:449

158.181.155[.]153:449

177.190.69[.]162:449

180.211.170[.]214:449

180.211.95[.]14:449

183.81.154[.]113:449

185.164.32[.]214:443

185.164.32[.]215:443

185.205.209[.]241:443

186.159.8[.]218:449

187.109.119[.]99:449

194.5.249[.]174:443

195.123.240[.]252:443

195.123.241[.]187:443

195.123.241[.]90:443

198.46.198[.]139:443

200.116.159[.]183:449

200.116.232[.]186:449

212.22.70[.]65:443

220.247.174[.]12:449

27.147.173[.]227:449

36.94.33[.]102:449

45.127.222[.]8:449

45.138.158[.]32:443

45.148.120[.]195:443

5.149.253[.]99:443

5.34.178[.]126:443

51.89.177[.]20:443

82.146.46[.]220:443

86.104.194[.]116:443

88.247.212[.]56:449

92.62.65[.]163:449

Pwgrab:

<mcconf><ver>1000513</ver><gtag>da6</gtag><servs><srv>51.89.177[.]20:443</srv><srv>194.5.249[.]174:443</srv><srv>107.174.196[.]242:443</srv><srv>185.205.209[.]241:443</srv><srv>82.146.46[.]220:443</srv><srv>5.34.178[.]126:443</srv><srv>212.22.70[.]65:443</srv><srv>195.123.241[.]90:443</srv><srv>185.164.32[.]214:443</srv><srv>198.46.198[.]139:443</srv><srv>195.123.241[.]187:443</srv><srv>86.104.194[.]116:443</srv><srv>195.123.240[.]252:443</srv><srv>185.164.32[.]215:443</srv><srv>45.148.120[.]195:443</srv><srv>45.138.158[.]32:443</srv><srv>5.149.253[.]99:443</srv><srv>92.62.65[.]163:449</srv><srv>88.247.212[.]56:449</srv><srv>180.211.170[.]214:449</srv><srv>186.159.8[.]218:449</srv><srv>158.181.155[.]153:449</srv><srv>27.147.173[.]227:449</srv><srv>103.130.114[.]106:449</srv><srv>103.221.254[.]102:449</srv><srv>187.109.119[.]99:449</srv><srv>220.247.174[.]12:449</srv><srv>183.81.154[.]113:449</srv><srv>121.101.185[.]130:449</srv><srv>200.116.159[.]183:449</srv><srv>200.116.232[.]186:449</srv><srv>103.87.169[.]150:449</srv><srv>180.211.95[.]14:449</srv><srv>103.36.48[.]103:449</srv><srv>45.127.222[.]8:449</srv><srv>112.109.19[.]178:449</srv><srv>36.94.33[.]102:449</srv><srv>110.232.249[.]13:449</srv><srv>177.190.69[.]162:449</srv></servs><autorun><module name="pwgrab"/></autorun></mcconf>