TrickBot Attack Chain: Deconstructed & Mitigated

TrickBot is one of the most prevalent and effectively used malware threats today. This blog will deconstruct the TrickBot attack chains, identify the MITRE ATT&CK techniques leveraged, and explain how to mitigate these threats.

Trickbot Overview

Trickbot (also known as TrickLoader, Trickster) is a banking trojan which first appeared in late 2016 and was seen in our labs in early 2017. TrickBot initially appeared to be very similar to Dyre, an earlier malware strain which, in turn, was closely linked to the Zeus malware family. So, Trickbot is the latest in a long line of banking trojans that have evolved over more than a decade.

The early versions of TrickBot were technically effective, however, limited in attack scope as they only focused on a subset of regional banks in the US. As with most banking trojans, TrickBot maintains a list of target websites, which it intercepts and manipulates to capture information and misdirect transactions.

Over time, the TrickBot malware has continued to evolve to target an ever-changing list of online banks. The malware has also incorporated new functionalities, including:

• Email and browser data theft
• Cryptocurrency theft targeting coinbase.com
• EternalBlue exploit for lateral movement
• Active Directory database theft module “ADll”
• Real-time config via Command and Control Server (C2)
• Disabling security controls
• Encrypting data (Ryuk malware)

TrickBot has not only become a highly capable banking trojan, but thanks to its stealthy modular components, it is also being used for active reconnaissance, data exfiltration, lateral movement, and ransomware delivery. This represents part of a growing trend towards threat actors establishing widespread compromise of a network, then selling the backdoor access to the highest bidder.

The most common distribution method for TrickBot is Microsoft Office files (almost always Word documents containing malicious macros) via email. This method requires interaction from the user to enable content in the document to run. To ensure that the user enables the content, various social engineering tactics are used. The most common social engineering tactic TrickBot leverages at this stage is claiming either that Office has been updated or an upgrade is required and the user must enable editing and content to complete the update. Other, less common, variants use fake invoices or UPS delivery notes.

Here’s the simple sequence of attack chain steps shown in Figure 3 below:

1. Phishing email about a property lease (German language), with attached Word document of the lease agreement
2. User opens the Word document
3. Content in the document socially engineers users by claiming they need to enable macros to activate Word.
4. Once enabled the macro will drop a script file (.cmd) to disk and launch the Windows Command Processor to execute the script.
5. Windows Command Processor is then used to download and launch the main malware payload from a web server.

How TrickBot relies on admin account abuse

TrickBot depends on administrator privileges to embed itself within the operating system, disable antivirus controls, steal credentials, and perform other nefarious activities. TrickBot can only succeed if the user has administrative rights.

We have observed Trickbot using a couple of different UAC bypass techniques to silently elevate the malwares privileges without alerting the usage. UAC bypasses typically exploit trusted Microsoft applications that are allowed to elevate their privileges without triggering a UAC authorization message for the end user.

Let’s dive into how TrickBot uses a combination of native Windows applications and the user’s administrator privileges to silently relaunch itself as a privileged process on the system.

Technique 1: Features On-Demand Helper (Fodhelper.exe) UAC Bypass

MITRE Technique: T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

Features On Demand Helper (Fodhelper.exe) is an application that is included in the Windows OS. When a user launches Fodhelper.exe the application checks for and executes commands stored in the following registry entries:

HKCU:\Software\Classes\ms-settings\shell\open\command

HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute

HKCU:\Software\Classes\ms-settings\shell\open\command\(default)

By default, these registry entries do not exist however they are in a user writable part of the registry. This means that Trickbot can write a command to launch itself into these registry entries. Then TrickbBot launches Fodhelper.exe which as an approved Microsoft application is elevates to run with a high level of privilege without triggering a UAC prompt for the end user, this, in turn, executes the command in the registry entry launching Trickbot with the same level of privilege without alerting the user.

Technique 2: Windows Store cache (Wsreset.exe) UAC Bypass

MITRE Technique: T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control

During early 2020, Trickbot also started exploiting a second UAC bypass using the more recently discovered Wsreset.exe bypass. This is similar to Fodhelper.exe in that it is installed in Windows by default and trusted to elevate without prompting the user. Just as with the previous technique, when launched, Wsreset.exe will read and execute commands from a user writable registry key, allowing an attacker to silently elevate their payload. This time the key is stored:

HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command

Once Trickbot has gained elevation via a UAC bypass it now has the administrator privileges required to make significant changed to the system. It uses these to great effect by disabling ITsecurity settings and tools. Let’s have a look at what is does and how it does it.

Technique 3: Disabling Security

MITRE Technique: T1562.001 - Disable or Modify Tools

Since 2019, Trickbot has included capabilities to disable the services and processes associated with common cybersecurity tools such, as AV. This is a fairly common Defense Evasion tactic to reduce the risk of being discovered and to lay the groundwork for future payloads. TrickBot’s primary target is Windows Defender and many of the native protections that it enables for the Windows operating system.

Using a combination of registry entries and PowerShell commands TrickBot will attempt to disable many Windows Defender protections including:

• DisableBehaviorMonitoring: Disables behavior monitoring in Windows Defender
• DisableOnAccessProtection: Disables scanning when you open apps or files
• DisableScanOnRealtimeEnable: Disables process scanning protection
• DisableIntrusionPreventionSystem: Disables network protection for known exploits
• DisableScriptScanning: Disables the scanning of scripts
• DisableIOAVProtection: Disables scans of downloaded files and attachments

Once these controls are disabled, the attacker will be able to further extend their foothold on the system and introduce new payloads, without risk of detection.

TrickBot also uses the Image File Execution Options registry key to attach a fake debugger to a number of AV and IT security tools. When Windows attempts to launch the security tool, the fake debugger application will be launched first, as it is fake and does not exist, the security tool will fail to launch. This is an elegant way to disable security tools, without having to uninstall or remove them.

At this point, TrickBot has gained initial access and execution on the system.Then it has performed privilege escalation via a UAC bypass and defensive evasion by disabling security controls and tools. Now, the malware effectively owns the system and can launch one of its many modules to steal data, harvest credentials, inject malicious code into banking websites, launch a ransomware payload, etc.

No privileges, no tricks

Most of TrickBot’s capabilities require the user having administrator privileges that can be exploited by the malware. This is a good example of how many organizations will undermine their investment in endpoint security tools by providing users with local administrator accounts, which can then be exploited by an attacker to disable almost any endpoint controls.

The UAC bypasses exploit users with local administrative privileges, this can be mitigated by using an Endpoint privilege management solution to remove the users’ local administrative privileges and apply more granular privileges to elevate only the tasks and tools required. MITRE calls out using Privileged Account Management to mitigate against T1548.002 by removing users from the local administrator group on systems.

The UAC bypasses shown above would be easily prevented by a robust endpoint pivilege management solution that is able to control the privileges of child processes. This would still allow the legitimate Windows application to execute and elevate without allowing malware payloads to tag along. This privilege management capability prevents the malware from easily achieving privilege escalation and, in turn, thwarts their attempts to disable security controls.

With administrator privileges removed, the attack surface is greatly reduced and we can layer on application control to prevent unknown applications, like the malware payload, from executing in the first place. When malware can’t easily execute, elevate, or evade your endpoint is far better protected.

To learn how BeyondTrust Endpoint Privilege Management dials in precise privileged access controls and stops internal and external threat actors in their tracks, watch the demo video, or visit our site.

Related Reading

How to Protect against EMOTET - “The World’s Most Dangerous Malware” (blog)

Malware Threat Report 2021 (research report)

A Guide to Endpoint Privilege Management (white paper)