
TrickBot Attack Chain: Deconstructed & Mitigated

September 30, 2021

TrickBot is one of the most prevalent and effectively used malware threats today. This blog will deconstruct the TrickBot attack chains, identify the MITRE ATT&CK techniques leveraged, and explain how to mitigate these threats.

Trickbot Overview

Trickbot (also known as TrickLoader, Trickster) is a banking trojan which first appeared in late 2016 and was seen in our labs in early 2017. TrickBot initially appeared to be very similar to Dyre, an earlier malware strain which, in turn, was closely linked to the Zeus malware family. So, Trickbot is the latest in a long line of banking trojans that have evolved over more than a decade.

The early versions of TrickBot were technically effective but limited in attack scope, as they focused only on a subset of regional banks in the US. As with most banking trojans, TrickBot maintains a list of target websites, which it intercepts and manipulates to capture information and misdirect transactions.

Over time, the TrickBot malware has continued to evolve to target an ever-changing list of online banks. The malware has also incorporated new functionalities, including:

  • Email and browser data theft
  • Cryptocurrency theft targeting coinbase.com
  • EternalBlue exploit for lateral movement
  • Active Directory database theft module “ADll”
  • Real-time config via Command and Control Server (C2)
  • Disabling security controls
  • Encrypting data (Ryuk malware)

TrickBot has not only become a highly capable banking trojan, but thanks to its stealthy modular components, it is also being used for active reconnaissance, data exfiltration, lateral movement, and ransomware delivery. This represents part of a growing trend towards threat actors establishing widespread compromise of a network, then selling the backdoor access to the highest bidder.

The most common distribution method for TrickBot is Microsoft Office files (almost always Word documents containing malicious macros) via email. This method requires interaction from the user to enable content in the document to run. To ensure that the user enables the content, various social engineering tactics are used. The most common social engineering tactic TrickBot leverages at this stage is claiming either that Office has been updated or an upgrade is required and the user must enable editing and content to complete the update. Other, less common, variants use fake invoices or UPS delivery notes.

Figure 1: Example of a TrickBot “UPS Invoice” (MD5: 6699fdf727451b58e3071957364fb5c4)
Figure 2: Example of a TrickBot German language campaign (MD5: 4faf7bbebcbceb84a20d23c76a000bfb)

Here’s the simple sequence of attack chain steps shown in Figure 3 below:

  1. Phishing email about a property lease (German language), with attached Word document of the lease agreement
  2. User opens the Word document
  3. Content in the document socially engineers users by claiming they need to enable macros to activate Word.
  4. Once enabled, the macro drops a script file (.cmd) to disk and launches the Windows Command Processor to execute the script.
  5. Windows Command Processor is then used to download and launch the main malware payload from a web server.
Figure 3: Attack chain for Trickbot sample Jan 2020 (MD5: 4faf7bbebcbceb84a20d23c76a000bfb)

How TrickBot relies on admin account abuse

TrickBot depends on administrator privileges to embed itself within the operating system, disable antivirus controls, steal credentials, and perform other nefarious activities. TrickBot can only succeed if the user has administrative rights.

We have observed Trickbot using a couple of different UAC bypass techniques to silently elevate the malware's privileges without alerting the user. UAC bypasses typically exploit trusted Microsoft applications that are allowed to elevate their privileges without triggering a UAC authorization prompt for the end user.

Let’s dive into how TrickBot uses a combination of native Windows applications and the user’s administrator privileges to silently relaunch itself as a privileged process on the system.


Technique 1: Features On-Demand Helper (Fodhelper.exe) UAC Bypass

MITRE Technique: T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

Features On Demand Helper (Fodhelper.exe) is an application included in the Windows OS. When a user launches Fodhelper.exe, the application checks for and executes commands stored in the following registry entries:

  • HKCU:\Software\Classes\ms-settings\shell\open\command
  • HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute
  • HKCU:\Software\Classes\ms-settings\shell\open\command\(default)

By default, these registry entries do not exist; however, they sit in a user-writable part of the registry. This means that Trickbot can write a command to launch itself into these registry entries. TrickBot then launches Fodhelper.exe which, as an approved Microsoft application, elevates to run with a high level of privilege without triggering a UAC prompt for the end user. This, in turn, executes the command in the registry entry, launching Trickbot with the same level of privilege without alerting the user.

Figure 4: Example of Trickbot Fodhelper UAC bypass


Technique 2: Windows Store cache (Wsreset.exe) UAC Bypass

MITRE Technique: T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control

During early 2020, Trickbot also started exploiting a second UAC bypass using the more recently discovered Wsreset.exe bypass. This is similar to Fodhelper.exe in that it is installed in Windows by default and trusted to elevate without prompting the user. Just as with the previous technique, when launched, Wsreset.exe will read and execute commands from a user-writable registry key, allowing an attacker to silently elevate their payload. This time the key is:

HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command

Figure 5: Example of Trickbot Wsreset UAC bypass
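The two bypass keys above are absent on a clean system, so a simple presence check is a useful detection. The following audit script is an added example written for this post, not BeyondTrust or TrickBot code; it assumes it is run as the user being checked, and the optional -Remediate switch is a hypothetical name chosen here.

```powershell
# Added example (not from the original post): audit the user-writable registry keys that
# Fodhelper.exe and Wsreset.exe consult. Neither exists by default, so any command found
# here deserves investigation. Run in the context of the user whose HKCU hive is checked.
$Targets = @(
    @{ Technique = 'Fodhelper.exe UAC bypass (T1548.002)'
       Key = 'HKCU:\Software\Classes\ms-settings\shell\open\command' },
    @{ Technique = 'Wsreset.exe UAC bypass (T1548.002)'
       Key = 'HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' }
)

function Get-UacBypassIndicator {
    [CmdletBinding()]
    param(
        [hashtable[]]$Target = $Targets,
        [switch]$Remediate   # hypothetical switch: delete a suspicious key after reporting it
    )
    foreach ($t in $Target) {
        if (-not (Test-Path -LiteralPath $t.Key)) {
            [pscustomobject]@{ Technique = $t.Technique; Key = $t.Key; Present = $false
                               Command = $null; DelegateExecuteSet = $false }
            continue
        }
        $props = Get-ItemProperty -LiteralPath $t.Key
        # '(default)' holds the command the trusted helper will execute on launch.
        [pscustomobject]@{
            Technique          = $t.Technique
            Key                = $t.Key
            Present            = $true
            Command            = $props.'(default)'
            DelegateExecuteSet = [bool]$props.PSObject.Properties['DelegateExecute']
        }
        if ($Remediate) {
            # Removing the key restores the default (non-existent) state for this user.
            Remove-Item -LiteralPath $t.Key -Recurse -Force
        }
    }
}

Get-UacBypassIndicator | Format-List
```

Any result with Present = $true should be treated as an indicator and the command value preserved for investigation before remediation.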

Once Trickbot has gained elevation via a UAC bypass, it has the administrator privileges required to make significant changes to the system. It uses these to great effect by disabling IT security settings and tools. Let's have a look at what it does and how it does it.


Technique 3: Disabling Security

MITRE Technique: T1562.001 - Disable or Modify Tools

Since 2019, Trickbot has included capabilities to disable the services and processes associated with common cybersecurity tools, such as AV. This is a fairly common Defense Evasion tactic to reduce the risk of being discovered and to lay the groundwork for future payloads. TrickBot's primary target is Windows Defender and many of the native protections it enables for the Windows operating system.

Using a combination of registry entries and PowerShell commands, TrickBot will attempt to disable many Windows Defender protections, including:

  • DisableBehaviorMonitoring: Disables behavior monitoring in Windows Defender
  • DisableOnAccessProtection: Disables scanning when you open apps or files
  • DisableScanOnRealtimeEnable: Disables process scanning protection
  • DisableIntrusionPreventionSystem: Disables network protection for known exploits
  • DisableScriptScanning: Disables the scanning of scripts
  • DisableIOAVProtection: Disables scans of downloaded files and attachments

Once these controls are disabled, the attacker will be able to further extend their foothold on the system and introduce new payloads, without risk of detection.

TrickBot also uses the Image File Execution Options registry key to attach a fake debugger to a number of AV and IT security tools. When Windows attempts to launch the security tool, it first tries to launch the registered debugger; because that debugger does not exist, the security tool fails to launch. This is an elegant way to disable security tools without having to uninstall or remove them.
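Both tampering methods leave durable traces in the registry and in Defender's effective configuration. The following audit is an added example written for this post (not BeyondTrust or TrickBot code); it assumes an elevated PowerShell session on a Windows host with Defender, and the policy key path used for the listed setting names is an assumption of the example.

```powershell
# Added example (not from the original post): report the Defender settings listed above
# that are currently disabled, and IFEO "Debugger" entries pointing at files that do not
# exist. Requires an elevated session; Get-MpPreference is the Defender PowerShell cmdlet.
$DefenderSettings = 'DisableBehaviorMonitoring', 'DisableOnAccessProtection',
    'DisableScanOnRealtimeEnable', 'DisableIntrusionPreventionSystem',
    'DisableScriptScanning', 'DisableIOAVProtection'
# Assumed policy location for these value names (written by Group Policy or by tampering).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Image File Execution Options'

function Get-DefenderTamperIndicator {
    $policy = if (Test-Path -LiteralPath $PolicyKey) { Get-ItemProperty -LiteralPath $PolicyKey }
    $prefs  = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($name in $DefenderSettings) {
        # A setting counts as disabled if the policy value is 1 or the live preference is $true.
        $viaPolicy = $policy -and $policy.PSObject.Properties[$name] -and ($policy.$name -eq 1)
        $viaPrefs  = $prefs  -and $prefs.PSObject.Properties[$name]  -and [bool]$prefs.$name
        [pscustomobject]@{ Setting = $name
                           DisabledByPolicy = [bool]$viaPolicy; DisabledInPreferences = [bool]$viaPrefs }
    }
}

function Get-IfeoPhantomDebugger {
    Get-ChildItem -LiteralPath $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath).Debugger
        if (-not $dbg) { return }
        # Debugger is a command line: take the executable (quoted path or first token).
        $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
        $found = (Test-Path -LiteralPath $exe) -or [bool](Get-Command $exe -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg; DebuggerExists = $found }
    } | Where-Object { -not $_.DebuggerExists }   # a missing debugger silently blocks the image
}

Get-DefenderTamperIndicator | Where-Object { $_.DisabledByPolicy -or $_.DisabledInPreferences } | Format-Table
Get-IfeoPhantomDebugger | Format-Table -AutoSize
```

Legitimate IFEO debugger entries exist on developer machines, so review each hit against the image name (security tools are the tell here) rather than deleting blindly.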

At this point, TrickBot has gained initial access and execution on the system. It has then performed privilege escalation via a UAC bypass and defense evasion by disabling security controls and tools. Now, the malware effectively owns the system and can launch one of its many modules to steal data, harvest credentials, inject malicious code into banking websites, launch a ransomware payload, etc.

No privileges, no tricks

Most of TrickBot’s capabilities require that the user has administrator privileges the malware can exploit. This is a good example of how many organizations undermine their investment in endpoint security tools by providing users with local administrator accounts, which an attacker can then exploit to disable almost any endpoint control.

The UAC bypasses exploit users with local administrative privileges. This can be mitigated by using an endpoint privilege management solution to remove the users’ local administrative privileges and apply more granular privileges that elevate only the tasks and tools required. MITRE calls out Privileged Account Management as a mitigation for T1548.002: remove users from the local administrator group on systems.

The UAC bypasses shown above would be easily prevented by a robust endpoint privilege management solution that is able to control the privileges of child processes. This would still allow the legitimate Windows application to execute and elevate, without allowing malware payloads to tag along. This privilege management capability prevents the malware from easily achieving privilege escalation and, in turn, thwarts its attempts to disable security controls.

With administrator privileges removed, the attack surface is greatly reduced, and we can layer on application control to prevent unknown applications, like the malware payload, from executing in the first place. When malware can’t easily execute, elevate, or evade, your endpoint is far better protected.

To learn how BeyondTrust Endpoint Privilege Management dials in precise privileged access controls and stops internal and external threat actors in their tracks, watch the demo video, or visit our site.


James Maude, Lead Cyber Security Researcher

James Maude is the Lead Cyber Security Researcher at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.
