Security

August 05, 2021

4 Minute Read

Trickbot Detections: Threat Research Release, July 2021

Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.

Criminal gangs are constantly improving their ways of delivering malicious code to victims. The delivery of this code is fundamental in order to subsequently install payloads that maximize the effect of exploitation and allows them to move laterally, and install further crimeware to quickly reap profits such as crypto mining, ransomware, data exfiltration, or even more sophisticated payloads such as banking fraud web injects. The Splunk Threat Research Team (STRT) addressed Trickbot in the July release. Trickbot is a very popular crimeware carrier (Trojan) associated with current campaigns.

Watch the video to understand how STRT has developed TrickBot detections for Splunk by using the Splunk Attack Range to collect the generated logs, and reverse engineering TrickBot examples.

What is a Trickbot?

Trickbot crimeware is a popular crimeware carrier — aka trojan — that has gained popularity in the criminal underground. Dating back to 2016, Trickbot is related to the banking malware DYREZA, which derives from the Zeus trojan. Both are incredibly effective at infecting and propagating botnets — one of the main financial drivers of the cybercriminal underground and the crimeware as a service economy. Initially focused on DDoS and Carding, botnets nowadays are mostly focused on crypto mining and ransomware. These two criminal vectors usually provide quick rewards to groups behind these botnets.

The effectiveness of trickbot crimeware comes basically in its stealthiness and versatility in installing payloads for further lateral movement and post-exploitation profit-driven activities such as cryptocurrency, ransomware, or banking fraud. STRT developed an analytic story targeting Trickbot TTPs. Also, STRT produced a whitepaper where there are further details on Trickbot modules and capabilities including the new Banking Web Injects.

Detections

The Splunk Threat Research Team has developed an Analytic Story to detect a TrickBot threat. This story is composed of the following searches:

Detection	Techniques	Tactic(s)	Notes
Detection of Office Application Spawn rundll32 Process (new)	T1566.001	Initial Access	Detects Run Dynamic Link Library 32 child process via Microsoft Office App
Detect Wermgr Process Connecting to Check IP Services (new)	T1590.005	Reconnaissance	Detects the use of Windows Error Manager executable to elicit a connection to an external service to determine the victim’s external IP address
Wermgr Process Create Executable File (new)	T1027	Defense Evasion	Detects the use of Windows Error Manager that creates executable files
Wermgr Process Spawned CMD Or Powershell Process (new)	T1059	Execution	Detects the use of Windows Error Manager to spawn a terminal session or Powershell Process
Schedule Task With Rundll32 Command Trigger (new)	T1053	Execution, Persistence, Privilege Escalation	Detects the creation of a scheduled task where rundll32.exe is used to execute or spawn another process
Powershell Remote Thread To Known Windows Process (new)	T1055	Defense Evasion, Privilege Escalation	Detects PowerShell process injection in some known windows processes
Write Executable in SMB Share (new)	T1021.002	Lateral Movement	Detects the creation of an executable targeting SMB Share
Trickbot Named Pipe (new)	T1055	Defense Evasion, Privilege Escalation	Detects the creation of a Named Pipe or inter-process communication associated with the execution of Trickbot
Plain HTTP POST Exfiltrated Data (new)	T1048.003	Exfiltration	Detects the use of the HTTP POST method to exfiltrate data
Account Discovery With Net App (new)	T1087.002	Discovery	Detects the use of a series of net commands for account discovery on the infected machine
Suspicious Rundll32 Startw (Existing)	T1218.011	Defense Evasion	Detects Rundll32 with "StartW" parameter
Office Document Executing Macro Code (Existing)	T1566.001	Initial Access	Detects MS Office that executes macro code
Cobalt Strike Named Pipes (Existing)	T1055	Defense Evasion, Privilege Escalation	Detects Common Cobalt Strike named pipes
Suspicious Rundll32 Dllregisterserver (Existing)	T1218.011	Defense Evasion	Detects Rundll32 with "dllregisterserver" parameter
Attempt to Stop Security Service (Existing)	T1562.001	Defense Evasion	Detects Security Service termination

Responding to Trickbot with Automated Playbooks

The following community Splunk SOAR playbooks can be used against Trickbot.

Name	Technique ID	Tactic	Description
Malware Hunt and Contain	T1204	Execution	This playbook hunts for malware across managed endpoints, disables affected users, shuts down their devices, and blocks files by their hash from further execution via Carbon Black.
Email Notification For Malware	T1204	Execution	This playbook tries to determine if a file is malware and whether or not the file is present on any managed machines. VirusTotal "file reputation" and PAN WildFire "detonate file" are used to determine if a file is malware, and CarbonBlack Response "hunt file" is used to search managed machines for the file. The results of these investigations are summarized in an email to the incident response team.
Ransomware: Investigate and Contain	T1204, T1486	Execution, Impact	This playbook detonates a file, and if it determines it is malicious, it blocks the hash from further execution, blocks any IPs it calls out to, hunts across your environment for other instances of the file, terminates any running executions of it, blocks any IPs it has made connections to, and quarantines affected devices.

Why Should You Care About Trickbot?

As one of the most popular crimeware carriers, trickbot is constantly being deployed and updated to avoid detection and deploy newer and more effective post-exploitation payloads. It is very likely that Trickbot will remain one of the main players in exploitation campaigns and continues to expand its use in the crime as a service market.

For a full list of security content, check out the release notes on Splunk Docs:

3.20.0 (part of May release, where the TrickBot detections first got released)
3.25.0
3.25.1
3.26.0

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the whole threat research team Jose Hernandez, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Teoderick Contreras, Lou Stella and Patrick Bareiss for their contribution to this release.

Splunk Threat Research Team

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Staff Picks for Splunk Security Reading July 2018

A selection of presentations, white papers and blog posts you might have missed in this month (or before), handpicked from the Splunk security world

Security 6 Min Read

Staff Picks for Splunk Security Reading May 2020

Check out our favorite May 2020 security-centric presentations, white papers and customer case studies from the Splunk (or not) security world.

Security 2 Min Read

Balancing Digital Advances with Security Exposure Takes 2020 Vision

Splunk has joined forces with other IT and OT security firms to charter and evolve the Operational Technology Cyber Security Alliance (OTCSA).

About Splunk

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Learn more about Splunk