Soon after being found to have worm-like spreading capabilities, the TrickBot banking Trojan has expanded its attack surface to target Outlook and Web browsing data.
While TrickBot has been an active threat for less than a year, its developers, supposedly the Dyre group, have been actively adding new capabilities to it. Earlier this year, they expanded the target list to hit private banking and payment processors, in addition to CRM providers.
Independent researcher and programmer Hasherezade now reveals that the malware authors have added new modules to their creation and might have also added new developers to its team. A newly observed Outlook.dll module, for example, is written in Delphi, unlike most of the components, which are written in C++.
The security researcher says that the current run comes with 5 modules: SystemInfo.dll and loader.dll (injectDll32), which have been observed in TrickBot since the very beginning, mailsearcher.dll, added in December 2016, and two modules that haven’t been observed before, namely module.dll and Outlook.dll.
According to Hasherezade, module.dll/importDll32 is written in C++ and compiled with Qt5 and OpenSSL. It also incorporates SQLite. The compilation timestamp suggests it was written in May 2017.
The module was designed to steal data from the browsers, including Cookies, HTML5 Local Storage, Browsing History, Flash LSO (Local Shared Objects), and URL hits, among other info. The module is bulky and doesn’t hide its intentions.
“In contrary to loader.dll/injectDll, which is modular and stores all the scripts and targets in dedicated configuration files, module.dll/importDll32 comes with all the data hardcoded. For example, we can find inside the binary a very long list of targets – websites from countries all around the world – France, Italy, Japan, Poland, Norway, Peru and more,” the researcher reveals.
The module creates a hidden desktop and uses it as a workspace to open and fingerprint browsers in such a way that the user isn’t aware of the malicious activity.
Written in Delphi, the Outlook.dll module contains a hardcoded configuration that follows a pattern typical for TrickBot modules. Designed to steal data saved by Microsoft Outlook, the module opens relevant registry keys, then attempts to retrieve saved credentials.
“TrickBot’s new modules are not written very well and they are probably still under development. The overall quality of the design is much lower than the quality of the earlier code. For example, module.dll is bulky and does not follow the clean modular structure introduced by TrickBot before. Also, they make use of languages and libraries that are easier – Qt instead of native sockets for module.dll, Delphi language for Outlook.dll,” Hasherezade points out.
The findings are in line with Flashpoint’s report last week, which revealed that TrickBot’s authors were working on implementing a worm module to abuse the Server Message Block (SMB) protocol to spread locally, but that the logic to randomly scan external IPs for SMB connections wasn’t yet ready.
The changes suggest that new members were added to the TrickBot development team, but that some of them are lower quality programmers, or that the team is only experimenting with new capabilities. “TrickBot is still actively maintained and it is not going to leave the landscape any soon,” Hasherezade concludes.
