TrickBot

Variations include malware traps to safely ingest and sequester potential malware files or sinkholes to redirect traffic from malicious domains to defender-controlled servers, severing the connection between compromised machines and attacker command-and-control infrastructure.

Trickbot was a sophisticated, modular, multi-functional suite of malware tools which ... (d) used the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts at financial institutions

TrickBot-infected Windows computers will ask for the victims' online banking mobile phone numbers and device types to prompt them to install a bogus security app.

Upon execution it installs itself as a cron job, determines the public ip for the host and then begins to beacon via DNS queries to its C2 server.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."

Several entries explicitly mention malicious macros embedded in Office files, including 'FIN4 has used spearphishing emails containing attachments ... with embedded malicious macros,' 'FIN8 has distributed targeted emails containing Word documents with embedded malicious macros,' and 'TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.'

Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them... APT29 has used various forms of spearphishing attempting to get a user to open attachments... DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.

Upon execution it installs itself as a cron job, determines the public ip for the host and then begins to beacon via DNS queries to its C2 server.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Trickbot was a sophisticated, modular, multi-functional suite of malware tools which ... (d) used the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts at financial institutions

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

The sample also has a Windows version of the malware embedded inside that it can install on remote windows shares and then execute as a service.

Stuxnet uses a driver registered as a boot start service as the main load-point.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.' | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.

Upon execution it installs itself as a cron job, determines the public ip for the host and then begins to beacon via DNS queries to its C2 server.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Thread Local Storage (TLS) callback injection is a technique that entails manipulating pointers within a portable executable (PE) to redirect a process to malicious code before it reaches the code’s legitimate entry point.

Trickbot was a sophisticated, modular, multi-functional suite of malware tools which ... (d) used the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts at financial institutions

The sample also has a Windows version of the malware embedded inside that it can install on remote windows shares and then execute as a service.

Stuxnet uses a driver registered as a boot start service as the main load-point.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder. | Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.' | Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

Thread Local Storage (TLS) callback injection is a technique that entails manipulating pointers within a portable executable (PE) to redirect a process to malicious code before it reaches the code’s legitimate entry point.

Trickbot was a sophisticated, modular, multi-functional suite of malware tools which ... (d) used the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts at financial institutions

The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows. APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. APT28 has used the WindowStyle parameter to conceal PowerShell windows.

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

Given that the trickbot family has a history of harvesting putty credentials ... we see how this can be used to further propagate with in the victims network.

The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content notes checks for whether the current user is an administrator or privileged, including 'AsyncRAT can check if the current user of a compromised system is an administrator,' 'Gelsemium has the ability to distinguish between a standard user and an administrator,' and 'Wizard Spider has used whoami to identify the local user and their privileges.'

anchor_dns is instead replaced with anchor_linux and the uname command is utilized to determine the hostname and linux version.

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

Examples include 'Caterpillar WebShell can obtain a list of user accounts from a victim's machine,' 'DRATzarus can obtain a list of users from an infected machine,' 'Woody RAT can retrieve a list of user accounts and usernames from an infected machine,' and 'TrickBot can identify the user and groups the user belongs to on a compromised host.'

Trickbot was a sophisticated, modular, multi-functional suite of malware tools which ... (c) infected other computers connected to the victim computer

it also contains support for windows execution via smb shares and IPC. The sample also has a Windows version of the malware embedded inside that it can install on remote windows shares and then execute as a service.

The malware is also especially dangerous as it can propagate throughout enterprise networks

The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.

What may be more helpful, though, is the BazarBackdoor APIs and TrickBot command and control server source code that was released, as there is no way to access that info without having access to the threat actor's infrastructure.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

Upon execution it installs itself as a cron job, determines the public ip for the host and then begins to beacon via DNS queries to its C2 server.

APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.

Currently, this Emotet sample receives three commands from the C&C server: Command ID 01: Downloads an executable file and executes it ... Command ID 03: Downloads a module/plugin, loads it and calls to its main function

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.

While active, Trickbot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants, including Conti.

The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.