Authors: Irfan Asrar, Mehdi Ansari
TrickBOT has started off the new year with an aggressive campaign targeting North America. Spam distributing a malicious Excel document from fake domains pretending to be JP Morgan Chase and Bank of America serves as the first stage; this was seen as early as Jan 27th with peak volumes occurring around the 30th.
When the Excel document is executed, it pursues the user to enable macros and then attempts to download the TrickBOT payload. The payload is served through several compromised sites including the official website of a local law enforcement agency in Texas. On discovering the compromise, we reached out to them to let them know about the infection.
Already known for evasion and anti-debugging techniques, the authors behind TrickBOT continue to develop the malware by adding features. The new variant benefits from improved encryption techniques to protect the the PowerShell executed by the macro, and uses an updated password-stealing module. The new improvements resulted in effective evasion for the new variants as is evident by the low detection coverage when first uploaded. Figure 1 illustrates the Threat Detection Profile (TDP) of the new malware variant over the first 36 hours since being first shared publicly.
The Threat Detection Profile of the examined samples have coverage rates starting as low as 10% and it took more than 24 hours to reach 50% coverage.
Deep Learning Inspection in Action
One of the key pillars of Blue Hexagon is performing deep learning inspection to the complete network flow (both protocols and payloads jointly). This complete picture of an attack delivers very high efficacy threat verdicts and makes it harder for an adversary to evade us. The protocol models focus on inspecting “how” a threat is delivered and communicates while the payload models focus on “what” the threat looks like.
Blue Hexagon proactively detected the latest campaign of TrickBOT. Interestingly, in this threat, the protocol models correctly classified the delivery method as benign since it was being delivered from an otherwise benign website belonging to a CPA firm as well as local law enforcement website that had been compromised to host the payload. On the other hand, the payload model was very confident about the payload representing a threat resulting in the joint verdict being malicious. Our Deep Learning Introspection module also identified the payload as a new variant of the TrickBOT family. It is also worth noting that our legacy models that were trained months ago are also capable of detecting the new threat variants, despite the sophisticated evasion tactics used in the new variants.
Let’s compare how distinctive various groups of payload samples are before and after applying Blue Hexagon’s deep learning inspection. We depicted a sample of the new variant of TrickBOT, samples of the old TrickBOT family as well as some generic malicious and benign samples in a 3D projection of the feature space and the embedding space (Figure 3.1 and Figure 3.2, respectively). Feature space represents the input to our model and embedding space represents the output. From the graph we can observe that the new variant of TrickBOT is mixed with other benign and malicious samples and it is dissimilar to the samples of its own family in the feature space (Figure 3.1). However, it is well separated along with its family after applying our deep learning model (Figure 3.2). This clearly shows the robustness of our model whenever new payload variations pops up.
Figure 3.1 Feature Space Introspection Figure 3.2 Embedding Space Introspection
Future Distribution Tactics
Compared to previous campaigns, there is a distinct shift in tactics. There has always been a unique focus on European banks by TrickBOT more than North American banks, but after a few days of monitoring, we still have not seen the new campaign move into Europe. We expect the next big push will be using themes around European banks; if not, this will signal a new direction as far as business tactics go for the authors of TrickBOT.
We will continue monitoring developments. Additional details or information on this threat family can be obtained by contacting Blue Hexagon Labs.