A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies – Check Point Research

Check Point Research analyzes TrickBot’s modular architecture and anti-analysis techniques, highlighting how TrickBot targeted customers of 60 high-profile financial and tech companies using web-injects and credential theft. The article describes key modules like injectDll, tabDll, and pwgrabc, anti-deobfuscation tricks, RC4-encrypted payloads, and LSASS-based credential dumping used to spread and exfiltrate data. #TrickBot #Emotet #Amazon #JPMorganChase

Keypoints

  • TrickBot is a highly modular malware with 20+ downloadable modules and targeted operations affecting customers of 60 high-profile financial and technology brands.
  • The analysis focuses on three modules—injectDll, tabDll, and pwgrabc—and their anti-analysis and evasion techniques that explain TrickBot’s persistence and reach.
  • injectDll performs browser data injection (web-injects) to steal banking and credential data, with a two-phase configuration evolving from sinj/dinj (before 2020) to winj (2021) via C2.
  • Web-injects are loaded from a crafted URL and mimic legitimate libraries; the second stage targets specific sites (e.g., Amazon) and exfiltrates the captured credentials to the C2 in an RC4-encrypted payload.
  • pwgrabc aggregates credential theft across a wide set of apps (Chrome, Edge, Firefox, Outlook, TeamViewer, OpenVPN, KeePass, etc.), enabling operators to access sensitive portals.
  • Anti-deobfuscation and anti-analysis methods (including referer checks for C2 responses) demonstrate sophisticated defense-evasion techniques and deep code-level obfuscation strategies.

MITRE Techniques

  • [T1056.003] Input Capture – Web Form Data – Collects information from the login action and saves the ‘ap_email’ and ‘ap_password’ fields for a C2 payload. ‘collects information from the login action and saves the ap_email and ap_password fields for a C2 payload’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The payload is minified, obfuscated, and contains anti-deobfuscation techniques. ‘The payload which is injected to the page is minified… obfuscated, and contains anti-deobfuscation techniques.’
  • [T1036] Masquerading – The script disguises itself as a well-known legitimate JavaScript jQuery library. ‘The name of the script disguises itself as a well-known legitimate JavaScript jQuery library.’
  • [T1003.001] OS Credential Dumping – Grabs the credentials from the LSASS application memory using the mimikatz technique. ‘Grabs the credentials from the LSASS application memory using the mimikatz technique.’
  • [T1210] Exploitation of Remote Services – EternalRomance exploit to spread via the SMBv1 network share. ‘EternalRomance exploit to spread via the SMBv1 network share.’
  • [T1027] Obfuscated/Compressed Files and Information – The code uses obfuscation with anti-deobfuscation techniques; obfuscation level fluctuates with encryption keys. ‘minified, obfuscated, and contains anti-deobfuscation techniques’ and ‘The obfuscation level decreased when a botnet operator used a random key for string encryption algorithm.’

Indicators of Compromise

  • [Domain] C2 domains – myca.adprimblox.fun, akama.pocanomics.com
  • [Hash] C2/payload-related hash – 524A79E37F6B02741A7B6A429EBC2E33306068BDC55A00222B6C162F396E2736
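The indicators above are only useful once they are matched against telemetry, and naive substring matching on hostnames produces false positives (a lookalike such as `fakeakama.pocanomics.com` contains the IoC string but is not a subdomain of it). The following is an added example, not Check Point's tooling: it normalizes hostnames and hashes, matches proxy log entries on exact or parent-domain equality only, and reports the requested path so an analyst can see a masquerading script name like the jQuery lookalike the article describes. The log format and all log lines are constructed for the example.

```python
"""
Match the TrickBot IoCs from this summary (two C2 domains, one SHA-256)
against constructed proxy log lines and file hashes.
Added example code; not from the Check Point Research article.
"""
import hashlib

# Indicators of compromise listed on the page. Hashes are stored lowercase so
# comparisons are case-insensitive regardless of how a feed formats them.
C2_DOMAINS = {"myca.adprimblox.fun", "akama.pocanomics.com"}
PAYLOAD_SHA256 = {
    "524A79E37F6B02741A7B6A429EBC2E33306068BDC55A00222B6C162F396E2736".lower()
}

# Constructed sample log (not from the article). Format assumed for the example:
# "<timestamp> <source_ip> <destination_host> <request_path>"
SAMPLE_PROXY_LOG = """\
2022-02-16T10:01:02Z 10.0.0.5 www.example.com /index.html
2022-02-16T10:01:07Z 10.0.0.5 myca.adprimblox.fun /static/jquery.min.js
2022-02-16T10:02:11Z 10.0.0.9 cdn.AKAMA.pocanomics.com. /inj
2022-02-16T10:03:40Z 10.0.0.7 fakeakama.pocanomics.com /login
2022-02-16T10:04:02Z 10.0.0.7 akama.pocanomics.com.example.net /x
"""


def domain_matches(host, iocs):
    """Return the IoC domain that `host` equals or is a subdomain of, else None.

    Hostnames are lowercased and a trailing dot (FQDN form) is stripped.
    Only exact matches and label-boundary suffix matches count, so
    'fakeakama.pocanomics.com' does NOT match 'akama.pocanomics.com'.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(text):
    """Return one dict per log line whose destination host matches a C2 IoC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        ts, src, host, path = parts[:4]
        ioc = domain_matches(host, C2_DOMAINS)
        if ioc:
            hits.append({"ts": ts, "src": src, "host": host, "path": path, "ioc": ioc})
    return hits


def hash_is_ioc(hexdigest):
    """True if the given SHA-256 hex string (any case) is a listed payload hash."""
    return hexdigest.strip().lower() in PAYLOAD_SHA256


def check_file_hash(data):
    """Hash file bytes and return the matching IoC hash, or None."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if hash_is_ioc(digest) else None


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']}{hit['path']}  [IoC: {hit['ioc']}]")
    print("benign bytes match:", check_file_hash(b"not the payload"))
```

Run as-is, the scan reports the second and third lines (the FQDN with a trailing dot and mixed case still matches) and ignores the two lookalike hosts. The path column is what makes the first hit actionable: a request for `jquery.min.js` from a known C2 domain is exactly the masquerading pattern the summary calls out, and it is worth preserving in the alert rather than collapsing the match to a bare domain.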

Read more: https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/