Search

TrickBot Group Launches Test Module Alerting on Fraud Activity

Updated: Aug 8

Executive Summary

  • On July 10, 2020, according to Advanced Intelligence's Vitali Kremez, it was revealed that sandboxed TrickBot banking malware activity related to the distribution group_tag "chil48" loaded a rather newer mysterious test module, known as "grabber.dll".

  • The module version "0.6.8" is meant for browser stealer activity affecting Google Chrome, Internet Explorer, Mozilla Firefox, Microsoft Edge as well as browser cookies. The module immediately alerted the victim machine of the fraud by opening the browser with the alert message.

  • Advanced Intelligence assesses with high confidence that this module was likely a test module deployed mistakenly alerting on the malware activity during the testing phase.

  • Possible recommendations and mitigation steps include immediate disconnect and forensic investigation of the affected machines.

Background

On July 10, 2020, according to Advanced Intelligence's Vitali Kremez, it was revealed that sandboxed TrickBot banking malware activity related to the distribution group_tag "chil48" loaded a rather mysterious module, known as "grabber.dll". The module version "0.6.8" is meant for browser stealer activity affecting Google Chrome, Internet Explorer, Mozilla Firefox, Microsoft Edge as well as browser cookies.


The signed malware sample that led to the discovery was originally found by MalwareHunterTeam (@malwrhunterteam).

Discovery: New "grabber.dll" Test Module

Strangely enough, the module immediately alerted the victim machine of the fraud by opening the browser with the message:

The malware development module references a plethora of internal C++ code references such as "grabchrome.cpp." The module itself references the usual TrickBot grabber code patterns and functions.

Notably, the malware contains the detailed verbose functionality prompt:

Assessment: TrickBot Group Distribution Mistake?


Advanced Intelligence assesses with high confidence that this module was likely a test module deployed mistakenly alerting on the malware activity during the testing phase due to the typical TrickBot module code patterns. Based on our assessment, it is hypothesized If developed by an outsider coder, this test module possibly reveals the nature of the TrickBot operations as leveraging coders with hiring coders under the ruse of legitimate anti-malware activity development.


As part of the chain, Advanced Intelligence discovered another rather unusually named module "socksbot.dll." This module is meant for Socks5 proxy activity of the TrickBot chain.


We continue closely monitoring for TrickBot activity and malware distributions.

Recommendations & Possible Mitigations

  • The immediate disconnect of the affected machine from the network when observed the fraud message as displayed

  • Full password reset from browsers for any internal and external assets

  • Logged-in session reset to prevent reuse of stolen cookies

Indicators of Compromise (IOCs): grabber.dll (MD5: 57103CAE44BA3FA21804EBC9BF702B1F) socksbot.dll (MD5: 382A62908E86BB1F333EC99B17A38930) TrickBot loader (MD5: 4BE2C925E06F6CABB3D3761B8D3A3D11)

Know Your Adversary & Disrupt Cybercrime Threats

 

© 2020 Advanced Intelligence, LLC.
New York City, NY. All rights reserved.

For media inquiries, please contact us at info@advintel.tech

Reach out and we will set up a platform demo right away
  • Белый LinkedIn Иконка
  • Белый Twitter Иконка