Trickbot Gets Trickier by Adding an Encryption Layer



Figure 4: Dynamically resolving Windows API functions

In conclusion, sometimes changes, even minor ones such as this one, are enough to break a working automation process, and they require some time to investigate. That’s how the malware’s authors gain precious time to defraud unsuspecting victims before security vendors can denylist their servers.

As a reminder, Trickbot consistently uses email spam and phishing campaigns as its initial attack pattern, so it’s imperative that organizations train their users how to recognize potentially faked emails, and not to open suspicious file attachments or click on questionable embedded links. A web application firewall can also help your organization detect and mitigate banking trojans.

MD5: 06ac8be899d6deb26401417ce0d54389

Appendix

Python script to automate the decryption process:

import struct


def decrypt_first_stage(in_file, out_file):
    with open(in_file, 'rb') as f:
        encrypted_data = f.read()
    # Header: a 4-byte little-endian XOR key followed by a 4-byte size field
    # that marks the end offset of the encrypted region.
    key = struct.unpack('<I', encrypted_data[:4])[0]
    size = struct.unpack('<I', encrypted_data[4:8])[0]
    res = b""
    # Each 32-bit word is XORed with the current key, written back in
    # little-endian byte order, and the key is decremented after every word.
    for i in range(8, size, 4):
        word = struct.unpack('<I', encrypted_data[i:i + 4])[0] ^ key
        res += struct.pack('<I', word)
        key = (key - 1) & 0xFFFFFFFF  # keep the key a 32-bit value
    # Write raw bytes; a text-mode handle would re-encode bytes above 0x7F.
    with open(out_file, 'wb') as f:
        f.write(res)
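The following is an added example, not part of the original write-up, that builds a constructed sample in the layout the appendix script expects (assumed from that script: a dword key, a dword end offset, then dwords XORed with a key that is decremented after every word) and decrypts it in memory with header sanity checks, including the case where the key passes zero and must wrap.

```python
import struct

MASK32 = 0xFFFFFFFF


def build_first_stage_blob(plaintext: bytes, key: int) -> bytes:
    """Constructed test vector. Layout assumed from the appendix script:
    dword XOR key, dword end offset, then dwords each XORed with a key
    that is decremented after every word. Input is NUL-padded to 4 bytes."""
    plaintext += b"\x00" * (-len(plaintext) % 4)
    body = bytearray()
    k = key & MASK32
    for off in range(0, len(plaintext), 4):
        word = struct.unpack('<I', plaintext[off:off + 4])[0]
        body += struct.pack('<I', word ^ k)
        k = (k - 1) & MASK32
    return struct.pack('<II', key & MASK32, 8 + len(body)) + bytes(body)


def decrypt_first_stage_bytes(blob: bytes) -> bytes:
    """In-memory form of the appendix routine with header sanity checks,
    so a bad size field fails loudly instead of slicing past the buffer."""
    if len(blob) < 8:
        raise ValueError("input shorter than the 8-byte header")
    key, size = struct.unpack('<II', blob[:8])
    if size < 8 or size > len(blob) or (size - 8) % 4:
        raise ValueError(f"implausible size field {size} for {len(blob)} bytes")
    out = bytearray()
    for off in range(8, size, 4):
        word = struct.unpack('<I', blob[off:off + 4])[0] ^ key
        out += struct.pack('<I', word)
        key = (key - 1) & MASK32  # wraps cleanly when the key passes zero
    return bytes(out)


# Constructed sample, not a real Trickbot payload: 36 bytes (9 dwords) and a
# key of 1 so the decrementing key wraps from 0 to 0xFFFFFFFF mid-stream.
SAMPLE_PLAINTEXT = b"MZ\x90\x00constructed first-stage payload\x00"
SAMPLE_BLOB = build_first_stage_blob(SAMPLE_PLAINTEXT, key=1)

if __name__ == "__main__":
    recovered = decrypt_first_stage_bytes(SAMPLE_BLOB)
    print(recovered == SAMPLE_PLAINTEXT, recovered)
```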
