The fake 1Password installer is used to launch Cobalt Strike, allowing the attackers to collect information about multiple systems in the network.

We have covered various examples of malware in the recent past. One of them is Trickbot, which surfaced in 2016 and has evolved over the years from a plain banking trojan into a ransomware-delivering botnet, adding new capabilities as it went.

In the latest development, Trickbot has been found installing a fake "1Password" password manager that is in reality designed to infect the victim's computer and collect data.

Legitimate 1Password installer (right) – Fake 1Password installer (left) – Image credit: The DFIR Report

According to the researchers at The DFIR Report, who were the first to document the attack, the infection begins with a password-protected archive containing a Microsoft Word or Excel document with macros; if the macros are enabled, the targeted device is compromised. The fake 1Password installer, named "Setup1.exe", is then deployed and used to launch Cobalt Strike, which helps the attackers collect information about multiple systems in the network.

The Trickbot payload injected itself into wermgr.exe, the Windows process responsible for error reporting. The threat actor then used built-in Windows utilities such as net.exe, ipconfig.exe and nltest.exe for internal reconnaissance. Within two minutes of that discovery activity, WDigest authentication was enabled in the registry on the infected host (it has been disabled by default since Windows 8.1 and is off by default on Windows 10). This forces the system to keep logon credentials in clear text in LSASS memory. Shortly after the registry change, the LSASS process was dumped to disk with the Sysinternals tool ProcDump.

Having obtained credentials this way, the attackers used WMIC to deploy the fake password manager across multiple systems in the network, the researchers wrote in a blog post. The fake installer also drops a file that runs Cobalt Strike shellcode, so each infected host sends Cobalt Strike beacons back to the attackers. Since the beacon gives the attackers remote access to the victim systems, they used it to run PowerShell commands that collected information about the computers, such as their anti-virus state.

Trickbot's execution (Image credit: The DFIR Report)

However, as the researchers pointed out, the collected data was not exfiltrated, so it remains unclear what exactly the group's motives were.
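The credential-access and lateral-movement steps described in this article (WDigest enabled in the registry, LSASS dumped with ProcDump, then WMIC used to run the fake installer on other hosts) are the kind of sequence a detection engineer would want to alert on. The Python below is an added example written for this page; it is not The DFIR Report's detection content and does not reproduce Trickbot's real command lines. It assumes Sysmon-style telemetry (Event ID 1 process creation, Event ID 13 registry value set) flattened into dicts, and the sample events are constructed for illustration. The registry value it watches is the real one that turns WDigest credential caching on, UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest; the ProcDump and WMIC command-line patterns are generic shapes of those techniques, not evidence from the intrusion.

```python
"""Detect the WDigest -> ProcDump LSASS -> WMIC remote-exec chain over
Sysmon-style events. Added example for this page; events are constructed."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the real intrusion). Sysmon EID 1 =
# process creation, EID 13 = registry value set.
SAMPLE_EVENTS = [
    {"ts": "2021-07-01T10:00:00", "host": "WS01", "id": 1,
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"ts": "2021-07-01T10:01:30", "host": "WS01", "id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    {"ts": "2021-07-01T10:03:00", "host": "WS01", "id": 1,
     "image": r"C:\Users\Public\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"ts": "2021-07-01T10:20:00", "host": "WS01", "id": 1,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:WS02 process call create "C:\\ProgramData\\Setup1.exe"'},
    # Benign-looking registry write on another host; should not fire.
    {"ts": "2021-07-01T11:00:00", "host": "WS03", "id": 13,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\a\update.exe"},
]

# Suffix of the WDigest value that enables clear-text credential caching.
WDIGEST_VALUE = r"\securityproviders\wdigest\uselogoncredential"


def classify(ev):
    """Return a rule name if a single event matches a technique, else None."""
    if ev["id"] == 13:
        # Only a value of 1 re-enables WDigest caching; setting 0 is hardening.
        if ev["target"].lower().endswith(WDIGEST_VALUE) and "0x00000001" in ev["details"]:
            return "wdigest_enabled"
        return None
    if ev["id"] == 1:
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        cmd = ev["cmdline"].lower()
        # ProcDump is a signed Sysinternals tool; the signal is its target (lsass).
        if image.startswith("procdump") and "lsass" in cmd:
            return "lsass_dump_procdump"
        # WMIC remote process creation is the lateral-movement primitive used here.
        if image == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
            return "wmic_remote_process_create"
    return None


def detect(events, window=timedelta(minutes=10)):
    """Classify every event, then add a correlated high-severity finding when
    WDigest was enabled and LSASS dumped on the same host within `window`."""
    hits = [{"ts": e["ts"], "host": e["host"], "rule": classify(e)}
            for e in events if classify(e)]
    wdigest_times = {}
    for h in hits:
        if h["rule"] == "wdigest_enabled":
            wdigest_times.setdefault(h["host"], []).append(datetime.fromisoformat(h["ts"]))
    for h in list(hits):
        if h["rule"] != "lsass_dump_procdump":
            continue
        t = datetime.fromisoformat(h["ts"])
        if any(timedelta(0) <= t - w <= window for w in wdigest_times.get(h["host"], [])):
            hits.append({"ts": h["ts"], "host": h["host"], "rule": "credential_theft_chain"})
    return hits


def rule_names(events):
    """Convenience wrapper: just the rule names detect() produced, in order."""
    return [h["rule"] for h in detect(events)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The per-event rules are deliberately narrow (value must be 1, ProcDump must name lsass, WMIC must use /node: with process call create) so they stay quiet on routine administration; the correlation step is what turns two medium-confidence signals into a finding worth paging on, because a WDigest change followed within minutes by an LSASS dump on the same host has no benign explanation.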