NTT Security is closely following the evolution of the banking malware TrickBot which has been involved in multiple major incidents such as deployments of the now infamous ransomware Ryuk crippling global organizations and large cities.

In this blog post, we will first provide a description on the commonly observed way of distributing TrickBot and then go into detail on targeted activity where the Powershell backdoor PowerBrace was deployed through an active infection. The use of PowerBrace is noteworthy as there are only a few samples available in public and it has been attributed to other major threat actors, indicating previously unknown collaborations.

The research in this blog post is based on detected customer incidents through managed security services, incident response engagements and TrickBot infrastructure-mapping using the NTT Tier 1 internet backbone infrastructure. We have previously written about our research here.

Distribution method

NTT Security observes that the threat actor behind TrickBot mainly uses two distribution methods to deliver the malware. The first one is traditional email campaigns where the threat actor is behind the distribution themselves. From the victim’s view, it has the following workflow:

  1. User receives email with malicious attachment, for example a Word document with macro code
  2. Attachment is opened and macro code is executed. The macro code downloads TrickBot from an external server
  3. The TrickBot sample is executed and the client is infected

The other increasingly popular way is to collaborate with external successful malware distributors such as the group behind Emotet. Emotet is a malware which is most commonly spread through email campaigns. Once a successful infection has taken place, it has been observed that additional malware, such as TrickBot, are fetched and installed.

PowerBrace backdoor deployment

During May 2019, NTT Security’s Security Operation Center (SOC) observed the TrickBot threat actor deploying the Powershell backdoor PowerBrace towards a small subset of victims. We assess that the victims were manually singled out by the TrickBot actor due to their high profile/high impact.

The workflow for manually singled out victims is outlined below:

The PowerShell command used to deploy PowerBrace was as follows:

As can be seen, the backdoor is downloaded from hxxp://util98[.]com/navleft.gif and have the C2 server provided as argument pp with domain qqcore[.]co and port 443.

The backdoor communicates over SSL and additionally all its traffic is bytewise XOR encoded.

Each time the backdoor is run, a 15-character long session key is generated and sent to the C2 server.

The session key is required each time the C2 server communicates with the client, otherwise, the commands will be ignored.

The backdoor supports multiple commands – a list of them below:

There are also a few features which are not implemented:

To analyze the behavior of an active install, NTT Security created a basic server which mimics the C2 server behavior. 

The initial client check-in looks like:

Example of invoking the cmd directory listing command:

The backdoor will delete itself at execution indicating it to be deployed only when needed and not to be used as a persistence mechanism:

Our working theory is that PowerBrace is used as a tool during intrusions in order to quickly perform tasks such as file transfers, command execution, additional payload deployments etc.

At the end of the blog post, an Indicators of Compromise (IOC) section is provided with a yara rule for the backdoor included.

Context before attribution 

The attribution puzzle of PowerBrace largely revolves around the TrickBot actor, TA505 group and Lazarus group. For readers not acquainted to these threat actors, we will provide an introduction to both TA505 and Lazarus.

TA505 is a financially motivated actor known to perform a large span of activities such as being the creators of multiple ransomware families, most famously Locky. It is also the creator of the banking malware Dridex. Additionally, it makes use of email campaigns and is known to, among other threats, distribute TrickBot.

Lazarus, also known as Hidden Cobra and Guardians of Peace is a threat actor connected to the North Korean government. It is known for multiple high-profile activities, such as being the creator of WannaCry and the Sony breach. It is also financially motivated with targets such as cryptocurrency exchanges and banks.

Attribution

With the above introduction about the groups completed, we will go into the details of how the PowerBrace backdoor come into the picture with TA505 and Lazarus.

BAE Systems attributed the creation of PowerBrace to the Lazarus group during the Kaspersky Security Analyst Summit 2019.

Additionally, Norfolkinfosec found OSINT IOCs indicating an overlap of tools used between TA505 and Lazarus where PowerBrace was part of the toolset.

The observations of Norfolkinfosec summarized:

The Vietnamese CERT published a report on an APT attack towards financial organizations where a PowerBrace sample is listed as an IOC. Among the listed IOCs are also a hash for a file named HSMBalance.exe which is attributed to Lazarus group.

In the same report, there are IOCs overlapping with activity by the financially motivated group named TA505 reported in a blog post from Threat Intelligence Center at 360.

This highlights a possible collaboration between Lazarus and TA505.

BAE systems has commented on the possibility of a collaboration in connection to an article in Wired about attacks on ATM networks. The article has the following quote highlighted it:

This connection does not seem to have a very high certainty as the speaker of the related SAS2019 talk commented on a Twitter post:

The interesting point to make here is that TrickBot has dropped PowerBrace, a backdoor which seems to be created either by Lazarus or TA505 group.

Does this indicate that the TrickBot group is collaborating with Lazarus? Or does the TrickBot group collaborate with TA505 which in turn collaborates with Lazarus? Can it be the case that the author of PowerBrace actually is TA505 and not Lazarus?

The uncertainties are many in how these groups relate to each other. We can however say with:

  • High confidence – that PowerBrace has been deployed through TrickBot infections
  • Medium confidence – that the TrickBot group has a collaboration with an external criminal financial actor during targeted attacks.

Summary

The TrickBot group has created a resilient malware infrastructure which poses a serious threat to companies and their users. NTT Security helps its customers detect, prevent and remediate TrickBot and PowerBrace infections via its threat detection services delivered from multiple 24/7 SOCs around the world. 


Acknowledgement

The NTT Security team would like to extend a thank you to Saher Naumaan and team for sharing context information during the creation of this blog post, and to Norfolkinfosec for analyzing and correlating OSINT information.

IOCs

Hashes: 29f1322ce49386c7cc916e0e63d706cbcaa0132ea56c55ec57c0c14c3dac8993 (navleft.gif)

Domains: hxxp://util98[.]com/navleft.gif qqcore[.]co

IPs: 107.173.204.54:80 (util98[.]com) 66.11.124.195:443 (qqcore[.]co)

Yara rule: https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/blog/powerbrace-ntt-yara.pdf