Discovery

Trik is an old bot which was first seen in 2011. Its modus operandi is to use instant messaging systems to propagate. Over the past years, this bot appears to go quiet. From January to May 2016, we have only identified 84 variants of Trik. However starting from June to July 25, we identified 1,447 variants of the sample.

We discovered an early version of this bot on Virustotal which was seen on February 15, 2016. The sample with sha256 cdb6f46a56d97a962278960f4a58bbcd2270f27635f7c638884968ae44205931 timestamp is February 11, 2016. The sample is also packed with the compressed data in its resource section.

We unpacked this file and identified the name and version of this bot based on the reference of its .pdb file.

  • C:\Users\x\Desktop\Home\Code\Trik v1.8\Release\Trik.pdb

Fast forward to July 2016, Trik uses a .NET packer/protector. Also the pdb file shows it is now in version 2.6. This  means that from 2011 until May 2016, we are only seeing version 1 updates of Trik but starting June, the actors are actively involved in the operations of Trik.

Aside from .NET protector, samples are now signed but from untrusted root CA.

second_version_vt

certificate_invalid

 

The following analysis will now focus on the recent sample with sha256, 0b6258dc856fb84d11d368d3c8a4d6b3a379297ab08efa89b3f1a6ea5f556558

 

 

Packer

Similar to the first version, this .NET packer’s compressed data is in its resource section. It also has a loader which first checks for some sandbox and virtualization software before loading the payload.

The loader will first decrypt its configuration file in its resource section. The configuration is an array that defines the execution flow of the malware including mutex names. Based on the configuration, it can also delete the property of the file being downloaded from the internet by deleting this the alternate data stream “{filename}:Zone.Identifier”. This will bypass dialog window from browsers implying the file was downloaded from the internet. This is an indication that the attackers using drive-by-download as a means to install this bot.

packer_decrypt_config

 

Armoring

This variant also detects the following softwares which are popular sandbox, and network analysis tools:

  • SandBoxie
  • Fiddler
  • Wireshark
  • WPE

packer_anti

 

The configuration also identifies the process where it will inject its code. It may choose from either the following processes:

  • vbc.exe
  • RegAsm.exe
  • AppLaunch.exee
  • svchost.exe
  • notepad.exe
  • self

In our sample, it injects on itself by launching a suspended process and writes into it.

RunPE_starting

 

The code injected is located in the resource section and encrypted. The decryption is a combination of rolling XOR with the keys also defined in the configuration.

 

decryption

 

Main Payload

The unpacked code is not in .NET assembly format but in C++. The version of this bot is identfied on its pdb reference which is v2.6.

  • C:\Users\s\Desktop\Home\Code\Trik v2.6\Release\Trik.pdb

 

Similar to earlier version, the unpacked code is straight-forward.

It will first employ its Anti analysis, Anti Sandbox and Anti Virtualization checks. If found, it will uninstall itself.

payload_anti

 

AntiVirtual

Anti_virtual

 

 

Blacklisted Processes

blacklisted_processes

 

Blacklisted DLL

blacklisted_DLL

 

 

Blacklisted Window Names

blacklisted_window_names

 

Blacklisted File Name

blacklisted_filename

 

Blacklisted File Path

blacklisted_file_path

Blacklisted User Names

blacklisted_usernames

 

“Tequilaboomboom” might be the preferred user name of the author used during development of the malware.

 

To check if it has already infected the system it looks for the mutex name  “t71. It also checks if it is running as:

  • %windir%\M-50504502689047502405034500693020490\winmgr.exe

 

If not, it will create a copy of itself in the same path above. It also adds itself in the Authorized Application list in the Firewall Policy settings. Creates Autostarts and disables the Windefender service.

 

It will create four threads which is the main payload routine.

 

Worm Routine on Removable and Network Drives

This is not a typical worming routine where it will drop a copy of itself into target folders or drives. Instead, it will drop a script that will download a copy or most likely an updated version of “Trik”. This method is another evasion technique employed by the malware. Even if the version of the malware is already detected, those infected drives with the components of the worm will have a chance to evade the detection.

 

Trik will first check if the download urls are accessible by iterating a list of urls and trying to download the “.exe” in the temp folder.. For the sample we checked, the following are the download URL.

 

  • http://124[.]158[.]10[.]82/t.exe
  • http://125[.]212[.]217[.]30/t.exe
  • http://220[.]181[.]87[.]80/t.exe
  • http://125[.]212[.]217[.]33/t.exe
  • http://210[.]211[.]116[.]246/t.exe
  • http://host5050[.]ru/t.exe
  • http://host5051[.]ru/t.exe
  • http://ouefuguefhuwuhs[.]ru/t.exe
  • http://uwgfusubwbusswf[.]ru/t.exe           

 

After successful verification, it proceeds on finding specific drives. It targets removable and remote drives except drive “a” or “b”.

 

Worm_routine

 

Depending on the type of drive, it will drop the following files:

 

  • Autorun.inf
  • DeviceManager.bat
  • Manager.bat (if target drive is network drive)
  • Manager.js (if target drive is removable)
  • .lnk (shortcut file to Manager.js or Manager.bat)

Autorun.inf will function as an autostart and simply opening the drive will execute the malware. It executes Manager.bat or Manajer.js which will then execute DeviceManager.bat. DeviceManager.bat will contain a powershell script that will download and execute a copy or an update of Trik as %temp%\winupd.exe. As an additional evasion technique, it adds random strings in between lines of the scripts. For example, contents of autorun.inf are as follows:

 

autorun_inf

 

Without the randomizer, the script will only contain the following:

 

autorun_inf_no_random

DeviceManager.bat executes a powershell script or launches bitsadmin.exe to download Trik. It contains the following: (We removed the random strings to show clearly how the script works)

 

device_manager

 

Worm Routine on Fixed Drives

Aside from worming on removable or network drives, it will also propagates a copy of itself into specific folders in fixed drives. It targets folders related to web root folders, ftp folders, or other sharing folders. It specifically looks for the following sub strings in the folder:

 

share_folder_sub_strings

If found, for every “.exe” file in that folder, it will replace it with a copy of itself. Likewise, for every “.zip” or “.rar” in that folder it will add a copy of itself as “README.txt.scr”.

worm_routine_2

 

Backdoor Routine

 

Trik is an IRC backdoor. The sample we analyzed connects to any of the following IRC servers all on port 5050:

 

  • 125.212.217.30
  • 220.181.87.80
  • 124.158.10.82
  • 125.212.217.33
  • 210.211.116.246
  • host5050.ru
  • host5051.ru
  • ouefuguefhuwuhs.ru
  • uwgfusubwbusswf.ru
  • oeuuguhwugfuuws.ru
  • efugusgdugugg.ru
  • wdoaefaeodegfe.ru
  • foeaufguehuaee.ru
  • efuegdugugg.ru
  • wdoargsiheffea.ru
  • fofhihihienfospf.ru
  • fgazeeufueea.ru
  • wgwuwgruwddhuw.ru

 

If one of the IRC servers is online, it will issue a NICK containing system info and USER command. The USER command contained fixed parameters which is always ‘x “” “x” :x’

The NICK message contains system information including windows version, keyboard layout info, and whether the user is admin or not.

NICK

If successful, it will now wait for specific commands. It specifically looks for strings “001”, “433”, and “332” in the message as a signal for command. Command 001 means it will ask the bot to join to a specific channel. Command 433 instructs the bot to send system information. Command 332 contains additional sub command. It can instruct the bot to:

 

  • Remove itself from the system
  • Send more system information
  • Download and execute files

 

It also seeks specific countries by getting the geolocation of the infected user through http://api.wipmania.com/. It will only download from specific list of countries hardcoded in its body. The list contains only countries from Americas and European countries.

 

Cyphort detects Trik as TROJAN.KIRTS.CY