Trillium Exploit Kit Update Offers ‘Security Tips’

June 2, 2016

McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums.

We have analyzed the new version of the tool and it contains new functionality. These include:

  • PDF downloader
  • Password generator
  • Security tips

PDF downloader

od_2305_004

The user has several options when creating a PDF downloader, though all of these options create very similar PDF files.

od_2305_005

Upon opening the file with our FileInsight tool, we can clearly see the PDF using the OpenAction function to invoke PowerShell, which will download and execute a file.

Password generator

A strange addition to the toolkit is a password-generating component.

od_2305_006

This will create a randomly generated string to be used as a password for any account. Users can save this password on their machines. Upon clicking the button, a text file is created that contains a clear-text unencrypted copy of the password.

od_2305_007

od_2305_008

This is not very secure.

Security tips

The oddest addition to Trillium is the inclusion of several security tips to help users avoid malware infections. We find this ironic because the purpose of the software is to breach the security of user environments.

There are various tips on antiphishing, downloading, uninstalling vulnerable software, and password use.

od_2305_015

In use

We have seen this toolkit used in the wild to target a bank in the Asia-Pacific region. This email contains a malicious PowerPoint file.

od_2305_009

The attachment is a .PPSX file, a PowerPoint Show file starts the app in slideshow mode. This trick has been used many times to mask what is happening in the background.

The .PPSX file contains an embedded VBS.Downloader Trojan created using the Trillium 4.0 toolkit. A feature in PowerPoint can execute embedded OLE objects; the attacker has taken advantage of this by creating a custom action to execute the embedded VBS.Downloader when the PowerPoint slide is opened. (Click here for more information on the custom animation feature.)

Customer animation feature used to execute the embedded VBS file.

 

od_2305_011

VBS.Downloader Trojan created by Trillium 4.0.

The VBS file downloads a password-stealing Trojan that targets the following software:

  • FireFox
  • ThunderBird
  • SeaMonkey
  • Opera
  • Outlook
  • Pidgin

The password stealer has keylogging functionality and will create a log file in the %APPDATA%LOGS folder in the format DD-MM-YYYY. The malware encrypts these log files with XOR 0x9D and then adds 0x24. In order to decrypt these, we need to reverse this algorithm. So we sub 0x24 and then XOR this with 0x9D.

od_2305_020

Encrypted log file.

 

od_2305_019

Decrypted log file.

The malware attempts to contact the following servers:

  • adzone.duia.eu
  • adzone.ddns.net
  • adzone.zzzz.io

Intel Security has the following signatures for the Trillium malware:

  • W97M/Downloader.bdu
  • Trojan-FISA
  • Downloader-FBEF

We recommend that our customers read this post on best practices. The advice should help mitigate some of the infections seen by malware created by this toolkit.

The post Trillium Exploit Kit Update Offers ‘Security Tips’ appeared first on McAfee.