TrueBot & Anti-Emulation Tricks

APOPHIS
7 min read · May 15, 2024


Understanding the Role of TrueBot in the Cyber Crime Ecosystem

In October 2022, Microsoft released a blog post shedding light on Raspberry Robin’s involvement in the contemporary cybercrime landscape. The report outlined several observations, including Raspberry Robin’s distribution of notorious malware families such as IcedID, Bumblebee, and TrueBot, alongside the previously identified FakeUpdates/SocGholish malware. At that time, TrueBot was not widely recognized or remembered, either due to its novelty or lack of attention.

Microsoft's Findings:

According to Microsoft’s findings, Raspberry Robin, a key player in cybercrime activities, was implicated in the propagation of multiple malware strains. These included:

  • IcedID: A banking trojan known for stealing financial credentials.
  • Bumblebee: A sophisticated malware associated with various malicious activities, including data exfiltration and system exploitation.
  • TrueBot: A relatively obscure malware family at the time, whose functionality and impact had not been extensively documented or understood.
  • FakeUpdates/SocGholish: A prevalent malware strain often used for delivering additional payloads or executing malicious activities on compromised systems.

The report underscored Raspberry Robin’s adaptability and versatility in distributing a wide range of malware, highlighting the evolving nature of cyber threats.

Cisco Talos' Report:

In December 2022, Cisco Talos issued a blog post elaborating on the increased activity associated with TrueBot. They speculated a potential connection between TrueBot and the threat actor group TA505. Cisco Talos noted that TrueBot had been observed distributing Grace (also known as FlawedGrace and GraceWire) as a subsequent payload. Grace, exclusive tooling attributed to TA505, further solidified the potential association between TrueBot and this prominent threat actor group.

Let's start with TrueBot's junk code:

The binary is padded with a significant amount of junk code that is not relevant to its operation.

(Figure: junk code)

Getting the C2:

We encountered three strings within the codebase that raised suspicion because of their obfuscated nature. Two of these strings appeared to be Base64 encoded and were passed as arguments to a function we named c2_64_encoded.

When decoding the Base64 strings with PowerShell we get the following results:

O_ia%0caoH%ac%9f%1f%cd%93

%05%19%298%5b%3d3%0f%b3%d9%0c

Now we can see that the function they are passed to is an RC4 decryption routine.

So I used a CyberChef recipe (Base64 decode followed by RC4) to recover the C2, with the RC4 key "qaTuMuseBaMuQoNe".

The decrypted C2 is: hhtps://essadonio.com/538332.php
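As an added example (not code from the post), here is the same c2_64_encoded pipeline in Python: Base64 decode, then RC4 with the key qaTuMuseBaMuQoNe. The two percent-escaped blobs are copied from the post as printed; the function names, the %xx rendering helpers and the re-obfuscation of the C2's host and path for the round-trip check are my own constructions, and the guess that the two blobs are the host and path (13 and 11 bytes) is an assumption, not something the post states.

```python
import base64

# RC4 key recovered in the post
RC4_KEY = b"qaTuMuseBaMuQoNe"

# The two Base64-decoded blobs exactly as the post prints them (%xx = one raw byte)
POST_BLOBS = ["O_ia%0caoH%ac%9f%1f%cd%93", "%05%19%298%5b%3d3%0f%b3%d9%0c"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def percent_decode(text: str) -> bytes:
    """Turn the post's '%xx' rendering back into raw bytes."""
    out, k = bytearray(), 0
    while k < len(text):
        if text[k] == "%":
            out.append(int(text[k + 1:k + 3], 16))
            k += 3
        else:
            out.append(ord(text[k]))
            k += 1
    return bytes(out)


def percent_encode(data: bytes) -> str:
    """Inverse rendering: keep [A-Za-z0-9_.-], escape everything else as lowercase %xx."""
    return "".join(chr(b) if (b < 0x80 and chr(b).isalnum()) or b in b"_.-" else f"%{b:02x}" for b in data)


def decode_c2_string(b64_blob: str, key: bytes = RC4_KEY) -> bytes:
    """The c2_64_encoded pipeline: Base64 decode, then RC4 with the hard-coded key."""
    return rc4(key, base64.b64decode(b64_blob))


def encode_c2_string(plaintext: bytes, key: bytes = RC4_KEY) -> str:
    """Inverse of decode_c2_string; only used here to build constructed sample blobs."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


if __name__ == "__main__":
    # Run the post's own blobs (already Base64-decoded) through RC4 with the recovered key
    for blob in POST_BLOBS:
        print(blob, "->", rc4(RC4_KEY, percent_decode(blob)))
```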

Persistence

Before persisting itself, TrueBot creates a mutex (OrionStartWorld#666) to check whether another instance is already running; if so, it terminates via ExitProcess(0).

C2 Communication

It then gathers information from the system, which will be sent to the C2. To get rid of the unwanted processes

GUID

Infinite Loop: The code starts with a while (1) loop, so the routine runs continuously until it is explicitly stopped.

File Operations:

  • The SHGetSpecialFolderPathA function is used to retrieve special folder paths.
  • It then constructs file paths with certain file extensions, like “*.JSONMSDN”.
  • The code searches for files matching these patterns using FindFirstFileA.
  • If a matching file is found, it attempts to read the file's contents using CreateFileA and ReadFile.

Memory Allocation: The code allocates memory dynamically using GlobalAlloc.

GUID Generation: If no matching files are found, it generates a GUID using CoCreateGuid. This GUID generation seems unusual in this context and may be used for identifying or tracking systems.

Random String Generation:
  • After GUID generation, the code generates a random string of length 13.
  • It utilizes srand and rand for random number generation to fill an array (v13) with characters.

Anti-debugging

TrueBot retrieves the filename of the module using GetModuleFileNameA.

It then checks if the filename contains the substrings “X64” or “x64” using StrStrA.

Conditional Execution:

  • If the filename contains "X64" or "x64", it proceeds to:
    • Prepare process creation structures (StartupInfo and ProcessInformation).
    • Create a new process for "calc.exe" (Calculator application) using CreateProcessA.
    • Terminate the current process using ExitProcess.

If the filename does not contain “X64” or “x64”, it proceeds to:

  • Check if the file specified by pszSrch exists and if it is present in the current module's filename using sub_14099FAF0 and StrStrA.
  • If the file does not exist or is not found in the module’s filename, it displays an error message using MessageBoxA, simulating an Adobe Acrobat error message.

“There was an error opening this document. The file is damaged and could not be repaired.”, “Adobe Acrobat”

  • Additionally, if the file doesn’t exist, it calls sub_14099C410 (presumably another function) and exits the process.

After that, TrueBot checks whether certain antivirus processes are running by calling sub_140001030 with specific process names (AVGUIX.EXE, AVGUI.EXE, AVASTUI.EXE, AVASTUIX.EXE). This suggests an attempt to identify and possibly interfere with antivirus processes.

Anti-Emulation

TrueBot uses several anti-emulation techniques to determine whether it is running in a sandbox or antivirus emulator. In the TrueBot code this happens as follows:

1- Reading from a fake named pipe:

The wsprintfW function formats the named pipe's path using the format string "\\\\.\\Pipe\\Scrooling%d".

CreateFileW is then called to open the named pipe specified by the constructed filename (FileName).

CallNamedPipeW is called to perform a synchronous transaction with the named pipe. This function connects to a server application and waits for the server to process the transaction. On a real host no server is listening on that pipe, so the call fails; a sandbox that returns success for it gives itself away.

2- Trying to open a random invalid file:

The CreateFileW function is used to open a handle (hDevice) to a file or device specified by the path "\\\\..\\\\.filem.film.AVIVIV"

So if the sandbox fabricates this file and hands a valid handle back to the malware, the malware concludes that it is running in an analysis environment.

3- Calling EraseTape:

The code calls the EraseTape function, passing the hDevice handle along with parameters 1u and 1. This suggests an attempt to erase data from a tape device.

  • If the tape erasure operation is successful (EraseTape returns a non-zero value), the subsequent operations are executed.

So if the call reports success ("done, everything is ok, we have erased data from the tape device") on a machine that has no tape drive, the malware takes that as a sign of a sandbox trying to satisfy whatever it asks for.

C2_COMMAND

The C2 has the option of sending the following commands:

LSEL: delete yourself and exit

EFE: download payload, decrypt with RC4 (hard coded key), and execute PE

S66: download, decrypt with RC4 (hard coded key), and inject shellcode into cmd.exe

Z66: download, decrypt with RC4 (hard coded key), and run shellcode

TFOUN: the array of commands

C2_config extractor

Based on the config from https://github.com/lazydaemon

YARA_rules

I have worked on many samples.


You can find my YARA rules here:

and the c2_config:
