PowerTrick Backdoor

First observed in late 2019, PowerTrick is a PowerShell-based backdoor believed to have been created by the group operating TrickBot for use against high-value targets.

Threat ID:: CC-3337
Category:: Backdoor
Threat Severity:: Medium
Threat Vector:
Published:: 16 January 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

First observed in late 2019, PowerTrick is a PowerShell-based backdoor believed to have been created by the group operating TrickBot for use against high-value targets.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

PowerTrick is delivered after a system has been compromised, either by TrickBot itself or by a preliminary loader in a similar manner to the PowerShell Empire post-exploitation toolkit. An initial small staging module is first installed, which then attempts to collect system information and send it to a command and control (C2) server. If this information matches the group's target requirements, an instruction will be sent to the stager to download the primary PowerTrick module.

Once installed, PowerTrick will collect detailed information on both the system and users, before sending it to a separate C2 server. It will then attempt to install a number of other payloads including the TrickBot Anchor DNS tool and the more_eggs Java backdoor.

For further information:

TrickBot "PowerTrick": Mock Panel for Enhanced Detection & Mitigation white paper (SentinelOne, 2020)

Remediation steps

Type	Step
	To prevent and detect an infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect an infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Indicators of compromise

Main indicators

IP Addresses

172.82.152[.]15
192.99.38[.]41
193.42.110[.]176
5.9.161[.]246

URLs

drive.staticcontent[.]kz
kostunivo[.]com
magichere[.]icu
magikorigin[.]me
northtracing[.]net
traveldials[.]com
web000aaa[.]info
wizardmagik[.]best

SHA256 File Hashes

254e7a333ecee6d486b4f8892fe292fb7ba1471fe500651c1ba3e7ff5c9e03c8
dcf714bfc35071af9fa04c4329c94e385472388f9715f2da7496b415f1a5aa03

Last edited: 29 June 2021 12:00 pm