TrickBot Trojan switches to stealthy Ostap downloader

At least one of the three cyber attack groups operating the TrickBot modular banking Trojan has switched to a commodity JavaScript downloader to bypass security controls, according to researchers.

Analysis of a recent high-volume spam campaign delivering TrickBot by virtualisation-based security firm Bromium revealed use of the Ostap malware downloader dating back to 2016.

The campaign used a Microsoft Word 2007 macro-enabled document to deliver the downloader. The document typically contained a VBA (Visual Basic for Applications) macro and a Jscript. The emails and samples analysed were themed as purchase orders to target businesses.

Due to Ostap’s use in other malware campaigns, researchers said this suggested it was a commodity downloader widely available to multiple threat actors, including TrickBot’s operators.

However, the use of Ostap marks a departure from previous TrickBot campaigns that used obfuscated command shell and PowerShell commands that were triggered by VBA AutoOpen macros to download payloads.

While the use of JavaScript-based downloaders is not new, the Ostap downloader is notable for its size, virtual machine detection and anti-analysis measures, according to Alex Holland, malware analyst at Bromium.

“The Ostap samples analysed generated incomplete traces in two different public sandboxes and neither downloaded their respective TrickBot payloads. Moreover, a sample that was uploaded to VirusTotal had a low detection rate of 11% when it was first uploaded, suggesting that Ostap is effective at evading most antivirus engines,” he wrote in a blog post.

Downloaders are simple functions designed to retrieve and run secondary payloads from one or more remote servers, and are rarely more than several hundred lines of code, even when obfuscated. But Bromium’s analysis revealed that the latest Ostap downloader counters this trend, containing more than 34,000 lines of obfuscated code.

Historical TrickBot campaigns suggest that their operators seem to prefer code obfuscation that is lengthier than most other e-crime actors to bypass detection, said Holland.

“We regularly see malicious actors change their tooling to increase the chances of a successful intrusion”

Ostap also includes a variety of measures designed to prevent analysis and examination. When the TrickBot delivery document opens, Ostap copies file names to the user’s default Word template. However, analysis shows that the rest of the macro runs only if the document is closed, which is an anti-sandbox measure to prevent behavioural analysis. The downloader also includes a fake Windows Script Host runtime error to discourage manual examination.

Bromium was able to identify this campaign because it sits at the bottom of the security stack, isolating threats that bypass other security tools in hardware-enforced containers. This means that if a user clicks on something malicious, the threat is fully contained.

This approach generates real-time threat intelligence that can be shared across the security stack, helping to harden the entire defensive infrastructure and ensure organisations stay one step ahead.

Commenting on TrickBot’s operators switching to Ostap, Holland said: “We regularly see malicious actors change their tooling to increase the chances of a successful intrusion, particularly the downloaders used to initially compromise systems.

“Ostap’s aggressive anti-analysis features and low detection rate compared to downloaders that use other interpreted scripting languages make it an attractive choice for malware operators seeking a downloader.”