BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell

Summary: The content discusses the malware Trammy.dll, which downloads and extracts files to establish persistence on infected systems while disguising its activities. It highlights the use of a password-protected ZIP archive and the CCProxy application to facilitate communication with a command and control (CnC) server.

Threat Actor: Trammy
Victim: Windows Users

Key Points:

  • Trammy.dll schedules a task that adds C:\ProgramData to Windows Defender’s exclusions and downloads a password-protected ZIP archive.
  • Extracted files include CCProxy components, which are used to filter network traffic and disguise communication with the CnC server.
  • The malware establishes persistence by registering services and creating a marker file to track execution.
  • On reboot, the CCProxy service starts with custom configurations, enabling continued malicious activity.

Download, Decryption and Persistence

Next, Trammy.dll[F10] schedules a task that adds the folder C:\ProgramData to Windows Defender’s exclusions.

The DLL contacts the open directory hxxps://fileondemandd(dot)site/[U2] (see figure 8) and downloads the ZIP archive filea.tat[F12].

The archive is password-protected. The password is vsfdefender and has not changed in a long time: the archives in the Check Point article from one year ago use the same password (Check Point names those samples BBTok; their filenames are fe, fe2 and fe235). However, the password only works for the entries the malware actually uses. Attempting to unpack the whole archive with it produces ‘wrong password’ errors for the remaining entries, which is possible because ZIP encrypts each entry separately, so different entries of one archive can carry different passwords. This may be intentional, to thwart brute-forcing of the archive’s password.

We obtained seven files from the ZIP archive[F12]. Six of them (CCProxy.exe[F15], wke.dll[F16], Web.exe[F17], CCProxy.ini, AccInfo.ini and LeftTime.ini) belong to the CCProxy application developed by Youngzsoft Co., Ltd, a proxy that can be used, for example, to filter and monitor network traffic. Trammy.dll[F10] extracts all of them to C:\Program Files\SearchIndexer[P4] except for Web.exe[F17], which remains unused. CCProxy.exe[F15], masked as Searchlndexer.exe (with a lower-case “l” in place of the capital “I” of the legitimate Windows binary SearchIndexer.exe), is the main application and is registered as a local service that starts automatically on Windows boot. CCProxy.ini and AccInfo.ini configure CCProxy to accept HTTP connections from localhost on port 8118, which is used to disguise the communication with the CnC server[U3].

The wke.dll[F16] is superfluous because it is only required by Web.exe[F17], which is not extracted. The seventh file is named explorer.exe[F14] and was compiled with Embarcadero Delphi 11.0 Alexandria. Trammy.dll[F10] extracts it to the program data folder and registers it as a local service as well. In previous articles (link 1, link 2), the Delphi payload was BBTok.

After establishing persistence, Trammy.dll[F10] creates the empty file internal_drive_version2.3.4.txt[P2], which is used to determine if the code already ran. Then Trammy.dll[F10] displays the default Windows license expiration warning and reboots the system. On reboot, the CCProxy service starts with its custom configuration and the fake explorer.exe[F14] is called with a renamed filea.tat[F12] as argument. Figure 9 shows the overview for this part of the infection chain.
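The persistence chain above leaves several host artifacts that can be hunted for with built-in cmdlets: the Defender exclusion and the scheduled task that adds it, the two services, the homoglyph binary name, the CCProxy configuration and its localhost listener on 8118, and the marker file. The following PowerShell script is an added example written for this page; it is not code from the G DATA article. It assumes an elevated session on the host under review. The function name Find-TrammyPersistence is ours; the two folders searched for the marker file and the check of CCProxy.exe’s version-info CompanyName for the Youngzsoft vendor string are assumptions, since the article gives neither the marker file’s folder nor the binary’s version information.

```powershell
# Added hunting script (not part of the G DATA article). Run in an elevated
# PowerShell on the Windows host under review. The indicators come from the
# behaviour described in the text; the marker-file folders and the Youngzsoft
# CompanyName check are assumptions, not facts stated in the article.

function Find-TrammyPersistence {
    [CmdletBinding()]
    param()
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Defender exclusion for C:\ProgramData (added by the scheduled task).
    try {
        $excl = (Get-MpPreference -ErrorAction Stop).ExclusionPath
        if ($excl | Where-Object { $_.TrimEnd('\') -ieq 'C:\ProgramData' }) {
            $findings.Add('Defender exclusion present for C:\ProgramData')
        }
    } catch { Write-Verbose "Get-MpPreference unavailable: $_" }

    # 2. Scheduled task whose action adds that exclusion.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'Add-MpPreference' -and $cmd -match 'ProgramData') {
                $findings.Add("Task '$($task.TaskName)' adds a Defender exclusion: $cmd")
            }
        }
    }

    # 3. Services registered by the loader. The real SearchIndexer.exe lives in
    #    C:\Windows\System32 and the real explorer.exe in C:\Windows. -cmatch is
    #    case-sensitive, so the lower-case-L homoglyph is matched literally.
    #    [Il] also covers a folder name spelled with the same homoglyph (assumption).
    foreach ($svc in Get-CimInstance Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        if ($path -match '\\Program Files\\Search[Il]ndexer\\') {
            $findings.Add("Service '$($svc.Name)' runs from the SearchIndexer folder: $path")
        }
        if ($path -cmatch 'Searchlndexer\.exe') {
            $findings.Add("Service '$($svc.Name)' uses the homoglyph name Searchlndexer.exe: $path")
        }
        if ($path -match '\\ProgramData\\explorer\.exe') {
            $findings.Add("Service '$($svc.Name)' runs explorer.exe from ProgramData: $path")
        }
    }

    # 4. Masked CCProxy.exe: renaming the file does not change its PE version info.
    #    (Assumption: the CCProxy build carries Youngzsoft as CompanyName.)
    $masked = 'C:\Program Files\SearchIndexer\Searchlndexer.exe'
    if (Test-Path -LiteralPath $masked) {
        $company = (Get-Item -LiteralPath $masked).VersionInfo.CompanyName
        $findings.Add("Found $masked (CompanyName: '$company')")
    }

    # 5. CCProxy configuration and the local HTTP listener on port 8118.
    $ini = 'C:\Program Files\SearchIndexer\CCProxy.ini'
    if ((Test-Path -LiteralPath $ini) -and (Select-String -LiteralPath $ini -Pattern '8118' -Quiet)) {
        $findings.Add('CCProxy.ini references port 8118')
    }
    foreach ($l in (Get-NetTCPConnection -LocalPort 8118 -State Listen -ErrorAction SilentlyContinue)) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Port 8118 listening on $($l.LocalAddress), PID $($l.OwningProcess) ($($proc.ProcessName))")
    }

    # 6. Marker file written once persistence is in place. The article does not
    #    give its folder, so both folders the loader writes to are checked (assumption).
    foreach ($dir in 'C:\ProgramData', 'C:\Program Files\SearchIndexer') {
        $marker = Join-Path $dir 'internal_drive_version2.3.4.txt'
        if (Test-Path -LiteralPath $marker) { $findings.Add("Marker file present: $marker") }
    }

    return $findings
}

$result = Find-TrammyPersistence -Verbose
if ($result.Count -eq 0) { 'No Trammy/CCProxy indicators found.' } else { $result }
```

A hit on the homoglyph service name or on explorer.exe running as a service from ProgramData is strong on its own; the port-8118 listener and the Defender exclusion are weaker individually, because legitimate software can use either, so treat them as corroboration rather than as a verdict.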

In our next article, we will describe how the Delphi payload[F14] communicates with the CnC server[U3] via CCProxy using the RealThinClient SDK.

Source: https://www.gdatasoftware.com/blog/2024/09/38039-bbtok-deobfuscating-net-loader