A new module for the TrickBot trojan has been discovered that targets the Active Directory database stored on compromised Windows domain controllers.
TrickBot is typically download and installed on a computer through other malware. This most common malware that installs TrickBot is Emotet, which is distributed through spam with malicious Word document attachments.
Once TrickBot is installed, it will harvest various information from a compromised computer and will then attempt to spread laterally throughout a network to gather more data.
As part of the malware's continued evolution, a new TrickBot module called 'ADll' was discovered by security researcher Sandor Nemes that executes a variety of Windows commands that allows the trojan to steal a Windows Active Directory database.
Dumping the Active Directory
Before we get to how TrickBot steals an Active Directory database to harvest login credentials, we first need to give a bit of background about a special file called ntds.dit.
When a server is promoted as a domain controller, the Active Directory database will be created and saved to the default C:\Windows\NTDS folder on the DC.
Inside this folder is a file called ntds.dit, which is a database that contains all Active Directory services information such as users, passwords, groups, computers, etc.
As this information is sensitive, Windows encrypts the data using a BootKey stored in the System hive of the Registry. As the ntds.dit is always opened by the domain controller, it also not possible to access it normally using standard file operations.
To be able to work with the ntds.dit database while it is open, Windows domain controllers have a tool called ntdsutil that allows administrators to perform database maintenance.
Using ntdsutil, administrators can perform the "ifm" (Install from Media) command to create a dump of the Active Directory. This command is meant to be used to create installation media that can quickly set up new Domain controllers without having to wait for the Active Directory to replicate.
If TrickBot is able to gain administrative access to a domain controller, it will abuse this command to create a copy of the domain's Active Directory database and steal it.
TrickBot steals the Active Directory
TrickBot's new ADll module takes advantage of the "Install from Media" command to dump the Active Directory database and various Registry hives to the %Temp% folder. These files are then compressed and sent back to the attackers.
In a conversation with BleepingComputer, Nemes explained that the ADll module will generate an 8 character ID based on the TrickBot client ID.
The module will then use this ID as the filename argument for the following executed commands:
ntdsutil "ac in ntds" "ifm" "cr fu %TEMP%\[generated-id]0.dat" q q reg save HKLM\SAM %TEMP%\[generated-id]1.dat /y reg save HKLM\SECURITY %TEMP%\[generated-id]2.dat /y reg save HKLM\SYSTEM %TEMP%\[generated-id]3.dat /y
When executed, the commands will dump the Active Directory database as well as the SAM, Security, and SYSTEM hives.
When done, Nemes says the module will check if the files exist, compress them, and then exfiltrate the files back to the attacker's servers.
Now that the attackers have access to these files, they can decrypt the Active Directory database and dump the usernames, password hashes, computer names, groups, and other data.
This data can then be used to further spread laterally throughout the network and is especially helpful for the actors behind the Ryuk Ransomware, which is typically the final payload for TrickBot infections.
Illustrating how this data helps attackers
To illustrate how the TrickBot module works and what data it can gather using, BleepingComputer set up a small Windows domain.
Once set up, we execute the first command of "ntdsutil "ac in ntds" "ifm" "cr fu %TEMP%\H00i0Z000.dat" q q", which dumps the Active Directory database to the %TEMP%\H00i0Z000.dat folder.
Dumping the Active Directory database
We also executed the module's reg commands to save the SAM, Security, and SYSTEM hives to files.
reg save HKLM\SAM %TEMP%\H00i0Z001.dat /y reg save HKLM\SECURITY %TEMP%\H00i0Z002.dat /y reg save HKLM\SYSTEM %TEMP%\H00i0Z003.dat /y
When done, our %Temp% folder contained a folder containing the Active Directory database and three dat files that are the saved Registry hives.
Saved data in %Temp% folder
Inside the H00i0Z001.dat folder is the dumped ntds.dit database file.
The dumped Active Directory database
Using the DSInternals PowerShell modules we can easily extract the BootKey decryption key from the System hive using the "Get-Bootkey -SystemHivePath '.\H00i0Z003.dat'" command.
Extracting BootKey from SYSTEM hive
Finally, we execute the DSInternals command "Get-ADDBAccount -All -DBPath 'C:\Users\sanje\Desktop\NTDS\ntds.dit' -Bootkey [key]" to decrypt the database and view all of the accounts, including their NTML password hashes, as seen below.
Dumping user password hashes from the ntds.dit file
Attackers can then take these hashes and run them through cracking programs to determine the actual plain-text passwords for these users.
These account credentials can then be used by the attackers to compromise other devices on the network.
Active Directory exploitation is a serious subject and is important for domain administrators to become familiarized with it.
Head of SentinelLabs Vitali Kremez also has a very informative video on how Trickbot and Ryuk exploit Active Directory services for their benefit.