Inside a TrickBot Cobalt Strike Attack Server

Research by Joshua Platt and Jason Reaves

Executive Summary

  • Trickbot operators utilized PowerTrick and Cobalt Strike to deploy their Anchor backdoor and RYUK ransomware
  • We review the Cobalt Strike portion of the server and how the actors were leveraging it against multiple targets.


TrickBot is the successor of Dyre which at first was primarily focused on banking fraud, even reusing the same web-injection systems utilized by Dyre. TrickBot has since shifted focus to enterprise environments over the years. Incorporating everything from network profiling, mass data collection and lateral traversal exploits. This focus shift is prevalent in their tertiary deliveries that target enterprise environments. Much like a company whose target will shift depending on what generates the best revenue.

This report aims to expand upon SentinelLabs earlier reports involving TrickBot:

Previously, in our PowerTrick reporting, we mentioned an IOC ‘wizardmagik[.]best’ (95.179.214[.]127). Typically, the domains are monitored for some time via VirusTotal in an effort to further any understanding of the IOC in question. The effort paid off as surprisingly some old attack data from the server containing roughly three sessions (10/7/2019-10/9/2019) appeared recently. While the log data is only for 3 sessions, data such as this can prove to be invaluable for defenders through showcasing actions on objectives and attack TTPs from real life scenarios.

Attack Server

The server is clearly utilized for further profiling the networks and systems. The actor leverages a myriad of open source scripts and tools to gather information and pivot to other systems from existing TrickBot infections.

This specific server comes into play in the post-Initial Access phase, which is handled by TrickBot. TrickBot modules collect large amounts of data on the infected systems and attempt to pivot to the domain controller. At this point, actors will jump in and begin the process of mapping out the network and determining what the next course of action will be. Or in other words, they initiate the valuation phase.

Anatomy of an Attack

In the later part of 2019, TrickBot conducted campaigns using the CloudApp folder. We can correlate timestamps from the Cobalt Strike logs to campaign data when TrickBot utilized the folder name[5].

LS command issued to beacon
Image1: LS command issued to beacon

The actor initially makes a note of this infection:

Operator adds note
Image2: Operator adds note

Once the actors decide to take a look at the infection using Cobalt Strike, they issue a task to run the Cobalt Strike-ToolKits DACheck script, impersonate SYSTEM and run Mimikatz.

Initial tasks executed after check in
Image3: Initial tasks executed after check in

Next, they begin looking for live hosts and port scanning for particular open ports.

Port Scan task initiated
Image4: Port Scan task initiated

They also check the members of the Domain Admin group:

Domain admin checked
Image5: Domain admin checked

And dump the hashes:

hashdump issued
Image6: hashdump issued

The actors load in PowerView.ps1 PowerShell script from PowerSploit and begin leveraging the PowerShell script to find where else they can pivot to.

PowerShell leveraged for enumeration
Image7: PowerShell leveraged for enumeration

During this time, other machines in the same domain are pivoted to.

Interactive Logon
Image8: Interactive Logon

Each machine gets profiled out.

Machine directory listing
Image9: Machine directory listing

Eventually leading to Ryuk ransomware:

Ryuk upload and detonate
Image10: Ryuk upload and detonate
Ryuk detonated via PsExec
Image11: Ryuk detonated via PsExec

Going by the timestamps, we can guess the time period of 2 weeks for dwell time from TrickBot -> Pivot and Profile -> Ryuk.

Tools Leveraged




Cobalt Strike directory zip: