Demystifying Ostap, a new downloader for Trickbot trojan

• The downloader is delivered as a Microsoft Word 2007 macro-enabled (.DOCM) document.
• The emails are themed as purchase orders, suggesting that the campaigns are likely intended to target businesses rather than individuals.

In early August 2019, researchers noticed a high-volume of malicious spam campaigns delivering Trickbot. Almost all of these campaigns were found using Ostap, a commodity JavaScript downloader.

What’s the matter?

In the previous campaigns, Trickbot relied on downloaders that used obfuscated Command Shell and later PowerShell commands to download their payloads. These PowerShell commands were triggered by VBA AutoOpen macros.

However, in recent days, the malware authors have evolved their propagation methods and are now using a JavaScript downloader Ostap to deliver the trojan.

Who are the primary operators of Trickbot?

Trickbot is a modular trojan that is thought to be operated by at least three threat actors, tracked as TA505, Grim Spider and Wizard Spider.

How does Ostap spread?

Downloaders are a type of malware designed to retrieve and run payloads from one or more remote servers. Their simple function means that downloaders are rarely more than several hundred lines of code, even when obfuscated.

However, Ostap is one of the rare malware downloaders as it contains nearly 35,000 lines of obfuscated code, thus making it easier for cybercriminals to evade detection. The downloader is delivered as a Microsoft Word 2007 macro-enabled document (.DOCM) that contains two components of the downloader: a VBA macro and the JScript.

“The Ostap samples analyzed generated incomplete traces in two different public sandboxes and neither downloaded their respective TrickBot payloads. Moreover, a sample that was uploaded to VirusTotal had a low detection rate of 11% when it was first uploaded, suggesting that Ostap is effective at evading most antivirus engines,” said Bromium researchers in a blog post.

The emails are themed as purchase orders, suggesting that the campaigns are likely intended to target businesses rather than individuals.

What are the specialties of Ostap?

The interesting aspect of Ostap is that it includes anti-analysis measures. The JScript downloader includes a fake Windows Script Host runtime error that occurs shortly after the script starts running.

“Some samples of the downloader contain the characters **/ at the beginning on the JSE file. This is another anti-analysis measure that is used to trip up automated JavaScript analysis tools which may interpret the rest of the script as being part of a comment block, rather than executable code,” added the researchers.

Conclusion

Researchers note that Ostap’s aggressive anti-analysis features and low detection rate compared to other downloaders make it an attractive choice for malware operators.