According to recent reports, TrickBot infections have hit victims around the globe over the last week. Be aware of it before it reaches you.
In this campaign TrickBot was delivered as malspam in fake eFax messages, and the attackers abused Pastebin to host the second stage. Within a day it had spread to people across the globe, causing serious disruption and financial losses.
What is TrickBot?
- Trojan.TrickBot is Malwarebytes’ detection name for a banking trojan targeting Windows machines.
- TrickBot attacks are designed to gain access to online accounts, including bank accounts, with the goal of obtaining Personally Identifiable Information (PII) that can be used to facilitate identity fraud.
- It steals sensitive information, including banking login details and answers to security questions ("memorable information"), by manipulating web-browsing sessions.
- It gathers detailed information about infected devices and the networks they sit on.
- It steals saved online account passwords, cookies and web history.
- It steals login credentials for the infected devices themselves.
- It connects infected devices to criminally controlled command-and-control (C2) infrastructure over the Internet.
- It downloads further malicious payloads such as remote access tools, VNC clients, or ransomware.
Step by step: how the TrickBot infection chain works
1. Fake eFax email – malicious .doc delivered as an attachment
In this section we will see how TrickBot targeted users by email.
Analysis of the above maldoc: fake eFax Word document – 713-288-4192.doc
2. Once the .doc is opened, it uses Pastebin to download a malicious XML script onto the system
In this section we will see how the document downloads the XML script and what happens from there onward.
Sample Script information can be seen here: https://pastebin.com/KpfXBEep
Snapshots of the downloaded XML file, nQ4YJ47K.xml: the script was heavily encoded and obfuscated.
Analysis of the downloaded XML file:
**Note: never rely on VirusTotal alone. When this activity first occurred, VirusTotal reported this file as clean, without a single detection from any vendor.**
Sandbox analysis of the actual XML file: see the Hybrid Analysis report for the downloaded XML file.
As the XML script was initially detected as clean, I went ahead and used oletools, as they are fast and quick at giving an estimated result for any malicious file.
3. The XML file drops the TrickBot executable onto the device
Analysis of the TrickBot executable: https://www.virustotal.com/#/file/473f6c4cd27ceee5cd39333167623d17bb35be016fac87fcf2a6d369159e9690/detection
4. TrickBot steals data
Once the TrickBot executable has been downloaded and executed, it starts stealing information from the infected system. This can be observed in the command-and-control activity, the post-infection traffic and the indicators of compromise.
IP reputation of the C2 server (Cowboy IP): https://www.virustotal.com/#/ip-address/18.104.22.168
It starts by stealing credentials: the usernames and passwords saved in the browser.
5. Once it has finished stealing information, it proceeds to make GET requests for further malicious components
Analysis of the above GET request:
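The five steps above form one chain that a defender can correlate in endpoint or proxy logs: an Office document is opened, a fetch from Pastebin follows within minutes, an executable is written, and the host then talks to the C2 IP. The script below is an added example and is not code from the original analysis or from any vendor tool. The only indicators taken from this post are the Pastebin staging host, the XML file name nQ4YJ47K.xml and the C2 IP 18.104.22.168; the process names (winword.exe, wscript.exe), the dropped file name tb.exe, the one-event-per-line log format, the sample log lines and the 10-minute correlation window are assumptions constructed for illustration.

```python
"""Correlate the TrickBot infection chain from this post in endpoint logs.

Added example, not code from the original post. The log format is a
constructed one-event-per-line format:
    <ISO timestamp> <host> <process> <event> <value>
where event is 'open' (file opened), 'net' (outbound connection) or
'write' (file written).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the post: the Pastebin host that served the XML
# stage and the IP identified there as the TrickBot C2 server.
STAGING_HOSTS = {"pastebin.com"}
C2_IPS = {"18.104.22.168"}
# Assumption: the fake eFax .doc is opened in Word; the post does not name
# the Office binary.
OFFICE_PROCS = {"winword.exe"}
DOC_EXTS = (".doc", ".docm", ".rtf")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<event>open|net|write) (?P<value>.+)$"
)

# Constructed sample log. ws-17 follows the full chain; ws-22 only browses
# Pastebin; ws-31 only opens a Word document. The spawning process
# (wscript.exe) and the dropped file name (tb.exe) are assumptions.
SAMPLE_LOG = r"""
2019-02-20T09:01:02Z ws-17 winword.exe open 713-288-4192.doc
2019-02-20T09:01:09Z ws-17 wscript.exe net https://pastebin.com/KpfXBEep
2019-02-20T09:01:11Z ws-17 wscript.exe write C:\Users\u\AppData\Local\Temp\nQ4YJ47K.xml
2019-02-20T09:01:30Z ws-17 wscript.exe write C:\Users\u\AppData\Roaming\tb.exe
2019-02-20T09:01:45Z ws-17 tb.exe net 18.104.22.168:443
2019-02-20T09:05:00Z ws-22 chrome.exe net https://pastebin.com/raw/abcd1234
2019-02-20T09:06:00Z ws-31 winword.exe open quarterly-report.doc
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["proc"] = ev["proc"].lower()
    return ev


def host_of(target):
    """Return the bare host or IP from a URL or host:port string, lower-cased."""
    target = re.sub(r"^[a-z]+://", "", target, flags=re.IGNORECASE)
    return re.split(r"[/:]", target, maxsplit=1)[0].lower()


def correlate(log_text, window=timedelta(minutes=10)):
    """Return {host: [stages]} for hosts that show the TrickBot chain.

    Stages in order: 'maldoc_open' (Office opens a document),
    'pastebin_fetch' (any process on the host reaches a staging host within
    `window` of that open), 'payload_drop' (an .exe is written after the
    fetch) and 'c2_contact' (a connection to a listed C2 IP). A host is
    reported only if it reached 'pastebin_fetch' or contacted the C2:
    opening a .doc alone, or a browser visit to Pastebin alone, is normal.
    """
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_host[ev["host"]].append(ev)

    hits = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        stages = []
        doc_open_ts = None

        def mark(stage):
            if stage not in stages:
                stages.append(stage)

        for ev in events:
            target = ev["value"]
            if ev["event"] == "open" and ev["proc"] in OFFICE_PROCS \
                    and target.lower().endswith(DOC_EXTS):
                doc_open_ts = ev["ts"]
                mark("maldoc_open")
            elif ev["event"] == "net" and host_of(target) in C2_IPS:
                mark("c2_contact")
            elif ev["event"] == "net" and doc_open_ts is not None \
                    and ev["ts"] - doc_open_ts <= window \
                    and host_of(target) in STAGING_HOSTS:
                mark("pastebin_fetch")
            elif ev["event"] == "write" and "pastebin_fetch" in stages \
                    and target.lower().endswith(".exe"):
                mark("payload_drop")

        if "pastebin_fetch" in stages or "c2_contact" in stages:
            hits[host] = stages
    return hits


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Run as-is it reports only ws-17 with all four stages. In a real deployment the same logic would be fed from process-creation, network-connection and file-write telemetry (for example Sysmon or EDR events) rather than the constructed format used here; the point is the ordering and time window, which let a defender catch the Office-to-Pastebin step even when the dropped files are not yet detected by antivirus, as the VirusTotal note above shows.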
Malicious IPs and connections observed (IOCs)
Remediation:
- Isolate the internal host and stop it before the infection spreads across your entire network.
- Re-image the host.
- For a detailed solution, please read our post: What Is Malware And Its Types And How To Identify And Remove It?
Please share your feedback on this post, and stay tuned for more security content!