TrickBot – Banking trojan back in action

According to recent reports, many have been hit from trickBot Trojan around the globe in last week. Be-aware before it reaches to you.

TrickBot was delivered by via fake Efax messages as malspam and by abusing pastebin. Over a night it has reached to out the people across the globe, causing serious confrontational and financial damages.

What is TrickBot ?

  • Trojan.TrickBot is Malwarebytes’ detection name for a banking trojan targeting Windows machines.
  • Trickbot attacks are designed to access online accounts, including bank accounts, with the goal of obtaining Personally Identifiable Information (PII) which can be used to facilitate identity fraud.
  • It steals sensitive information, including banking login details and memorable information, by manipulating web-browsing sessions.
  • Gathers detailed information about infected devices and networks.
  • It steals saved online account passwords, cookies and web history
  • Steal login credentials for infected devices
  • Connect infected devices to malicious, criminally controlled, networks over the Internet leading to CnC activites.
  • Download further malicious files such as Remote Access Tools, VNC clients, or ransomware.

Step by Step Trickbot action mechanism

1. Fake Efax email – Malicious doc delivered via an email

In this section we will see how the Trickbot targeted user using email.

Email with malicious doc file
Email body content
Malicious Doc File

Analysis of the above maldoc: Fake efax word document – 713-288-4192.doc

Virustotal:https://www.virustotal.com/#/file/093d7065b58d12653ecd49a9c96dfa7a24b9c5224592f83ef4fa150efccc7a0b/details

Sandbox Analysis : https://www.hybrid-analysis.com/sample/093d7065b58d12653ecd49a9c96dfa7a24b9c5224592f83ef4fa150efccc7a0b?environmentId=120

2. Once Doc is opened, it uses pastebin to download malicious XML script on the system

In this section, we will see how this doc downloads the XML script and what happens from there onward.

Sample Script information can be seen here: https://pastebin.com/KpfXBEep

Snapshots of downloaded XML file: nQ4YJ47K.xml Script was highly encoded and obfuscated.

Encoded and obfuscated script

Analysis of the downloaded xml file:

**Note that, never depend on virustotal completely, as initially when this activity occurred, virustotal scanned this file clean, not a single hit from any vendor was there.**

Sandbox Analysis of actual XML file: Hybrid Analysis – Downloaded XML file, click here.

https://www.virustotal.com/#/file/c6e92ce99784d6053ffae7325a2ea410b01846e4de9ddb69dfb8b6146cab1388/detection

As initially xml script was detected clean, I went ahead using Oletools as they are fast and quick in giving estimate results for any malicious files.

olevba –reveal –decode nQ4yJ47k
olevba –reveal –deobf –decode nQ4yJ47k

3. This XML file drops the trickbot executable on the device

Above xml file has one Trojan Javascript (AQ3Yw_yn.JS) injected in it, which drops the Trickbot executable file Gtag Ser0319us.

Analysis of the Trickbot executable: https://www.virustotal.com/#/file/473f6c4cd27ceee5cd39333167623d17bb35be016fac87fcf2a6d369159e9690/detection

4. TrickBot Stealing Data

Once TrickBot executable is downloaded and executed, It starts stealing the information from the infected system, which can be observed as the part of Command and control activity, post infection traffic and Indication of compromise.

IP reputation the CnC server Cowboy IP: https://www.virustotal.com/#/ip-address/103.119.144.250

It starts with stealing credentials, usernames and password saved in browser.

Stealing System and its network information

5. done with stealing information It proceeds making Get requests for more malicious stuff.

Further Malicious HTTP requests.

Analysis of the above get request:

table.png: https://www.virustotal.com/gui/url/7dc6e9828a4f99f08288d0a2db3cbe80185230bd184b54456ecfc0d7b8ae701b/detection
radiance.png: https://www.virustotal.com/#/url/1a5b70da0841d51f0068f9819dbb1d974fa5d85837c91179e2549e4257ad0c20/detection
worming.png: https://www.virustotal.com/#/url/0c01aaf659a39c098058c27790d63a74f2b31c1a0dfd446133e8f0b940b477dc/detection

Malicious IPs and Connections observed : IOCs

IPs:
104[dot]20[dot]209[dot]21
179[dot]189[dot]241[dot]254
176[dot]58[dot]123[dot]25
185[dot]255[dot]79[dot]7
37[dot]44[dot]215[dot]137
103[dot]119[dot]144[dot]250
213[dot]183[dot]63[dot]75

HTTP Connections
hxxp:/ /pastebin[dot]com/raw/nQ4yJ47k
hxxps:/ /ident[dot]me/
hxxp:/ /103[dot]119[dot]144[dot]250:8082/ser0319us/USER-PC[dot]**************************/81/
hxxp:/ /103[dot]119[dot]144[dot]250:8082/ser0319us/USER-PC[dot]**************************/83/
hxxp:/ /213[dot]183[dot]63[dot]75/radiance[dot]png
hxxp:/ /213[dot]183[dot]63[dot]75/table[dot]png

Solution

References:

Please tell us your reviews on this, Stay tuned for more cyber stuff !!

1 thought on “TrickBot – Banking trojan back in action”

  1. Pingback: "MegaCortex" Ransomware in action -A MayDay gift no-one wanted | Security@Speaks

Leave a Comment

Your e-mail address will not be published. Required fields are marked *