2017-08-12 - TRICKBOT ACTIVITY
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-08-12-Trickbot-infections-4-pcaps.zip 2.5 MB (2,512,416 bytes)
- 2017-08-12-Trickbot-malspam-tracker.csv.zip 1.1 kB (1,131 bytes)
- 2017-08-12-Trickbot-emails-and-malware.zip 1.8 MB (1,772,428 bytes)
NOTES:
- Trickbot is a banking Trojan that was first reported sometime in October 2016. It has been described as a successor to Dyreza or Dyre.
EMAILS
8 EXAMPLES FROM 2017-07-26 THROUGH 2017-08-11:
READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME
- 2017-07-26 17:22 UTC -- "HSBC" <noreply@hsbcdocs[.]co[.]uk> -- Account secure documents -- PaymentAdvice.doc
- 2017-08-01 19:08 UTC -- "Santander" <pleasedonotreply@santandersecuremessage[.]com> -- You have a new secure message waiting -- SecureMessage.doc
- 2017-08-02 17:39 UTC -- "HM Revenue & Customs" <donotreply@hmrccommunication[.]co[.]uk> -- You have a new secure communication -- SecureCommunication.doc
- 2017-08-03 17:07 UTC -- "Nationwide" <secured@nationwidesecure[.]co[.]uk> -- Nationwide Secure Email - Secured Message -- Secure.doc
- 2017-08-08 17:51 UTC -- "HM Revenue & Customs" <Gary.Brooks@hrmccommunication[.]co[.]uk> -- Company Excel Documents -- CompanyReport.xlsm
- 2017-08-09 10:31 UTC -- "New post Nat West Bank" <noreply@natwestdocuments6[.]ml> -- Nat West Bank -- West5476754-34.doc
- 2017-08-09 17:07 UTC -- "Lloyds Bank" <noreply@lloydsbacs[.]co[.]uk> -- Incoming BACs -- IncomingBACs.xlsm
- 2017-08-11 19:58 UTC -- "Natwest" <message@securenatwest[.]co[.]uk> -- Secure Message -- NATWESTSecureMessage.html
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Macros from Word or Excel retrieving a Trickbot binary.
Shown above: Certificate data typical for Trickbot post-infection traffic.
URLS GENERATED BY MACROS FROM THE ASSOCIATED WORD OR EXCEL DOCUMENTS TO RETRIEVE TRICKBOT:
- akustikingenieur[.]de - GET /templates/ewerserber.png
- carriereiserphotography[.]com - GET /logo.png
- carriereiter[.]com - GET /html/logo.png
- casajenty[.]com - GET /logo.png
- casasaotiago[.]com - GET /logo.png
- catterydelacanaille[.]be - GET /logo.png
- cbsiinc[.]com - GET /images/logo.png
- cbsswaarland[.]nl - GET /logo.png
- cbt-sex[.]com - GET /logo.png
- cfsannita[.]com - GET /Socionorari/ewerserber.png
- cwpiper[.]com - GET /logo.png
- hvsglobal[.]co[.]uk - GET /image/nologo.png [HTTPS]
- kartautoeskola[.]com - GET /test/images/logo.png [HTTPS]
- lexpertpret[.]com - GET /fr/nolog.png
- usdata.estoreseller[.]com - GET /images/logo.png
URL FROM HTML ATTACHMENT ON 2017-08-11 EMAIL TO RETRIEVE WORD DOCUMENT:
- natwestsecmsg[.]co[.]uk - GET /SecureMessage.doc [HTTPS]
TRICKBOT POST-INFECTION IP ADDRESSES AND PORTS:
- 23.95.9[.]152 port 443
- 46.160.165[.]31 port 443
- 67.211.208[.]42 port 443
- 72.211.215[.]68 port 449
- 91.247.37[.]112 port 443
- 104.160.176[.]241 port 443
- 185.40.20[.]42 port 447
- 185.82.218[.]118 port 443
- 185.144.156[.]176 port 443
- 186.103.161[.]204 port 443
- 188.165.62[.]62 port 443
- 191.7.30[.]30 port 443
- 193.70.125[.]188 port 443
- 210.16.102[.]142 port 447
- 210.16.102[.]167 port 443
MALWARE
Shown above: One of the malicious Word documents associated with this malspam.
SHA256 HASHES FOR THE MALSPAM ATTACHMENTS:
- 1d457069cb511af47a587287d59817148d404a2a7f39e1032d16094811f648e3 - CompanyReport.xlsm
- 75779e62f9790bd4c2ed449bd20be741f78811fb5ce848a2c5a516af17cdeccf - IncomingBACs.xlsm
- 9f6840709c15d7a2ed5c1d9502c23b122a639daa2c9cb6982a648b61b4789dca - NATWESTSecureMessage.html
- 51fc6482d1ab80010ebfe25d5b2a81c556235f4f541631589be49b3d9ac366af - PaymentAdvice.doc
- aa86a97ed059b08289199a9b9775040313b54b5ada19a501e5cf81553f7d0801 - Secure.doc
- 74f8f48afc7e761fa950e6656f178633f23dd02e207a7d20e0a873ca43778db8 - SecureCommunication.doc
- 08e3da6d2868bb292f81e3580b1686a34fc5c25051f2c9601671f35873688307 - SecureMessage-email-attachment.doc
- f77e4eebda4d50f76a4ad15f59f4f493928555e74fd680dd4a226121498c342d - SecureMessage-from-HTML-attachment.doc
- b9571aec8cc11b0596b02c6f76bc2802ed045be182e8748b904147534bef7e54 - West5476754-34.doc
SHA256 HASHES FOR THE TRICKBOT BINARIES I RECOVERED:
- 8ddad869f3b7bfa555890ee3cf503577e02c8599dd79b51dc458862f6f2843e7 - Trickbot binary from carriereiserphotography[.]com
- 2d40bc08e5b696b523b8ea9fe48cfd8294d279cf745b91a4b68dbed208facf1f - Trickbot binary from carriereiter[.]com
- 5da547e87d6ef12349fb4dbba9cf3146a358e284f72361dd07bbabfc95b0bac3 - Trickbot binary from usdata.estoreseller[.]com
Shown above: Artifacts from an infected Windows host.
IMAGES
Shown above: Screenshot from one of the emails (1 of 8).
Shown above: Screenshot from one of the emails (2 of 8).
Shown above: Screenshot from one of the emails (3 of 8).
Shown above: Screenshot from one of the emails (4 of 8).
Shown above: Screenshot from one of the emails (5 of 8).
Shown above: Screenshot from one of the emails (6 of 8).
Shown above: Screenshot from one of the emails (7 of 8).
Shown above: Screenshot from one of the emails (8 of 8).
Click here to return to the main page.