2017-08-12 - MALSPAM CONTINUES TO PUSH TRICKBOT BANKING TROJAN

ASSOCIATED FILES:

• Zip archive of the pcaps:  2017-08-12-Trickbot-pcaps.zip   2.5 MB (2,511,906 bytes)
• Zip archive of the spreadsheet tracker:  2017-08-12-Trickbot-malspam-tracker.csv.zip   1.1 kB (1,131 bytes)
• Zip archive of the malware and artifacts:  2017-08-12-Trickbot-malspam-and-artifacts.zip   1.8 MB (1,770,188 bytes)

NOTES:

• Trickbot is a banking Trojan that was first reported sometime in October 2016.  It has been described as a successor to Dyreza or Dyre.
• Waves of malspam from the Necurs botnet have been pushing Trickbot, and we've seen reports as recently as mid-July 2017, like this example.
• But there hasn't been much publicly posted in the last week or so, even though I've seen a good deal about Trickbot reported by My Online Security recently.
• @dvk01uk from My Online Security provided me some examples of these emails, and I've sanitized 8 of them for this blog post.
• Trickbot is, indeed, an on-going concern.

ASSOCIATED BLOG POSTS:

• 2017-07-04 - Malware lab of S2 Group - Evolution of Trickbot, report 06/2017
• 2017-08-01 - MalwareBytes blog - TrickBot comes with new tricks – attacking Outlook and browsing data

• 2017-07-26 - My Online Security - Spoofed HSBC Account secure documents malspam delivers trickbot
• 2017-08-01 - My Online Security - Spoofed Santander You have a new secure message waiting malspam delivers Trickbot banking trojan
• 2017-08-02 - My Online Security - Another spoofed HMRC You have a new secure communication malspam delivers Trickbot banking trojan
• 2017-08-03 - My Online Security - Spoofed Nationwide Secure Email – Secured Message malspam delivers Trickbot banking Trojan
• 2017-08-08 - My Online Security - Another Spoofed HMRC Company Excel Documents delivers trickbot
• 2017-08-09 - My Online Security - Spoofed Nat West Bank financial activity statement malspam delivers trickbot
• 2017-08-09 - My Online Security - Yet another Spoofed Lloyds Bank Incoming BACs malspam delivers trickbot
• 2017-08-10 - My Online Security - Spoofed Danske Bank Secure Message malspam delivers trickbot
• 2017-08-11 - My Online Security - Spoofed Natwest Secure Message delivers trickbot

 

EMAILS

8 EXAMPLES FROM 2017-07-26 THROUGH 2017-08-11:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME

• 2017-07-26 17:22 UTC -- "HSBC" <noreply@hsbcdocs.co.uk> -- Account secure documents -- PaymentAdvice.doc
• 2017-08-01 19:08 UTC -- "Santander" <pleasedonotreply@santandersecuremessage.com> -- You have a new secure message waiting -- SecureMessage.doc
• 2017-08-02 17:39 UTC -- "HM Revenue & Customs" <donotreply@hmrccommunication.co.uk> -- You have a new secure communication -- SecureCommunication.doc
• 2017-08-03 17:07 UTC -- "Nationwide" <secured@nationwidesecure.co.uk> -- Nationwide Secure Email - Secured Message -- Secure.doc
• 2017-08-08 17:51 UTC -- "HM Revenue & Customs" <Gary.Brooks@hrmccommunication.co.uk> -- Company Excel Documents -- CompanyReport.xlsm
• 2017-08-09 10:31 UTC -- "New post Nat West Bank" <noreply@natwestdocuments6.ml> -- Nat West Bank -- West5476754-34.doc
• 2017-08-09 17:07 UTC -- "Lloyds Bank" <noreply@lloydsbacs.co.uk> -- Incoming BACs -- IncomingBACs.xlsm
• 2017-08-11 19:58 UTC -- "Natwest" <message@securenatwest.co.uk> -- Secure Message -- NATWESTSecureMessage.html

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Macros from Word or Excel retrieving a Trickbot binary.

 

Shown above:  Certificate data typical for Trickbot post-infection traffic.

 

URLS GENERATED BY MACROS FROM THE ASSOCIATED WORD OR EXCEL DOCUMENTS TO RETRIEVE TRICKBOT:

• akustikingenieur.de - GET /templates/ewerserber.png
• carriereiserphotography.com - GET /logo.png
• carriereiter.com - GET /html/logo.png
• casajenty.com - GET /logo.png
• casasaotiago.com - GET /logo.png
• catterydelacanaille.be - GET /logo.png
• cbsiinc.com - GET /images/logo.png
• cbsswaarland.nl - GET /logo.png
• cbt-sex.com - GET /logo.png
• cfsannita.com - GET /Socionorari/ewerserber.png
• cwpiper.com - GET /logo.png
• hvsglobal.co.uk - GET /image/nologo.png   [HTTPS]
• kartautoeskola.com - GET /test/images/logo.png   [HTTPS]
• lexpertpret.com - GET /fr/nolog.png
• usdata.estoreseller.com - GET /images/logo.png

 

URL FROM HTML ATTACHMENT ON 2017-08-11 EMAIL TO RETRIEVE WORD DOCUMENT:

• natwestsecmsg.co.uk - GET /SecureMessage.doc   [HTTPS]

 

TRICKBOT POST-INFECTION IP ADDRESSES AND PORTS:

• 23.95.9.152 port 443
• 46.160.165.31 port 443
• 67.211.208.42 port 443
• 72.211.215.68 port 449
• 91.247.37.112 port 443
• 104.160.176.241 port 443
• 185.40.20.42 port 447
• 185.82.218.118 port 443
• 185.144.156.176 port 443
• 186.103.161.204 port 443
• 188.165.62.62 port 443
• 191.7.30.30 port 443
• 193.70.125.188 port 443
• 210.16.102.142 port 447
• 210.16.102.167 port 443

 

MALWARE

Shown above:  One of the malicious Word documents associated with this malspam.

 

SHA256 HASHES FOR THE MALSPAM ATTACHMENTS:

• 1d457069cb511af47a587287d59817148d404a2a7f39e1032d16094811f648e3 - CompanyReport.xlsm
• 75779e62f9790bd4c2ed449bd20be741f78811fb5ce848a2c5a516af17cdeccf - IncomingBACs.xlsm
• 9f6840709c15d7a2ed5c1d9502c23b122a639daa2c9cb6982a648b61b4789dca - NATWESTSecureMessage.html
• 51fc6482d1ab80010ebfe25d5b2a81c556235f4f541631589be49b3d9ac366af - PaymentAdvice.doc
• aa86a97ed059b08289199a9b9775040313b54b5ada19a501e5cf81553f7d0801 - Secure.doc
• 74f8f48afc7e761fa950e6656f178633f23dd02e207a7d20e0a873ca43778db8 - SecureCommunication.doc
• 08e3da6d2868bb292f81e3580b1686a34fc5c25051f2c9601671f35873688307 - SecureMessage-email-attachment.doc
• f77e4eebda4d50f76a4ad15f59f4f493928555e74fd680dd4a226121498c342d - SecureMessage-from-HTML-attachment.doc
• b9571aec8cc11b0596b02c6f76bc2802ed045be182e8748b904147534bef7e54 - West5476754-34.doc

 

SHA256 HASHES FOR THE TRICKBOT BINARIES I RECOVERED:

• 8ddad869f3b7bfa555890ee3cf503577e02c8599dd79b51dc458862f6f2843e7 - Trickbot binary from carriereiserphotography.com
• 2d40bc08e5b696b523b8ea9fe48cfd8294d279cf745b91a4b68dbed208facf1f - Trickbot binary from carriereiter.com
• 5da547e87d6ef12349fb4dbba9cf3146a358e284f72361dd07bbabfc95b0bac3 - Trickbot binary from usdata.estoreseller.com

 

Shown above:  Artifacts from an infected Windows host.

 

IMAGES

Shown above:  Screenshot from one of the emails (1 of 8).

 

Shown above:  Screenshot from one of the emails (2 of 8).

 

Shown above:  Screenshot from one of the emails (3 of 8).

 

Shown above:  Screenshot from one of the emails (4 of 8).

 

Shown above:  Screenshot from one of the emails (5 of 8).

 

Shown above:  Screenshot from one of the emails (6 of 8).

 

Shown above:  Screenshot from one of the emails (7 of 8).

 

Shown above:  Screenshot from one of the emails (8 of 8).

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcaps:  2017-08-12-Trickbot-pcaps.zip   2.5 MB (2,511,906 bytes)
• Zip archive of the spreadsheet tracker:  2017-08-12-Trickbot-malspam-tracker.csv.zip   1.1 kB (1,131 bytes)
• Zip archive of the malware and artifacts:  2017-08-12-Trickbot-malspam-and-artifacts.zip   1.8 MB (1,770,188 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.