2018-04-16 - QUICK POST: TRICKBOT MALSPAM AND TRAFFIC

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

• 2018-04-16-Trickbot-malspam-1155-UTC.eml.zip   26 kB (26,302 bytes)
• 2018-04-16-Trickbot-malspam-infection-traffic.pcap.zip   4.3 MB (4,273,471 bytes)
• 2018-04-16-Trickbot-infection-malware-and-artifacts.zip   410 kB (409,952 bytes)

NOTES:

• Following up on today's post by My Online Security about fake Royal Bank of Scotland emails delivering Trickbot banking trojan via Microsoft Equation Editor exploit.

 

IMAGES

Shown above:  Screenshot of the email.

 

Shown above:  Opening the attached file on a vulnerable Windows host.

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Artifacts found on the infected Windows host (1 of 2).

 

Shown above:  Artifacts found on the infected Windows host (2 of 2).

 

Shown above:  Scheduled task to ensure persistence on the infected Windows host.

 

Click here to return to the main page.