2018-05-01 - TRICKBOT FROM MALSPAM, SUBJECT: FW: ACCOUNT DOCUMENTS

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the traffic:  2018-05-01-Trickbot-infection-traffic.pcap.zip   6.5 MB (6,501,990 bytes)

• 2018-05-01-Trickbot-infection-traffic.pcap   (7,121,402 bytes)

• Zip archive of the email:  2018-05-01-Trickbot-malspam-1133-UTC.eml.zip   38 kB (38,222 bytes)

• 2018-05-01-Trickbot-malspam-1133-UTC.eml   (116,476 bytes)

• Zip archive of the malware and artifacts:  2018-05-01-malware-and-artifacts-from-Trickbot-infection.zip   422 kB (421,620 bytes)

• 2018-05-01-Trickbot-artifact.txt   (329 bytes)
• 2018-05-01-Trickbot-binary-1-of-2.exe   (270,336 bytes)
• 2018-05-01-Trickbot-binary-2-of-2.exe   (372,224 bytes)
• 2018-05-01-Trickbot-malspam-attached-RTF-file.doc   (62,492 bytes)
• 2018-05-01-scheduled-task-to-keep-Trickbot-persistent.txt   (3,676 bytes)

NOTES:

• This post was delayed a day, because I was busy with other things.
• My thanks to @dvk01uk for Wednesday's blog post on My Online Security.
• For the past few weeks, Trickbot malspam has been using RTF attachments exploiting CVE-2017-11882.
• These RTF attachments are disguised as Microsoft Word documents, because they use the .doc file extension.
• Information on this Trickbot binary's configuration is available at this page on Github by @JR0driguezB.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

• hxxp[:]//tasfitness[.]com/2593f737367806c10fb5aa7766eda1ea4a.bin
• hxxp[:]//opticsigns[.]com/2593f737367806c10fb5aa7766eda1ea4a.bin
• hxxp[:]//46.161.39[.]175/table.png
• hxxp[:]//46.161.39[.]175/toler.png
• hxxp[:]//193.233.62[.]81/526.png

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

Received: from santander-bank[.]co[.]uk (unknown [128.127.108[.]227])
        by [removed] for [removed]; Tue, 1 May 2018 18:41:12 +0700 (WIB)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=santander-bank[.]co[.]uk;
 h=Mime-Version:Subject:From:Date:To:Content-Type:Message-ID;
 bh=ejKKHFcJirhlS5iAlWanrKPxCG8=;
 b=Apz+AO1YOiBWaxpz8Ec6NlMRyqEMSv/OEh4xSjpC3BSjKEGyX2Ne0iuDUF/P0ybaxeUKkF+x0Ez7
   wzMHw2bLhSz+fTeLMRhEL6bId+lafRAAnD2iaOVnI8SLONPTsRtZ2+ZTl340x3cyBrFodl0/hOXU
   K851ysBuZDS/9aiXpP4=
Received: by santander-bank[.]co[.]uk id ht196nocte0i for [removed]; Tue, 1 May 2018 07:33:09 -0400 (envelope-from <noreply-[recipient's email address]@santander-bank[.]co[.]uk>)
Mime-Version: 1.0
Subject:  FW: Account Documents
From: "Santander" <noreply@santander-bank[.]co[.]uk>
Date: Tue, 1 May 2018 07:33:09 -0400
To: [removed]
Content-Type: multipart/mixed;
 boundary=01b8f130f133240b42a2a8ce9c735cd9
Message-ID: <0.0.0.0.1D3E1402E438116.43E88E4@santander-bank[.]co[.]uk>

 

Shown above:  RTF document attached to the malspam.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

NETWORK TRAFFIC FROM AN INFECTED LAB HOST:

• 192.185.21[.]14 port 80 - tasfitness[.]com - GET /2593f737367806c10fb5aa7766eda1ea4a.bin
• port 80 - api.ipify[.]org - GET /   (IP address check by the infected host)
• 69.122.117[.]95 port 449 - SSL/TLS traffic caused by Trickbot
• 95.213.200[.]40 port 447 - SSL/TLS traffic caused by Trickbot
• 69.122.117[.]95 port 449 - SSL/TLS traffic caused by Trickbot
• 46.161.39[.]175 port 80 - 46.161.39[.]175 - GET /table.png
• 46.161.39[.]175 port 80 - 46.161.39[.]175 - GET /toler.png
• 46.161.39[.]175 port 80 - 46.161.39[.]175 - GET /toler.png
• 193.233.62[.]81 port 80 - 193.233.62[.]81 - GET /526.png
• port 80 - icanhazip[.]com - GET /   (IP address check by the infected host)
• 118.91.178[.]106 port 449 - SSL/TLS traffic caused by Trickbot
• 68.227.31[.]46 port 449 - SSL/TLS traffic caused by Trickbot

 

FILE HASHES

RTF ATTACHMENT FROM THE MALSPAM:

• SHA256 hash:  800150b0ecd5d7552f6d2714306c7ecc8df539bb358df48568265f7d405d2052
  File size:  62,492 bytes
  File name:  AccountDocuments.doc
  File description:  RTF file with CVE-2017-11882 exploit for Microsoft Office

TRICKBOT BINARY (1 OF 2):

• SHA256 hash:  555c88051ccfa891550c7c149ee4d95843923bc8d98e9731ffb7e04004bb3d5d
  File size:  270,336 bytes
  File location:  C:\Users\[username]\AppData\Roaming\LogMonitor\odotpeak.exe
  File description:  Trickbot malware (Windows executable file)

TRICKBOT BINARY (2 OF 2):

• SHA256 hash:  6d57b3dfa296d9c296819ea4d89794aa8ada1f36edcf3134924c1a6460be7bc2
  File size:  372,224 bytes
  File location:  C:\Users\[username]\AppData\Roaming\LogMonitor\odotpeak.exe
  File description:  Trickbot malware (Windows executable file)

Shown above:  Trickbot malware persistent on the infected Windows host.

 

Click here to return to the main page.