{"id":84409,"date":"2017-06-16T20:15:22","date_gmt":"2017-06-16T14:45:22","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84409"},"modified":"2017-06-16T20:15:22","modified_gmt":"2017-06-16T14:45:22","slug":"beware-trickbot-trojan-back","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/beware-trickbot-trojan-back\/","title":{"rendered":"Beware! The TrickBot Trojan is back"},"content":{"rendered":"<p><strong>TrickBot Trojan<\/strong> was first identified in mid-2016 and is considered similar to the Dyreza banking Trojan. Initially, the payload (<em>the component of a computer virus that executes a malicious activity<\/em>) was spreading through a malvertising campaign using the Rig Exploit Kit. Our current findings show that TrickBot has changed its propagation technique and is now spreading using the Necurs Botnet (<em>a distributor of many pieces of malware, including ransomware<\/em>).<\/p>\n<p>1) Earlier, we discovered a malspam (<em>malware that is delivered via email messages<\/em>) campaign that was delivering the TrickBot Trojan. It consisted of blank emails with no subject line.<\/p>\n<p>Each email carried <strong>scan_RandomNo.doc<\/strong> as a file attachment [e.g. <em>SCAN_4744.doc, SCAN_1254.doc<\/em>].<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-84410 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/TrickBot1.png\" alt=\"trickbot1\" width=\"388\" height=\"308\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot1.png 388w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot1-300x238.png 300w\" sizes=\"(max-width: 388px) 100vw, 388px\" \/><\/p>\n<p style=\"text-align: center\">Fig 1. 
A blank email with <strong>SCAN_4744.doc<\/strong> as an attachment.<\/p>\n<p>The doc file contains an embedded macro, and its functionality is similar to that of the Dridex family.<\/p>\n<p>2) Presently, this malspam campaign uses zip attachments with keywords such as <strong>invoice<\/strong> in the name, as shown below.<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-84411 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/TrickBot2.png\" alt=\"trickbot2\" width=\"393\" height=\"311\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot2.png 393w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot2-300x237.png 300w\" sizes=\"(max-width: 393px) 100vw, 393px\" \/>Fig 2. Email containing a .zip attachment<\/p>\n<p>Invoicepis_RandomNo.zip contains another .zip, which holds a script file with a .wsf extension.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-84412 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/TrickBot3.png\" alt=\"trickbot3\" width=\"625\" height=\"52\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot3.png 625w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot3-300x25.png 300w\" sizes=\"(max-width: 625px) 100vw, 625px\" \/><\/p>\n<p style=\"text-align: center\">Fig 3<\/p>\n<p>This .wsf file is executed by Windows \u2018wscript.exe\u2019 and downloads an extension-less encoded file into the %temp% folder, which is then decoded in the same location as same_file_name.exe. 
It then copies itself into the \u2018%appdata%\\winapp\u2019 folder.<\/p>\n<p>In addition to this, it downloads two further components, \u2018client_id\u2019 &amp; \u2018group_tag\u2019.<\/p>\n<ul>\n<li>\u2018client_id\u2019 holds information such as the name of the victim\u2019s machine, OS version, etc.<\/li>\n<li>\u2018group_tag\u2019 contains a value such as \u2018mac1\u2019.<\/li>\n<\/ul>\n<p>This Trojan also injects DLLs into the browsers installed on the infected machine to steal information such as usernames, passwords, etc.<\/p>\n<p>In addition to this, we have also observed that a few .wsf files received during our analysis of this malspam campaign are spreading a new variant of <a href=\"https:\/\/blogs.quickheal.com\/pdf-files-embedded-docm-files-now-deliver-jaff-ransomware\/\">JAFF ransomware<\/a>.<\/p>\n<p>3) On 14.06.17, we observed another malspam campaign delivering TrickBot.<\/p>\n<p style=\"text-align: center\"><strong>\u00a0<img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-84414 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/TrickBot4.png\" alt=\"trickbot4\" width=\"433\" height=\"325\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot4.png 433w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot4-300x225.png 300w\" sizes=\"(max-width: 433px) 100vw, 433px\" \/><\/strong>Fig 4. 
Email containing a zip as an attachment<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-84415 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/TrickBot5.png\" alt=\"trickbot5\" width=\"538\" height=\"53\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot5.png 538w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot5-300x30.png 300w\" sizes=\"(max-width: 538px) 100vw, 538px\" \/><\/strong><\/p>\n<p style=\"text-align: center\">Fig 5<\/p>\n<p>Emails delivered through this new malspam campaign contain RandomNo.zip, which holds a .docm file.<\/p>\n<ul>\n<li>The .docm file has an embedded macro which, when enabled, downloads and installs components of the TrickBot Trojan on the infected machine.<\/li>\n<\/ul>\n<p><strong>Quick Heal Detection<\/strong><\/p>\n<p>1. Quick Heal has detection for the .doc and .wsf files and for the downloaded payload files.<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-84417 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/TrickBot6.png\" alt=\"trickbot6\" width=\"315\" height=\"166\" \/>Fig 6<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-84416 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/TrickBot7.png\" alt=\"trickbot7\" width=\"287\" height=\"149\" \/>Fig 7<\/p>\n<p style=\"text-align: left\">2. 
<a href=\"https:\/\/www.quickheal.co.in\/home-users\/quick-heal-total-security\">Quick Heal<\/a> behavior-based detection successfully detects the malicious activities of TrickBot.<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-84418 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/06\/TrickBot8.png\" alt=\"trickbot8\" width=\"457\" height=\"263\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot8.png 457w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/06\/TrickBot8-300x173.png 300w\" sizes=\"(max-width: 457px) 100vw, 457px\" \/>Fig 8<\/p>\n<p><strong>Precautionary Measures<\/strong><\/p>\n<p>1) Avoid opening email attachments received from unknown, unwanted or unexpected sources.<\/p>\n<p>2) Open all Microsoft documents, PDF files, etc., received as email attachments only in \u2018Protected View\u2019.<\/p>\n<p><strong>Acknowledgement<\/strong><\/p>\n<p>Subject Matter Expert<br \/>\nSmita Kuyte | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TrickBot Trojan was first identified in mid-2016 and considered similar to the Dyreza banking Trojan. Initially, the payload (the component of a computer virus that executes a malicious activity) was spreading through a malvertising campaign using the Rig Exploit Kit. 
From our current findings, we have found that TrickBot has changed its propagation technique and [&hellip;]<\/p>\n","protected":false},"author":29,"featured_media":84419,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[133,303,910,5],"tags":[1139,1460,40],"class_list":["post-84409","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacker","category-phishing","category-ransomware","category-security","tag-banking-trojan","tag-trickbot-trojan","tag-trojan"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84409"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84409"}],"version-history":[{"count":1,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84409\/revisions"}],"predecessor-version":[{"id":84420,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84409\/revisions\/84420"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84419"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}