An analysis of TrickBot Malware by Quick Heal Security Labs


TrickBot has been a busy piece of malware over the last month because of its varied, polymorphic propagation methods and techniques. We have seen several versions of it, all using the same medium of propagation: spam emails. These emails carry either an attachment that downloads the malicious payload or a direct link to it.

TrickBot steals the login details (personal sensitive information and authentication codes) of banking customers. Till now we have seen it propagate through the file types listed below:

  1. VBS
  2. WSF
  3. PDF
  4. OLE

The VBS, WSF, PDF and OLE files download the payload from various malicious links onto the targeted computer as an encrypted text file, which is then decrypted and the resulting executable dropped in the %TEMP% location:

%TEMP%\<8 to 9 random_character>.exe  [PE File]

%TEMP%\<8 to 9 random_character>.exeA [Encrypted text file]

Examples

  1. %temp%\fungedsp8.exe [PE file]
  2. %temp%\rmpAYfLM.exe [PE file]

Some of the malicious hosts which the malware connects to


The table below lists the email subjects and attachment names seen with each file type.

| File Type | Email Subject | Attachment Name |
|---|---|---|
| VBS | blank subject line | doc<10_digits>.zip |
| WSF | Voice Message Attached from <11_digits> – name unavailable | <11_digits>_<07_digits>_<06_digits>.zip |
| PDF | Emailing: <8_digits> | <8_digits>.PDF |
| OLE | Account secure documents | PaymentAdvice.doc |

Fig 1

The below chart shows the recent trend of spam emails received in Quick Heal Security Labs from 18th to 31st July 2017.


Fig 2

Quick Heal Detection
Quick Heal proactively blocks the malicious emails related to the TrickBot malware and successfully detects the malicious files as shown below.

Fig 3

Trends to watch out for

  • The same malware is propagating through multiple channels to maximise the probability of being executed on the victim’s machine, getting past the company’s authentication controls and using the stolen credentials for nefarious purposes.
  • Malicious emails are increasingly using social engineering methods to trick victims into opening attachments.

Security steps to follow

  1. Any email attachment having the below extensions should not be executed directly:

     .js/.exe/.com/.pif/.scr/.hta/.vbs/.wsf/.jse/.jar

  2. When you receive an email, check if it is from a genuine source and scan it with your updated antivirus software.
  3. Never enable macros or editing mode if any document asks you to do so.
  4. Apply recommended security updates for your computer’s Operating System and all other programs such as Adobe, Java, Internet browsers, etc.
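One defender-side way to turn the indicators above (the %TEMP% dropper naming, the attachment names in Fig 1 and the extension list in step 1) into simple checks, as an added example that is not Quick Heal's code. The regexes, function names and the sample %TEMP% listing are my own encoding of what the page describes, not artefacts from the campaign.

```python
import re
from typing import Iterable, List, Optional

# Attachment naming patterns from Fig 1, one per lure type (regexes are my own
# encoding of the placeholders in the table: doc<10_digits>.zip, etc.).
ATTACHMENT_PATTERNS = {
    "VBS": re.compile(r"^doc\d{10}\.zip$", re.I),
    "WSF": re.compile(r"^\d{11}_\d{7}_\d{6}\.zip$", re.I),
    "PDF": re.compile(r"^\d{8}\.pdf$", re.I),
    "OLE": re.compile(r"^PaymentAdvice\.doc$", re.I),
}

# Extensions the page says must never be executed directly from an email.
RISKY_EXTENSIONS = {".js", ".exe", ".com", ".pif", ".scr", ".hta",
                    ".vbs", ".wsf", ".jse", ".jar"}

# Dropper artefact: an 8-9 character PE in %TEMP% next to an ".exeA" sibling
# (the encrypted text file). The ".exeA" suffix is matched exactly as the page gives it.
DROPPER_RE = re.compile(r"^([A-Za-z0-9]{8,9})\.exe$")

# Constructed %TEMP% listing for demonstration; only fungedsp8 has the sibling.
SAMPLE_TEMP = ["fungedsp8.exe", "fungedsp8.exeA", "rmpAYfLM.exe",
               "installer.exe", "notes.txt"]


def classify_attachment(name: str) -> Optional[str]:
    """Return the lure type whose attachment pattern matches, else None."""
    for lure, pattern in ATTACHMENT_PATTERNS.items():
        if pattern.match(name):
            return lure
    return None


def has_risky_extension(name: str) -> bool:
    """True if the attachment carries one of the directly executable extensions."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in RISKY_EXTENSIONS


def find_dropper_pairs(temp_listing: Iterable[str]) -> List[str]:
    """Return PE names from a %TEMP% listing that have a matching '.exeA' sibling."""
    names = set(temp_listing)
    hits = []
    for n in sorted(names):
        m = DROPPER_RE.match(n)
        if m and f"{m.group(1)}.exeA" in names:
            hits.append(n)
    return hits
```

Run `find_dropper_pairs(SAMPLE_TEMP)` to see the pairing rule flag only the PE that has its encrypted sibling present.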


Acknowledgment

  • Subject Matter Experts
    Swati Gaikwad, Nayan Vairagi | Quick Heal Security Labs
