Blog

Quick Heal Security Labs
An analysis of TrickBot Malware by Quick Heal Security Labs
August 4, 2017

trickbotmalware_quick_heal

TrickBot has been a busy malware in the last month because of its various polymorphic propagation methods and techniques. We have seen collective versions and the same medium of propagation – the spam emails. These emails contain attachments to download or a direct link to spread the malicious payload.

Trickbot is involved in stealing login details (personal sensitive information and authentication codes) of people related to banks. Till now we have seen its propagation through the file types listed below:

  1. VBS
  2. WSF
  3. PDF
  4. OLE

VBS, WSF, PDF, and OLE files download the payload from different malicious links to the targeted computer in an encrypted text format which is then decrypted and dropped into the %TEMP% location.

%TEMP%\<8 to 9 random_character>.exe  [PE File]

%TEMP%\<8 to 9 random_character>.exeA [Encrypted text file]

Examples

  1. %temp%\fungedsp8.exe [PE file]
  2. %temp%\rmpAYfLM.exe [PE file]

Some of the malicious hosts which the malware connects to

  1. hxxp://provisionbazaar.com/56evcxv?
  2. hxxp://pluzcoll.com/56evcxv?
  3. hxxp://autoecole-jeanlouis.com/sdfgdsg1?
  4. hxxp://aprendersalsa.com/nhg67r?
  5. hxxp://ctinfotech.com/98tf77b
  6. hxxp://skynetwork.com.au/nc367f3n

The below chart shows the email subjects and attachments with various names

File Type Email Subject Attachment Name
VBS blank subject line doc<10_digits>.zip
WSF Voice Message Attached from <11_digits> – name unavailable <11_digits>_<07_digits>_<06_digits>.zip
PDF Emailing: <8_digits> <8_digits>.PDF
OLE Account secure documents PaymentAdvice.doc

Fig 1

The below chart shows the recent trend of spam emails received in Quick Heal Security Labs from 18th to 31st July 2017.

trickbotmalware1

Fig 2

Quick Heal Detection
Quick Heal proactively blocks the malicious emails related to the TrickBot malware and successfully detects the malicious files as shown below.

Fig 3

Fig 3

Trends to watch out for

  • The same malware is propagating through different ways to have maximum probability to get executed on the victim’s machine and get through the company’s authentication system and use them to for nefarious purposes.
  • Malicious emails are increasingly using social engineering methods to trick victims into opening attachments.

Security steps to follow

  1. Any email attachment having the below extensions should not be executed directly:

.js/.exe/.com/.pif/.scr/.hta/.vbs/.wsf/.jse/.jar

  1. When you receive an email, check if it is from a genuine source and scan it with your updated antivirus software.
  2. Never enable macros or editing mode if any document asks you to do so.
  3. Apply recommended security updates for your computer’s Operating System and all other programs such as Adobe, Java, Internet browsers, etc.

 

Acknowledgment

  • Subject Matter Experts
    Swati Gaikwad, Nayan Vairagi | Quick Heal Security Labs

 

 

SHARE THIS STORY

Have something to add to this story? Share it in the comments.

Quick Heal Security Labs
About Quick Heal Security Labs
Quick Heal Threat Research Labs provides detailed analysis of current malware trends, threats, vulnerabilities and recent cyber-attacks. The Labs’ reports help...
Articles by Quick Heal Security Labs »

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image