Quick Heal Security Labs
Beware! The TrickBot Trojan is back
June 16, 2017

The TrickBot Trojan was first identified in mid-2016 and is considered similar to the Dyreza banking Trojan. Initially, the payload (the component of a computer virus that executes a malicious activity) was spread through a malvertising campaign using the Rig Exploit Kit. Our current findings show that TrickBot has changed its propagation technique and is now spreading through the Necurs botnet (a distributor of many pieces of malware, including ransomware).

1) Earlier, we discovered a malspam (malware that is delivered via email messages) campaign that was delivering the TrickBot Trojan. It consisted of blank emails with no subject line.

Each email had scan_RandomNo.doc as a file attachment [e.g. SCAN_4744.doc, SCAN_1254.doc].

Fig 1. A blank email with SCAN_4744.doc as an attachment.

The .doc file contains an embedded macro, and its functionality was similar to that of the Dridex family.

2) Presently, this malspam campaign is using zip attachments with keywords such as "invoice" in their names, as shown below.

Fig 2. Email containing a .zip attachment

Invoicepis_RandomNo.zip contains another .zip, which holds a script file with a .wsf extension.

Fig 3

This .wsf file is executed using Windows ‘wscript.exe’ and downloads an extension-less encoded file into the %temp% folder, which is then decoded in the same location as same_file_name.exe. It then copies itself into the ‘%appdata%\winapp’ folder.

In addition to this, it downloads two additional components, ‘client_id’ and ‘group_tag’.

  • ‘client_id’ has information such as the name of the victim’s machine, OS version, etc.
  • ‘group_tag’ contains a value such as ‘mac1’.

This Trojan also injects DLLs into the installed browsers of the infected machine to steal information such as usernames, passwords, etc.

In addition to this, we have also observed that a few .wsf files received during our analysis of this malspam campaign are spreading a new variant of JAFF ransomware.

3) On 14.06.17, we observed another malspam campaign delivering TrickBot.

Fig 4. Email containing a zip as an attachment

Fig 5

Emails delivered through this new malspam campaign contain RandomNo.zip, which holds a .docm file.

  • The .docm has an embedded macro which, when enabled, downloads and installs components of the TrickBot Trojan on the infected machine.
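
The three delivery patterns described above can be checked at a mail gateway before an attachment reaches the inbox. The following is an added example, not Quick Heal's code: a Python triage function that flags SCAN_<number>.doc naming, a .wsf script inside nested zips, and a .docm inside a zip. The function names, the depth and size limits, and the sample attachments are assumptions constructed for illustration.

```python
import io
import re
import zipfile

SCAN_DOC = re.compile(r"^scan_\d+\.doc$", re.IGNORECASE)
MAX_DEPTH = 3            # assumed limit: stop descending into nested archives
MAX_MEMBER = 20 << 20    # assumed limit: skip members over 20 MiB (zip bombs)

def triage_attachment(name, data, depth=0):
    """Return the reasons an attachment matches the delivery traits above."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    if SCAN_DOC.match(base):
        reasons.append(f"{name}: SCAN_<number>.doc naming (campaign 1)")
    if base.endswith(".wsf"):
        reasons.append(f"{name}: .wsf script at zip depth {depth} (campaign 2)")
    if base.endswith(".docm"):
        reasons.append(f"{name}: .docm at zip depth {depth} (campaign 3)")
    if not base.endswith(".zip"):
        return reasons
    if depth >= MAX_DEPTH:
        return reasons + [f"{name}: nesting deeper than {MAX_DEPTH} levels"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:
                    reasons.append(f"{info.filename}: too large to inspect")
                    continue
                reasons += triage_attachment(info.filename, zf.read(info), depth + 1)
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted archive
        reasons.append(f"{name}: zip could not be read")
    return reasons

def make_zip(members):
    """Build an in-memory zip from {name: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

# Constructed samples with harmless placeholder contents.
SAMPLES = {
    "SCAN_4744.doc": b"placeholder",
    "Invoicepis_1234.zip": make_zip({"1234.zip": make_zip({"1234.wsf": b"<job/>"})}),
    "5678.zip": make_zip({"5678.docm": b"placeholder"}),
}

for fname, blob in SAMPLES.items():
    print(fname, "->", triage_attachment(fname, blob) or "no match")
```

A match here is a reason to quarantine or detonate the attachment in a sandbox; file names alone are easy for a sender to change, so the archive-content checks carry more weight than the naming rule.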

Quick Heal Detection

1. Quick Heal has detection for .doc, .wsf and the downloaded payload files.

Fig 6

Fig 7

2. Quick Heal Behavioral-based detection successfully detects the malicious activities of TrickBot.

Fig 8

Precautionary Measures

1) Avoid opening email attachments received from unknown, unwanted or unexpected sources.

2) Open all Microsoft documents, PDF files, etc., received as email attachments only in ‘Protected View’.

 

Acknowledgement

Subject Matter Expert
Smita Kuyte | Quick Heal Security Labs
