TrickBot Trojan was first identified in mid-2016 and considered similar to the Dyreza banking Trojan. Initially, the payload (the component of a computer virus that executes a malicious activity) was spreading through a malvertising campaign using the Rig Exploit Kit. From our current findings, we have found that TrickBot has changed its propagation technique and is now spreading using the Necurs Botnet (a distributor of many pieces of malware including ransomware).
1) Earlier we had discovered a malspam (malware that is delivered via email messages) campaign that was delivering the TrickBot Trojan. It contained blank emails with no subject line.
It had scan_RandomNo.doc as a file attachment [e.g. – SCAN_4744.doc, SCAN_1254.doc].
Fig 1. A blank email with SCAN_4744.doc as an attachment.
The .doc file contains an embedded macro whose functionality is similar to that of the Dridex family.
2) Presently, this malspam campaign is using .zip attachments with keywords such as "invoice" in the file name, as shown below.
Fig 2. Email containing a .zip attachment
Invoicepis_RandomNo.zip contains another .zip, which in turn holds a script file with a .wsf extension.
This .wsf file is executed by Windows ‘wscript.exe’ and downloads an extension-less encoded file into the %temp% folder, which is then decoded in the same location as same_file_name.exe. The decoded file then copies itself into the ‘%appdata%\winapp’ folder.
In addition to this, it downloads two additional components, ‘client_id’ and ‘group_tag’:
- ‘client_id’ holds information such as the name of the victim’s machine, OS version, etc.
- ‘group_tag’ contains a value such as ‘mac1’.
This Trojan also injects DLLs into the browsers installed on the infected machine to steal information such as usernames, passwords, etc.
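As an added defender-side example (not code from the Quick Heal post), the following Python hunt turns the behaviour described above into three checks run over constructed Sysmon-style process-creation events and a constructed file listing: wscript.exe spawning an .exe from %temp%, a process running from %appdata%\winapp, and the client_id / group_tag files sitting in that folder. The event field names and all sample paths are assumptions.

```python
import re

# Indicators taken from the write-up: the decoded payload runs from %temp% under
# wscript.exe, copies itself to %appdata%\winapp and drops client_id / group_tag there.
TEMP_EXE = re.compile(r"\\temp\\[^\\]+\.exe$", re.IGNORECASE)
WINAPP_DIR = re.compile(r"\\appdata\\roaming\\winapp\\", re.IGNORECASE)
ARTIFACTS = {"client_id", "group_tag"}

# Constructed Sysmon-style (Event ID 1) process events; pid/ppid/image are assumed field names.
EVENTS = [
    {"pid": 101, "ppid": 90, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Users\victim\AppData\Local\Temp\ab12cd34.exe"},
    {"pid": 103, "ppid": 102, "image": r"C:\Users\victim\AppData\Roaming\winapp\ab12cd34.exe"},
    {"pid": 104, "ppid": 90, "image": r"C:\Windows\System32\wscript.exe"},   # benign admin script
    {"pid": 105, "ppid": 104, "image": r"C:\Windows\System32\notepad.exe"},  # benign child
]

# Constructed file listing of the suspect folder.
WINAPP_FILES = [
    r"C:\Users\victim\AppData\Roaming\winapp\ab12cd34.exe",
    r"C:\Users\victim\AppData\Roaming\winapp\client_id",
    r"C:\Users\victim\AppData\Roaming\winapp\group_tag",
]


def hunt(events, file_listing):
    """Return (rule, detail) findings for the TrickBot staging chain described above."""
    by_pid = {ev["pid"]: ev["image"] for ev in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"], "").lower()
        # Rule 1: wscript.exe (the .wsf host) launching a freshly decoded .exe from %temp%.
        if parent.endswith("\\wscript.exe") and TEMP_EXE.search(ev["image"]):
            findings.append(("wscript_spawns_temp_exe", ev["image"]))
        # Rule 2: anything executing from the %appdata%\winapp copy location.
        if WINAPP_DIR.search(ev["image"]):
            findings.append(("winapp_process", ev["image"]))
    # Rule 3: both downloaded components present in the winapp folder.
    names = {p.rsplit("\\", 1)[-1].lower() for p in file_listing if WINAPP_DIR.search(p)}
    if ARTIFACTS <= names:
        findings.append(("winapp_artifacts", sorted(ARTIFACTS)))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(EVENTS, WINAPP_FILES):
        print(f"{rule}: {detail}")
```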
In addition to this, we have also observed that a few .wsf files received during our analysis of this malspam campaign are spreading a new variant of JAFF ransomware.
3) On 14.06.17, we observed another malspam campaign delivering TrickBot.
Fig 4. Email containing zip as an attachment
Emails delivered through this new malspam campaign contain RandomNo.zip holding a .docm file.
- The .docm file has an embedded macro which, when enabled, downloads and installs the components of the TrickBot Trojan on the infected machine.
Quick Heal Detection
1. Quick Heal has detection for the .doc and .wsf files and for the downloaded payload files.
2. Quick Heal Behavioral-based detection successfully detects the malicious activities of TrickBot.
1) Avoid opening email attachments received from unknown, unwanted or unexpected sources.
2) Open all Microsoft documents, PDF files, etc., received as email attachments only in ‘Protected View’.
Subject Matter Expert
Smita Kuyte | Quick Heal Security Labs