TrickBot has been a busy malware in the last month because of its various polymorphic propagation methods and techniques. We have seen collective versions and the same medium of propagation – the spam emails. These emails contain attachments to download or a direct link to spread the malicious payload.
Trickbot is involved in stealing login details (personal sensitive information and authentication codes) of people related to banks. Till now we have seen its propagation through the file types listed below:
VBS, WSF, PDF, and OLE files download the payload from different malicious links to the targeted computer in an encrypted text format which is then decrypted and dropped into the %TEMP% location.
%TEMP%\<8 to 9 random_character>.exe [PE File]
%TEMP%\<8 to 9 random_character>.exeA [Encrypted text file]
Some of the malicious hosts which the malware connects to
The below chart shows the email subjects and attachments with various names
|File Type||Email Subject||Attachment Name|
|VBS||blank subject line||doc<10_digits>.zip|
|WSF||Voice Message Attached from <11_digits> – name unavailable||<11_digits>_<07_digits>_<06_digits>.zip|
|OLE||Account secure documents||PaymentAdvice.doc|
The below chart shows the recent trend of spam emails received in Quick Heal Security Labs from 18th to 31st July 2017.
Quick Heal Detection
Quick Heal proactively blocks the malicious emails related to the TrickBot malware and successfully detects the malicious files as shown below.
Trends to watch out for
Security steps to follow