{"id":1019,"date":"2017-11-02T21:01:18","date_gmt":"2017-11-02T21:01:18","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=1019"},"modified":"2017-11-02T21:01:18","modified_gmt":"2017-11-02T21:01:18","slug":"2017-11-01-another-trickbot-maldoc","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1019","title":{"rendered":"2017-11-01 Another Trickbot Maldoc"},"content":{"rendered":"

Looking through the email filters yesterday, I saw numerous emails from the sender “secure@hsbcdocuments.com” with the subject of “We need to confirm your details.” The email was a well laid out phish with a malicious Word document attached. This Word document led to a Trickbot banking malware infection via the use of a malicious macro instead of the use of the DDE attack vector. Initially when I was looking into these emails yesterday I was not seeing anything online about them. As part of my daily morning reading, I went to \u200e@dvk01uk<\/a>‘s site this morning and saw that it was already reported and written about. Looking over at Twitter, I saw Vitali Kremez (@VK_Intel<\/a>) had looked into this as well as you can see here<\/a>. The emails that I saw where primarily sent from the IP addresses of 185.106.121.47 and 185.2.81.202 and all of them had the same attachment to them as well – a Word document called “secure.doc.” <\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

What I was seeing from the emails matched exactly what they were seeing on their end (group_tag = ser1101). The only thing that stood out to me was the fact that the injectors used a folder called “services” in the “C:\\Users\\%username%\\AppData\\Roaming\\” folder where in the past it had used a folder called “winapp.” <\/p>\n

Since Trickbot is fairly well known and pretty well documented, I am not going to discuss it in depth. If you want some more information, then check out thee following links for some good reading\/insight:
\nhttp:\/\/www.zdnet.com\/article\/dyre-successor-trickbot-attacks-australian-banks\/<\/a>
\nhttp:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/08\/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data\/<\/a>
\nhttp:\/\/blog.fortinet.com\/2016\/12\/06\/deep-analysis-of-the-online-banking-botnet-trickbot<\/a><\/p>\n

And if you are wanting to figure out how to reverse engineer Trickbot, then check out the links below:
\nhttp:\/\/www.vkremez.com\/2017\/09\/lets-learn-reversing-trickbot-banking.html<\/a>
\nhttp:\/\/www.vkremez.com\/2017\/09\/lets-learn-trickbot-banking-trojan-adds.html<\/a>
\nhttp:\/\/qmemcpy.io\/post\/reverse-engineering-malware-trickbot-part-1-packer<\/a><\/p>\n

As usual, the PCAP, ProcMon logs, and artifacts from this investigation, please see my Github repo here<\/a>.<\/p>\n

IOCs:
\n=====
\n217.194.212.248 \/ rifweb.co.uk (GET \/ser1101.png)
\n94.23.230.159 \/ pizza24.fr (GET \/ser1101.png)
\n79.106.41.23 (TCP 449)
\n78.155.206.233 (TCP 447)
\n79.106.41.23 (TCP 449)<\/p>\n

Artifacts:
\n==========
\nFile name: secure.doc
\nFile size: 72KB
\nFile path: NA
\nMD5 hash: d6c7a690eac1009881ec6b43e09e3000
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/594bf62f52df202225eeda2903d5d7d2aa818e2b4d37085fc79704f7ac257969\/analysis\/<\/a>
\nDetection ratio: 21 \/ 59
\nFirst Detected: 2017-11-01 10:36:12 UTC
\nPayload Security: http:\/\/www.hybrid-analysis.com\/sample\/594bf62f52df202225eeda2903d5d7d2aa818e2b4d37085fc79704f7ac257969?environmentId=100<\/a><\/p>\n

File name: Lb-ua-cjtd.bat
\nFile size: 1KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp
\nMD5 hash: 90bca1b6075bdb075eaba0c92af4263a
\nVirustotal: NA
\nPayload Security: NA <\/p>\n

File name: q_kf7.exe
\nFile size: 454KB
\nFile path: C:\\Users\\%username%\\AppData\\Local\\Temp
\nMD5 hash: 2486a420f3918a2a1909992a88a87244
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/16446557906844e7c8b8e1f6481198e4b3d104eef6e269d43c7cedcf3f742dab\/analysis\/<\/a>
\nDectection ratio: 25 \/ 68
\nFirst Detected: 2017-11-01 10:58:51 UTC
\nPayload Security: http:\/\/www.hybrid-analysis.com\/sample\/16446557906844e7c8b8e1f6481198e4b3d104eef6e269d43c7cedcf3f742dab?environmentId=100<\/a><\/p>\n

File name: q_kf7.exe
\nFile size: 454KB
\nFile path: C:\\Users\\%username%\\AppData\\Roaming\\services
\nMD5 hash: 2486a420f3918a2a1909992a88a87244
\nVirustotal: http:\/\/www.virustotal.com\/en\/file\/16446557906844e7c8b8e1f6481198e4b3d104eef6e269d43c7cedcf3f742dab\/analysis\/<\/a>
\nDectection ratio: 25 \/ 68
\nFirst Detected: 2017-11-01 10:58:51 UTC
\nPayload Security: http:\/\/www.hybrid-analysis.com\/sample\/16446557906844e7c8b8e1f6481198e4b3d104eef6e269d43c7cedcf3f742dab?environmentId=100<\/a><\/p>\n

Analysis:
\n=========<\/p>\n

\"\"<\/a><\/p>\n

As I stated above, this infection was a pretty standard infection for Trickbot. One thing that I would like to comment on is the lack of persistence on my VM. Looking through the ProcMon logs, I did not see anything written to the registry or to Windows Task Scheduler to maintain persistence. I rebooted the VM to see if I could spot a SVCHOST.exe process that would be running and calling out over ports 447\/449 but I was not able to find anything. None of the files in the “services” folder were updated either (even after waiting 30+ minutes).<\/p>\n","protected":false},"excerpt":{"rendered":"

Looking through the email filters yesterday, I saw numerous emails from the sender “secure@hsbcdocuments.com” with the subject of “We need to confirm your details.” The email was a well laid out phish with a malicious Word document attached. This Word document led to a Trickbot banking malware infection via the use of a malicious macro instead of the use of the DDE attack vector. Initially when I was looking into these emails yesterday I was not seeing anything online about them. As part of my daily morning reading, I went to \u200e@dvk01uk‘s site this morning and saw that it was…<\/p>\n

Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[13],"class_list":["post-1019","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-trickbot"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1019","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1019"}],"version-history":[{"count":1,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1019\/revisions"}],"predecessor-version":[{"id":1025,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1019\/revisions\/1025"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}