An analysis of TrickBot Malware by Quick Heal Security Labs

Credit to Author: Quick Heal Security Labs | Date: Fri, 04 Aug 2017 04:30:42 +0000

TrickBot has been a busy malware family over the last month because of its varied and polymorphic propagation methods. We have seen multiple versions arrive through the same medium: spam emails. These emails carry either an attachment that downloads the payload or a direct link to it. TrickBot steals the login details (personal sensitive information and authentication codes) of banking customers.

So far we have seen it propagate through the following file types:

- VBS
- WSF
- PDF
- OLE

The VBS, WSF, PDF, and OLE files download the payload from different malicious links onto the targeted computer as an encrypted text file, which is then decrypted and dropped into the %TEMP% location:

%TEMP%\<8 to 9 random characters>.exe   [PE file]
%TEMP%\<8 to 9 random characters>.exeA  [encrypted text file]

Examples:

%temp%\fungedsp8.exe  [PE file]
%temp%\rmpAYfLM.exe   [PE file]

Some of the malicious hosts the malware connects to:

hxxp://provisionbazaar.com/56evcxv?
hxxp://pluzcoll.com/56evcxv?
hxxp://autoecole-jeanlouis.com/sdfgdsg1?
hxxp://aprendersalsa.com/nhg67r?
hxxp://ctinfotech.com/98tf77b
hxxp://skynetwork.com.au/nc367f3n

The chart below shows the email subjects and attachment names used with each file type:

File Type   Email Subject                                               Attachment Name
VBS         (blank subject line)                                        doc<10_digits>.zip
WSF         Voice Message Attached from <11_digits> – name unavailable  <11_digits>_<07_digits>_<06_digits>.zip
PDF         Emailing: <8_digits>                                        <8_digits>.PDF
OLE         Account secure documents                                    PaymentAdvice.doc

Fig 1

The chart below shows the recent trend of spam emails received by Quick Heal Security Labs from 18th to 31st July 2017.

Fig 2

Quick Heal Detection

Quick Heal proactively blocks the malicious emails related to the TrickBot malware and successfully detects the malicious files, as shown below.
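The drop pattern described above (an 8-to-9 character random basename with an .exe and a matching .exeA sidecar in %TEMP%) can be turned into a simple host triage check. The following is an added example written for this page, not code from Quick Heal or from the malware; it assumes the random characters are alphanumeric (the post does not say), and the listing it runs on is constructed, with only fungedsp8 and rmpAYfLM taken from the post.

```python
import os
import re

# TrickBot drop naming described in the post: an 8-to-9 character random
# basename with .exe (PE file) and an .exeA sibling (the encrypted download).
# Alphanumeric characters are an assumption; the post only says "random".
DROP_NAME = re.compile(r"^[A-Za-z0-9]{8,9}\.exe$")


def find_drop_artifacts(filenames):
    """Return {exe_name: confidence} for names matching the drop pattern.

    'paired'    - the .exeA sidecar sits next to the .exe (strong signal)
    'name-only' - only the naming convention matches (weak, noisy signal)
    """
    names = set(filenames)
    hits = {}
    for name in names:
        if not DROP_NAME.match(name):
            continue
        hits[name] = "paired" if name + "A" in names else "name-only"
    return hits


def scan_temp_dir(path=None):
    """Scan a directory (default: the user's %TEMP%) for the artifact pair."""
    path = path or os.environ.get("TEMP") or os.environ.get("TMPDIR") or "/tmp"
    try:
        return find_drop_artifacts(os.listdir(path))
    except OSError:
        return {}


# Constructed directory listing for demonstration.
SAMPLE_LISTING = [
    "fungedsp8.exe", "fungedsp8.exeA",   # paired: high-confidence drop
    "rmpAYfLM.exe", "rmpAYfLM.exeA",     # paired
    "zxqwerty1.exe",                     # name matches, no sidecar (constructed)
    "notepad.exe",                       # 7 characters: outside the pattern
    "abcdefghij.exe",                    # 10 characters: outside the pattern
    "setup_log.txt",
]

if __name__ == "__main__":
    for exe, confidence in sorted(find_drop_artifacts(SAMPLE_LISTING).items()):
        print(f"{exe}: {confidence}")
```

Treat the 'paired' result as the actionable one: installers routinely leave random-named executables in %TEMP%, so a 'name-only' hit on its own is a prompt to look at the file's hash and origin, not a detection.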
Fig 3

Trends to watch out for

The same malware is being propagated in several different ways to maximise the probability that it gets executed on the victim's machine, gets past the company's authentication system, and can use the stolen credentials for nefarious purposes. Malicious emails are increasingly using social engineering methods to trick victims into opening attachments.

Security steps to follow

- Never execute an email attachment with any of the following extensions directly: .js, .exe, .com, .pif, .scr, .hta, .vbs, .wsf, .jse, .jar
- When you receive an email, check that it is from a genuine source and scan it with your updated antivirus software.
- Never enable macros or editing mode if a document asks you to do so.
- Apply the recommended security updates for your computer's operating system and all other programs such as Adobe, Java, Internet browsers, etc.

Acknowledgment

Subject Matter Experts: Swati Gaikwad, Nayan Vairagi | Quick Heal Security Labs
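The extension list from the security steps and the subject/attachment pairs from Fig 1 can be combined into a mail-gateway style triage rule. This is an added example for this page, not Quick Heal's product logic or the malware's code; the finding labels, the function names and the sample zip contents are constructed, and the subject and attachment patterns are taken from the Fig 1 table above.

```python
import io
import re
import zipfile

# Extensions the post says must never be executed directly from an email.
BLOCKED_EXTENSIONS = {".js", ".exe", ".com", ".pif", ".scr", ".hta",
                      ".vbs", ".wsf", ".jse", ".jar"}

# Subject / attachment pairs from Fig 1 as regexes (digit counts are exact).
CAMPAIGN_PATTERNS = {
    "VBS": (re.compile(r"^\s*$"),
            re.compile(r"^doc\d{10}\.zip$", re.I)),
    "WSF": (re.compile(r"^Voice Message Attached from \d{11} [-–] name unavailable$"),
            re.compile(r"^\d{11}_\d{7}_\d{6}\.zip$", re.I)),
    "PDF": (re.compile(r"^Emailing: \d{8}$"),
            re.compile(r"^\d{8}\.pdf$", re.I)),
    "OLE": (re.compile(r"^Account secure documents$"),
            re.compile(r"^PaymentAdvice\.doc$", re.I)),
}


def extension_of(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def blocked_archive_members(data):
    """Names inside a zip whose extension is on the blocked list."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if extension_of(n) in BLOCKED_EXTENSIONS]


def assess_attachment(subject, filename, data=None):
    """Return a list of constructed finding labels for one attachment.

    An empty list means nothing on this page's indicators matched; it is
    not a clean bill of health.
    """
    findings = []
    if extension_of(filename) in BLOCKED_EXTENSIONS:
        findings.append("blocked-extension")
    for family, (subject_re, name_re) in CAMPAIGN_PATTERNS.items():
        if name_re.match(filename):
            findings.append(f"campaign-name:{family}")
            if subject_re.match(subject):
                findings.append(f"campaign-subject:{family}")
    # The VBS and WSF campaigns ship the script inside a zip, so look inside.
    if data is not None and extension_of(filename) == ".zip":
        try:
            for member in blocked_archive_members(data):
                findings.append(f"archive-member:{member}")
        except zipfile.BadZipFile:
            findings.append("archive-unreadable")
    return findings


def build_sample_zip(member_name, payload=b"constructed placeholder"):
    """Constructed in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("", "doc1234567890.zip", build_sample_zip("doc1234567890.vbs")),
        ("Emailing: 12345678", "12345678.PDF", None),
        ("Account secure documents", "PaymentAdvice.doc", None),
        ("Quarterly report", "report.pdf", None),
    ]
    for subject, name, data in samples:
        print(f"{name!r}: {assess_attachment(subject, name, data)}")
```

Matching both the subject and the attachment name gives a much lower false-positive rate than either alone; a lone "campaign-name" hit on an eight-digit PDF name is weak, while "campaign-subject" plus "archive-member" is worth quarantining.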