TrickBot spread by Necurs botnet, adds Nordic countries to its targets

At around 09:00 BST yesterday, Forcepoint Security Labs™ observed a significant malicious email campaign from the Necurs botnet. Necurs is a prevalent botnet that is known to spread Locky ransomware, pump-and-dump stock scams, and more recently the Jaff ransomware. This time Necurs has been seen spreading the Trickbot banking Trojan, complete with an updated set of targets.

The malicious email campaign ended at around 18:00 yesterday, and nearly 9.6M related emails were captured and stopped by our system. The following is a sample screenshot of a related email:

In addition, below are the details of this campaign:

Subject                    | Attachment            | Activity Flow (BST)
{2 digits}_Invoice_{4 digits} | {3 digits}_{4 digits}.pdf | 09:00 – 15:00
{8 digits}.pdf             | {8 digits}.pdf        | 11:00 – 13:00
{blank subject}            | SCAN_{4 digits}.doc   | 13:00 – 18:00

For the first two email subjects above, the infection chain is identical to what we have documented for Jaff: an attached PDF file contains a document file with a macro downloader, which in turn downloads the Trickbot trojan.

Emails with a blank subject, on the other hand, contained a document file with a macro downloader directly instead of a PDF.
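The three lure patterns from the table above can be turned into a simple mail-gateway triage check. The following is an added example written for this post, not Forcepoint's own detection code; the sample subjects and attachment names are constructed, and the lure names are arbitrary labels.

```python
import re
from dataclasses import dataclass

# Lure patterns from the campaign table: (label, subject regex, attachment regex).
# "{n digits}" placeholders become \d{n}; a blank subject is matched as an empty string.
LURE_PATTERNS = [
    ("invoice-pdf", re.compile(r"^\d{2}_Invoice_\d{4}$"), re.compile(r"^\d{3}_\d{4}\.pdf$", re.I)),
    ("numeric-pdf", re.compile(r"^\d{8}\.pdf$"), re.compile(r"^\d{8}\.pdf$", re.I)),
    ("blank-doc", re.compile(r"^$"), re.compile(r"^SCAN_\d{4}\.doc$", re.I)),
]


@dataclass
class Email:
    subject: str
    attachment: str


def match_lure(email):
    """Return the lure label whose subject AND attachment patterns both match, else None."""
    subject = email.subject.strip()
    for label, subject_re, attachment_re in LURE_PATTERNS:
        if subject_re.match(subject) and attachment_re.match(email.attachment):
            return label
    return None


# Constructed sample metadata (invented for this example, not campaign data).
SAMPLES = [
    Email("37_Invoice_8142", "582_1930.pdf"),
    Email("20170614.pdf", "20170614.pdf"),
    Email("", "SCAN_0417.doc"),
    Email("Meeting notes", "agenda.pdf"),
    Email("37_Invoice_8142", "report.docx"),  # subject fits, attachment does not: no match
]


def triage(emails):
    """Label each email with the matching lure (or None) for reporting or quarantine."""
    return [(e.subject, e.attachment, match_lure(e)) for e in emails]


if __name__ == "__main__":
    for subject, attachment, lure in triage(SAMPLES):
        print(f"{subject!r:20} {attachment:16} -> {lure}")
```

Both the subject and the attachment name must match before an email is labelled, which keeps benign invoices with ordinary attachment names from being flagged.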

Trickbot continues to expand its targets

Trickbot is a relatively new malware family that is believed to be a successor of the infamous Dyre family. It surfaced in the wild in September last year, initially targeting banks in Australia and the UK. It has since continually expanded its target countries and banks.

The new campaign from yesterday contained the group tag “mac1”. It downloaded configuration files that contained an updated list of targeted financial institutions. From 51 targeted URLs listed in the “dinj” configuration file just last April, the configuration file now holds 130 targeted URLs. Among these updates are 16 targeted French banks, which were prepended to the configuration file. Below is a screenshot of the decrypted configuration file showing this update:

Furthermore, the configuration file now also lists a number of PayPal URLs:

Another configuration file (“sinj”) has similarly been expanded: where it previously listed 109 targeted URLs, the updated one lists 333 URLs. This configuration now includes websites of 34 financial institutions in Sweden, Norway, Finland and Denmark.

Protection statement

Forcepoint™ customers are protected against this threat via Forcepoint Cloud Security, which includes the Advanced Classification Engine (ACE) as part of the email, web and NGFW security products. ACE (also known as Triton ACE) provides signature-less analytics to identify malicious intent, including evasion techniques used to mask the malware.

Protection is in place at the following stages of attack:

Stage 2 (Lure)
– Malicious emails associated with this attack are identified and blocked.
Stage 5 (Dropper File)
– Trickbot variants are prevented from being downloaded.
Stage 6 (Call Home)
– Attempts by Trickbot to contact its C&C server are blocked.

Conclusion

Trickbot’s use of the Necurs botnet to spread itself, combined with the expansion of its targeted countries and financial institutions, is a clear attempt to escalate its global operations. Malicious email campaigns such as these rely on the weakness of the human point of interaction with systems, with the final payload in this case likely having severe ramifications for those who fall prey to it.

We anticipate that Trickbot will only continue to expand its targets, and Forcepoint Security Labs™ will continue to monitor developments in this threat.

Additional analysis provided by Ran Mosessco.

Indicators of Compromise

Download locations


Trickbot C2

185.6.127[.]134 149.202.30[.]126 212.24.110[.]76

Trickbot SHA-256 Hash

79d96a62622e4efb01fda23cf81b759e0059ad3cd3083acff7fb4174b0b3d40c

Source: https://www.forcepoint.com/blog/x-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets
