Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Malspam pushing Trickbot gtag rob13 SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malspam pushing Trickbot gtag rob13

Introduction

Trickbot malware has been a relatively constant presence in the cyber threat landscape so far this year.  We've seen activity continue this week, and today's diary reviews an infection I generated on Wednesday 2021-02-17.

The infection chain of events:

malicious spam (malspam) --> attachment (Excel spreadsheet) --> enable macros --> URL for Trickbot DLL --> post-infection activity

 

The email


Shown above:  Screenshot from an example of malspam seen earlier today (Wednesday 2021-02-17).

The spreadsheet


Shown above:  Screenshot of the attached Excel spreadsheet with macros for Trickbot.

Infection traffic


Shown above:  Traffic from an infection filtered in Wireshark.

Forensics on an infected Windows host


Shown above:  Initial Trickbot binary retrieved by the Excel macro.


Shown above:  Scheduled task for Trickbot.

In the above image (double-click on it to get a higher-resolution picture), you can see the Trickbot DLL is not where the scheduled task points to.  When I restarted the infected host, it gave me an error saying it couldn't run the task.  I've noticed this during the past several months from Trickbot infections that use a DLL file as the initial binary.  Unfortunately, I don't know why this happens.

Indicators of Compromise (IOCs)

EXAMPLES OF SUBJECT LINES AND REPLY-TO ADDRESSES:

  • Subject: DocuSign: Equipment # 1332
  • Subject: DocuSign: Equipment # 9448
  • Subject: DocuSign: Equipment # 9722
  • Subject: DocuSign: Equipment # 12169
  • Subject: DocuSign: Equipment # 23863
  • Reply-To: Lease Consultants <cloying@docusign.net>
  • Reply-To: Lease Consultants <dianoetic@docusign.net>
  • Reply-To: Lease Consultants <modicum@docusign.net>
  • Reply-To: Lease Consultants <omidyar@docusign.net>
  • Reply-To: Lease Consultants <rumery@docusign.net>
  • Note: Sending addresses may have been from email accounts that were compromised.

FILE HASHES FROM ATTACHMENTS SUBMITTED TO VIRUSTOTAL:

07d35c57585b6bd3a5e77be4e8c7d97725ad3646694d7b9cc61dbc058006450a  DocuSign_649568847_1582762946.xls
393bc60e292c3e24ab70c459ba1c595daaae68df94a75ebe571d3e75a0fe8109  DocuSign_484590053_1220881832.xls
64392b7c699791e4dddde1a1754d157c284dcc4d54e9cb8974ea661f6443ce86  DocuSign_463828509_1320623172.xls
713a539daad692c8e284718ad73c128128e8257b3c41b233d2f810717df873b7  DocuSign_2026401106_1090792446.xls
99316adbb0514f099d44bf8655486c2332eb5f3f821b80b2c0a6a85b652312e6  DocuSign_649568847_1582762946.xls
9bf4196e8fb7c4ac3be72f79f13697656145ee1cc93bb7c7a31d93ea75bbcae3  DocuSign_1264755469_604175183.xls
9fbbb8b4025b2e46429594b946d2ba74ce381e4c2968966e9a65ffd81791baa1  DocuSign_1283716068_336411873.xls
bc033032b6d2afcea2a07f4b5eb5de3137c9fc83c1302fe28a781137168884eb  DocuSign_1993467225_1309843348.xls
bc47683422d0021b2b27b551d81058213fa4d000c544b617adf1bb7b94d5f4a9  DocuSign_558551337_1625623689.xls
f391892523950617f98dd08c5e1e8ffa58f8985f7527d5ffe735944db72a312f  DocuSign_1237489607_947076939.xls

 

MALWARE FROM AN INFECTED WINDOWS HOST:

SHA256 hash: bc033032b6d2afcea2a07f4b5eb5de3137c9fc83c1302fe28a781137168884eb

  • File size: 168,960 bytes
  • File name: DocuSign_1993467225_1309843348.xls
  • File description: Excel spreadsheet with macros for Trickbot gtag rob13

SHA256 hash: e1b67bd8b15bcd422fcbc74fa3b691c40c527ffedc951a6bb8e67ca257240d16

  • File size: 698,880 bytes
  • File location: hxxps://destinostumundo[.]com/layout/recruter.php
  • File location: C:\Users\[username]\HGrt.foste
  • File description: Initial Trickbot gtag rob13 binary (DLL file)
  • Run method: rundll32.exe [file name],DllRegisterServer1

SHA256 hash: 24bd33f4ba457d77d796620a2cd4b7a3e38d63e2286fec752d898ab7c5204e4b

  • File size: 864,256 bytes
  • File location: hxxp://195.123.208[.]170/images/control.png
  • File description: Follow-up Trickbot EXE file, gtag tot43

SHA256 hash: f0391039f888fb30566295365420868ac8539075e25a690ac4400a8bb91eb803

  • File size: 864,256 bytes
  • File location: hxxp://195.123.208[.]170/images/scroll.png
  • File description: Follow-up Trickbot EXE file, gtag lib43

TRAFFIC TO RETRIEVE THE INITIAL TRICKBOT BINARY (A DLL FILE):

  • 98.142.109[.]186 port 80 - destinostumundo[.]com - GET /layout/recruter.php
  • 98.142.109[.]186 port 443 (HTTPS) - destinostumundo[.]com - GET /layout/recruter.php

POST-INFECTION TRAFFIC FOR TRICKBOT:

  • 108.170.20[.]72 port 443 - HTTPS traffic
  • 179.191.108[.]58 port 449 - HTTPS traffic
  • port 80 - checkip.amazonaws.com - GET /
  • 177.87.0[.]7 port 447 - HTTPS traffic
  • 103.102.220[.]50 port 443 - 103.102.220[.]50:443 - POST /rob13/[string with host and infection info]/81/
  • 36.95.27[.]243 port 443 - 36.95.27[.]243:443 - POST /rob13/[string with host and infection info]/81/
  • 103.102.220[.]50 port 443 - 103.102.220[.]50:443 - POST /rob13/[string with host and infection info]/83/
  • 36.95.27[.]243 port 443 - 36.95.27[.]243:443 - POST /rob13/[string with host and infection info]/90

TRAFFIC CAUSED BY TRICKBOT'S PROPAGATION MODULES TO RETRIEVE ADDITIONAL TRICKBOT BINARIES (RETURNED EXE FILES):

  • 195.123.208[.]170 port 80 - 195.123.208[.]170 - GET /images/control.png
  • 195.123.208[.]170 port 80 - 195.123.208[.]170 - GET /images/scroll.png

ATTEMPTED TCP CONNECTIONS CAUSED BY THE INFECTED WINDOWS HOST:

  • 45.14.226[.]115 port 443
  • 169.239.45[.]42 port 449
  • 92.242.214[.]203 port 449
  • 94.158.245[.]54 port 443
  • 38.132.99[.]174 port 80

Final words

A pcap of the infection traffic and the associated malware can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

 Brad

394 Posts
ISC Handler
Feb 17th 2021
Reply Subscribe Feb 17th 2021
1 week ago

Sign Up for Free or Log In to start participating in the conversation!