Malspam pushing Trickbot malware on Friday 2018-05-11

Malspam pushing Trickbot malware on Friday 2018-05-11
Introduction I've consistently noted malicious spam (malspam) distributing Trickbot malware 2 or 3 days every week. My Online Security frequently documents this malspam, and it has occurred on at least five occasions this month from 2018-05-01 through 2018-05-11. Last week, this Trickbot malspam tried some new tricks. On Wednesday 2018-05-09, Xavier Mertens posted a diary about this campaign using a fake notice for a Adobe PDF web-plugin update to push Trickbot. But by Friday 2018-05-11, this malspam was back to using an RTF attachment that exploits CVE-2017-11882. This is the Microsoft Equation Editor vulnerability. Malspam from this campaign has been routinely using these type of RTF attachments since early April 2018. Today's diary reviews an RTF attachment using an exploit for CVE-2017-11882 to push Trickbot on Friday, 2018-05-11. Shown above: Chain of events for a Trickbot infection from Friday. *The email* Email headers from this malspam campaign follow consistent patterns. These emails have a DKIM signature, and the envelope is spoofed as being from noreply-[recipient's email address]@[whatever domain is being used& that day]. An example of the email headers from Friday 2018-05-11 follow. I've replaced the recipient's email address with bob123@whereever.com. Received: from [79.142.64.227] ([79.142.64.227:39244] helo=hmrc-email-gov.uk) by [removed]; (envelope-from <noreply-bob123=whereever.com@hmrc-email-gov.uk>) [removed]; Fri, 11 May 2018 11:23:02 -0000 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=hmrc-email-gov.uk; h=Mime-Version:Date:To:Subject:From:Content-Type:Message-ID; bh=pXEjZNFF+nNw2PPQpsYXr5oWSmA=; b=FL6DqNISXS60W7USA4vCzy4z7Ya/Ikw5uR3y9lbsJ+Mgi4oawDyvFH55IH4lbRrPQNyhnmgvrAwd t5YpMPB3JCl9Mke0Izf8ltDQLBSAt2vV3qP8oC/WKI4fzuFEEB9diL4IHDDbYYUb32N4SjPaKro8 J6bRiNjZ9CVUa1vgFqE= Received: by hmrc-email-gov.uk id huluj5octe0l for <bob123@whereever.com>; Fri, 11 May 2018 07:06:36 -0400 (envelope-from <noreply-bob123=whereever.com@hmrc-email-gov.uk>) Mime-Version: 1.0 Date: Fri, 11 May 2018 07:06:36 -0400 To: bob123@whereever.com Subject: Accelerated payment notice From: "HM Revenue & Customs" <noreply@hmrc-email-gov.uk> Content-Type: multipart/mixed; boundary=60306fda09ad4cde1f75f5c97bc15a42 Message-ID: <0.0.2.0.1D3E918211D293A.2143242@hmrc-email-gov.uk> Shown above: Screenshot from an email example. The RTF attachment Opening the RTF attachment triggers an exploit for CVE-2017-11882. Vulnerable Windows hosts would then be infected with Trickbot malware. This vulnerability was patched by Microsoft last year on 2017-11-14. People running Windows 10 should already have this patch automatically applied. Additionally, previous versions of Windows like Windows 7 should have been patched as part of the monthly security update process. Shown above: The RTF attachment opened on a vulnerable Windows host. Infection traffic Network traffic from an infected Windows host follows similar patterns as recent Trickbot infections I documented earlier this month on 2018-05-01 and 2018-05-03. We first see an HTTP GET request for the Trickbot malware binary followed by an IP address check. This is followed by SSL/TLS traffic over ports 447 and/or 449. Other HTTP GET requests for *table.png* and *toler.png* deliver follow-up malware. Shown above: Traffic from an infection filtered in Wireshark. Post-infection forensics The infected Windows host acted the same as previous Trickbot infections. Unlike many malware families that use the Windows registry to stay persistent, Trickbot infections are kept persistent through a scheduled task. Trickbot is a modular malware, and it contains various components under the directory tree where the Trickbot binary is stored. These components are encoded or otherwise encrypted when saved to disk. On a 64-bit Windows host, these file names end with Dll64. Shown above: Directory where Trickbot was made persistent as paulacsaig.exe. Shown above: Components noted in this Trickbot infection. Indicators The following are indicators seen from the Trickbot infection on Friday, 2018-05-11. Date and time the infection traffic began: Friday 2018-05-11 at 12:34 UTC. IP addresses, domains and URLs from the infection traffic: 194.116.187.130 port 80 - basedow-bilder.de - GET /gando.bin port 80 - ipecho.net - GET /plain 191.6.18.166 port 449 - SSL/TLS traffic caused by Trickbot 92.53.67.190 port 447 - SSL/TLS traffic caused by Trickbot 185.159.130.139 port 80 - 185.159.130.139 - GET /table.png 185.159.130.139 port 80 - 185.159.130.139 - GET /toler.png Attachment from the malspam: SHA256 hash: 64a73552356e540436bf362e68118615f3bea4e3bdb987e2bbd5b51570aa1f6f File size: 48,657 bytes File name: PaymentNotice.doc File description: RTF attachment disguised as Microsoft Word document Malware retrieved from an infected Windows host: SHA256 hash: 609cc34749da7ce6e8dbb3de9b7d0be03eca4cea63a4f3b1c383a3d483d0ecd6 File size: 348,160 bytes Location: C:\Users\[username]\AppData\Roaming\wsxmail\ File name: paulacsaig.exe File description: Trickbot malware binary SHA256 hash: 8bf06a4c2ef57383efdc8fe9b9860c8ede70c63f158b1f58ea9f1fb564710f50 File size: 360,448 bytes Location: C:\Users\[username]\AppData\Roaming\wsxmail\ File name: t6kt7xvto6zp9fs33ac4mgtohcwrnveo4dgzkyx9f3atga2ukjxruzfldc1brcn3.exe File description: Other malware related to the Trickbot infection Final words As always, properly-administered Windows hosts are not likely to get infected. As I mentioned earlier, the vulnerability used by this malspam attachment was patched in November 2017. Furthermore, system administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections. Pcap and malware samples for today's diary can be found here. --- Brad Duncan brad [at] malware-traffic-analysis.net	Brad 377 Posts ISC Handler May 14th 2018
Subscribe	May 14th 2018 2 years ago