Introduction I've consistently noted malicious spam (malspam) distributing Trickbot malware 2 or 3 days every week. My Online Security frequently documents this malspam, and it has occurred on at least five occasions this month from 2018-05-01 through 2018-05-11. Last week, this Trickbot malspam tried some new tricks. On Wednesday 2018-05-09, Xavier Mertens posted a diary about this campaign using a fake notice for a Adobe PDF web-plugin update to push Trickbot. But by Friday 2018-05-11, this malspam was back to using an RTF attachment that exploits CVE-2017-11882. This is the Microsoft Equation Editor vulnerability. Malspam from this campaign has been routinely using these type of RTF attachments since early April 2018. Today's diary reviews an RTF attachment using an exploit for CVE-2017-11882 to push Trickbot on Friday, 2018-05-11.
The email Email headers from this malspam campaign follow consistent patterns. These emails have a DKIM signature, and the envelope is spoofed as being from noreply-[recipient's email address]@[whatever domain is being used& that day]. An example of the email headers from Friday 2018-05-11 follow. I've replaced the recipient's email address with bob123@whereever.com. Received: from [79.142.64.227] ([79.142.64.227:39244] helo=hmrc-email-gov.uk) by [removed];
(envelope-from <noreply-bob123=whereever.com@hmrc-email-gov.uk>) [removed]; Fri, 11 May 2018 11:23:02 -0000 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=hmrc-email-gov.uk; h=Mime-Version:Date:To:Subject:From:Content-Type:Message-ID; bh=pXEjZNFF+nNw2PPQpsYXr5oWSmA=; b=FL6DqNISXS60W7USA4vCzy4z7Ya/Ikw5uR3y9lbsJ+Mgi4oawDyvFH55IH4lbRrPQNyhnmgvrAwd t5YpMPB3JCl9Mke0Izf8ltDQLBSAt2vV3qP8oC/WKI4fzuFEEB9diL4IHDDbYYUb32N4SjPaKro8 J6bRiNjZ9CVUa1vgFqE= Received: by hmrc-email-gov.uk id huluj5octe0l for <bob123@whereever.com>; Fri, 11 May 2018 07:06:36 -0400 (envelope-from <noreply-bob123=whereever.com@hmrc-email-gov.uk>) Mime-Version: 1.0 Date: Fri, 11 May 2018 07:06:36 -0400 To: bob123@whereever.com Subject: Accelerated payment notice From: "HM Revenue & Customs" <noreply@hmrc-email-gov.uk> Content-Type: multipart/mixed; boundary=60306fda09ad4cde1f75f5c97bc15a42 Message-ID: <0.0.2.0.1D3E918211D293A.2143242@hmrc-email-gov.uk>
The RTF attachment Opening the RTF attachment triggers an exploit for CVE-2017-11882. Vulnerable Windows hosts would then be infected with Trickbot malware. This vulnerability was patched by Microsoft last year on 2017-11-14. People running Windows 10 should already have this patch automatically applied. Additionally, previous versions of Windows like Windows 7 should have been patched as part of the monthly security update process.
Infection traffic Network traffic from an infected Windows host follows similar patterns as recent Trickbot infections I documented earlier this month on 2018-05-01 and 2018-05-03. We first see an HTTP GET request for the Trickbot malware binary followed by an IP address check. This is followed by SSL/TLS traffic over ports 447 and/or 449. Other HTTP GET requests for table.png and toler.png deliver follow-up malware.
Post-infection forensics The infected Windows host acted the same as previous Trickbot infections. Unlike many malware families that use the Windows registry to stay persistent, Trickbot infections are kept persistent through a scheduled task. Trickbot is a modular malware, and it contains various components under the directory tree where the Trickbot binary is stored. These components are encoded or otherwise encrypted when saved to disk. On a 64-bit Windows host, these file names end with Dll64.
Indicators The following are indicators seen from the Trickbot infection on Friday, 2018-05-11. Date and time the infection traffic began: Friday 2018-05-11 at 12:34 UTC. IP addresses, domains and URLs from the infection traffic:
Attachment from the malspam: SHA256 hash: 64a73552356e540436bf362e68118615f3bea4e3bdb987e2bbd5b51570aa1f6f
Malware retrieved from an infected Windows host: SHA256 hash: 609cc34749da7ce6e8dbb3de9b7d0be03eca4cea63a4f3b1c383a3d483d0ecd6
SHA256 hash: 8bf06a4c2ef57383efdc8fe9b9860c8ede70c63f158b1f58ea9f1fb564710f50
Final words As always, properly-administered Windows hosts are not likely to get infected. As I mentioned earlier, the vulnerability used by this malspam attachment was patched in November 2017. Furthermore, system administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections. Pcap and malware samples for today's diary can be found here. --- |
Brad 435 Posts ISC Handler May 14th 2018 |
Thread locked Subscribe |
May 14th 2018 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!