Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Day in the life of a researcher: Finding a wave of Trickbot malspam - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Day in the life of a researcher: Finding a wave of Trickbot malspam

Introduction

Mass-distribution campaigns pushing commonly-seen malware are not often considered newsworthy.  But these campaigns occur on a near-daily basis, and I feel they should be documented as frequently as possible.  Frequent documentation ensures we have publicly-available records that reveal how these campaigns evolve.  Minor changes add up over time.

Today's diary illustrates a small part of my workday, as I review information and track down a campaign using malicious spam (malspam) to distribute Trickbot malware.

Reporting methods

A growing number of people are using social media tools like Twitter to share information about malware and malicious network activity.  Twitter offers a near-real-time way to push information to a large amount of people.  Security professionals and enthusiasts can easily find, share, and act on this information.

Keep in mind this sort of public sharing should never include sensitive data.  You should never reveal your organization's internal network or divulge any classified or confidential documents.  Criminals are likely monitoring public-facing services like VirusTotal and other malware scanning sites, because they "are becoming containers for personal, business and even classified information..."

Some security professionals use private communication methods with a restricted audience, but those methods don't often apply to the vast majority of people working in information security.  When possible, I prefer to share malware information publicly.

Gathering information

Like many researchers, I use a combination of public and non-public resources when investigating malware.  One great public resource is URLhaus.  URLhaus is a project operated by abuse.ch that helps security researchers, vendors and law enforcement agencies make the Internet a safer place.

On Tuesday 2018-11-13, I was browsing through URLhaus and found two URLs tagged as Trickbot.  I've researched a great deal of Trickbot activity, so I knew these URLs could be traced to malspam with an attached Microsoft Office document using macros to download and install Trickbot.


Shown above:  Two URLs tagged as Trickbot according to URLhaus.

I checked my employer's tools, where I found at least 20 examples of malspam using attached Word documents with macros to generate these URLs.  The malspam was very recent, and no samples of the attached Word documents had yet been submitted to VirusTotal.  I could find information and file hashes from my employer's tools, but I could not acquire a Word doc to generate any infection traffic.

However, those two URLs from the URLhaus list were still active, so I used one to retrieve a Trickbot binary.  I then used that binary to infect a Windows host in my lab which generated the expected infection traffic.  Post-infection activity revealed the campaign ID as sat101.  These campaign IDs are tagged as <gtag> in configuration files on infected Windows hosts, and they can be used to determine distribution characteristics of the campaign.  For example, Trickbot using campaign IDs starting with "sat" are used in malspam targeting recipients in the United States.


Shown above:  Tuesday's Trickbot infection traffic filtered in Wireshark.

Quick reporting

With enough information to describe Tuesday's Trickbot campaign in the US, I wanted to quickly report it.  But compiling a blog post would take at least two hours.  Twitter was my speediest alternative.  I dumped the data to a Pastebin page, created some images, and tweeted the results.


Shown above:  The tweet I sent.

Final words

This diary shows a small part of my workday, and it reveals how I found a recent wave of Trickbot malspam.  As of 20:24 UTC on Tuesday 2018-11-13, none of the associated Word documents were available on VirusTotal.  But a sample of the Trickbot binary had been submitted to hybrid-analysis.com.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Brad

322 Posts
ISC Handler
Really enjoyed the article. Your statement "I checked my employer's tools, where I found at least 20 examples of malspam using attached Word documents with macros to generate these URLs" intrigued me. If possible, would you expan on, at least in generalities, what tools you use? I understand you might not be able to be specific, so maybe just some categories, or maybe tools you personally find helpful?

Regards
Anonymous
Thanks for the comments! Always appreciate the kind words.

Quoting Anonymous:If possible, would you expand on, at least in generalities, what tools you use?


I can't really go into my employer's tools, but I can talk about some of the publicly-available tools I use.

- VirusTotal Intelligence: A service paid for by my employer, allows people to retrieve malware and malspam samples submitted to VirusTotal. Cost-prohibitive if you want to pay for it on your own.
- Reverse.it / Hybrid-analysis.com: A malware analysis sandbox. Requires valid email to register for a free version. A way to share malware samples with the community.
- Any.run: Another malware analysis sandbox. Requires valid email to register for a free version. Tends to work better than Reverse.it / Hybrid-analysis.com for post-infection traffic. Free version very limited, though. Another way to share malware samples with the community.
- community.riskiq.com: RiskIQ community edition. Can get passive DNS info and other interesting data when searching IP addresses and domain names.

Hope this helps.
Brad

322 Posts
ISC Handler
Yes it does. Thanks for the response. I understand not being able to discuss your employers tools, we are in the same boat. But wouldn't it be nice if we could?

Thanks again.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!