I've been corresponding with @dvk01uk about malicious spam (malspam) pushing the Trickbot banking Trojan. Trickbot was first reported in the fall of 2016, and it's been described as a successor to Dyreza (also known as Dyre). In-depth analyses of recent versions of Trickbot have been published by the S2 Group and the Malwarebytes Blog, but @dvk01uk continues to find examples targeting the United Kingdom (UK) on a near-daily basis. These examples have been documented at My Online Security.
Recent waves of malspam pushing Trickbot are concerning, because domains used to send these emails are extremely plausible imitations of financial institutions or government sites. An average person can easily believe these sites are legitimate, when in fact they are not. Examples of fake sites from the past few weeks include:
Almost all of these domains were registered through GoDaddy using various names or privacy services, and they were hosted on servers using full email authentication and HTTPS. Many recipients could easily be tricked into opening the associated attachments.
Malspam pushing Trickbot ultimately uses malicious macros in Microsoft Office documents (like Word documents or Excel spreadsheets) to download and install the malware. Within the past week, this malspam has been using HTML attachments. These HTML files are designed to download Office documents using HTTPS in an effort to evade detection through encrypted network traffic.
HTML attachments to download Office documents, eh? It's not a new trick. But using this method, poorly-managed Windows hosts (or Windows computers using a default configuration) are susceptible to infection.
Today's diary investigates an example of this malspam from Monday 2017-08-14, originally documented here.
Email, HTML attachment, and Word document
I wasn't able to get a copy of the malspam. I only got the date, sending address, subject line, and the attachment's text. But that was enough to get an idea of the email and generate some infection traffic.
The malspam is disguised as a message from Santander Bank (US headquarters in Boston, Massachusetts, with locations in the UK, Brazil, and various other countries). The HTML attachment is designed to download a Word document if you double-click on it from a Windows host.
Why would someone enable macros on this Word document? Because they cannot use the login form on the page. Instructions in the document show how to enable macros if you cannot log in. It's silly, I know, but a technique like this could be trusted by an unsuspecting recipient.
With the Word document downloaded using HTTPS, we only see encrypted traffic to santanderdocs.co.uk. We then see an HTTP request to centromiosalud.es for a PNG image, but it actually returned a Windows executable. After that, we find IP address checks to various IP location services, along with encrypted traffic typical for Trickbot. The infected host occasionally downloaded malware again from centromiosalud.es using the same URL. I found at least two different versions of Trickbot on my infected Windows host.
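The mismatch described above, a URL for a PNG image that actually returns a Windows executable, is a useful detection point on its own. The following is an added example and not code from the diary: it parses a raw HTTP response, sniffs the body's magic bytes, and reports when the declared Content-Type disagrees with what the payload really is. The response bytes, the path and the header values are constructed to mirror the behaviour described; they are not the diary's IOCs.

```python
"""Flag HTTP responses whose declared Content-Type disagrees with the payload's magic bytes.

Added example, not from the diary. SAMPLE_PE_AS_PNG is a constructed response that
imitates the described behaviour (a .png URL returning a Windows PE file).
"""
from typing import Optional, Tuple

# Leading byte signatures for the file types relevant to this infection chain.
MAGIC = {
    b"MZ": "application/x-dosexec",                              # Windows PE (EXE/DLL)
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"PK\x03\x04": "application/zip",                            # also .docx/.xlsx/.docm containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "application/msword",   # OLE2 compound file (.doc/.xls)
}


def sniff(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the body's leading bytes, or None if unknown."""
    for sig, mime in MAGIC.items():
        if body.startswith(sig):
            return mime
    return None


def parse_http_response(raw: bytes) -> Tuple[dict, bytes]:
    """Split a raw HTTP/1.x response into a lowercase header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def content_type_mismatch(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (declared, actual) when the sniffed type disagrees with Content-Type.

    Returns None when they agree or when the body's type cannot be identified.
    """
    headers, body = parse_http_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    if actual is None or actual == declared:
        return None
    return declared, actual


# Constructed sample: server claims image/png but sends a PE header (MZ ... PE\0\0).
SAMPLE_PE_AS_PNG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: image/png\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 44
    + b"PE\x00\x00"
)

# Constructed benign sample: a real PNG signature with a matching Content-Type.
SAMPLE_REAL_PNG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
)

if __name__ == "__main__":
    for label, sample in (("pe-as-png", SAMPLE_PE_AS_PNG), ("real-png", SAMPLE_REAL_PNG)):
        print(label, content_type_mismatch(sample))
```

The same check applies to the first stage of this chain: an HTTPS download whose declared type is text/html or image/* but whose body starts with the OLE2 or ZIP signature of an Office document is worth a closer look at the proxy or sandbox, since the encrypted transport hides the URL but not the decrypted payload.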
Forensics on the infected host
The infected Windows host had artifacts in the user's AppData\Local\Temp and AppData\Roaming directories. The infected host also utilized a batch file to download malware from centromiosalud.es or cfigueras.com. A scheduled task was implemented to keep the malware persistent. The persistent malware was located in a folder named winapp under the user's AppData\Roaming directory. I left the infected host running for about two hours and saw the executable updated in the winapp folder at least twice.
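A scheduled task whose action points into a user's AppData\Roaming or AppData\Local\Temp folder is the kind of persistence described above and is cheap to hunt for. The following is an added example, not code from the diary: it parses Task Scheduler XML (the format produced by exporting a task) and lists tasks whose Exec action launches something from those profile directories. The two task definitions, the task names, the user name and the executable name are all constructed for illustration; the diary does not name the task or the binary.

```python
"""Triage exported Task Scheduler XML for actions that launch binaries from user-writable
profile paths such as AppData\\Roaming\\<folder> or AppData\\Local\\Temp.

Added example, not from the diary. CONSTRUCTED_TASKS imitates the persistence described
(an executable under a winapp folder in AppData\\Roaming) next to a benign vendor task.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespace used by Windows Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Profile directories where legitimate scheduled tasks rarely keep their executables.
SUSPECT_DIRS = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)


def task_commands(task_xml: str) -> List[Tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action in one task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((command, arguments))
    return actions


def suspicious_tasks(tasks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (task name, command) for tasks whose command or arguments hit SUSPECT_DIRS."""
    hits = []
    for name, task_xml in tasks.items():
        for command, arguments in task_commands(task_xml):
            if SUSPECT_DIRS.search(command) or SUSPECT_DIRS.search(arguments):
                hits.append((name, command))
    return hits


# Constructed task XML (no <?xml?> declaration so ET.fromstring accepts the str directly).
CONSTRUCTED_TASKS = {
    # Imitates the described persistence: binary under AppData\Roaming\winapp, run at logon.
    "winapp-updater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\victim\\AppData\\Roaming\\winapp\\update.exe</Command>
    </Exec>
  </Actions>
</Task>""",
    # Benign-looking vendor updater installed under Program Files.
    "ExampleVendorUpdate": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files (x86)\\ExampleVendor\\Update\\updater.exe"</Command>
      <Arguments>/silent /check</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, command in suspicious_tasks(CONSTRUCTED_TASKS):
        print(f"suspicious task: {name} -> {command}")
```

On a live host the XML for every task can be exported with `schtasks /query /xml` and fed to `suspicious_tasks`; the same directory pattern is worth applying to Run keys and to the file listing of AppData\Roaming, since the diary's host also kept its downloader batch file and the updated executables there.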
Indicators of compromise (IOCs)
This section contains IOCs associated with the 2017-08-14 Trickbot infection.
HTTPS request for the malicious Word document:
Follow-up HTTP request for a Windows executable:
IP address check by the infected host (not inherently malicious):
Trickbot post-infection SSL/TLS traffic:
Servers contacted by the infected Windows host that didn't respond:
Other hosts from the past 2 to 3 weeks that have sent Trickbot malspam:
As always, properly-managed Windows hosts following best security practices are unlikely to get infected by this malware. Unfortunately, many organizations and home users don't follow best practices. As long as criminals can abuse domain registrars and hosting providers, this type of malspam will occasionally manage to slip past spam filters and find vulnerable victims. You don't have to be a grandparent on your home computer to get infected.
Last week, on my previous diary, someone left a comment that included the following:
ALL editions of Windows support Software Restriction Policies; every administrator and his dog can easily prevent the execution of such "documents" and save these people from damage.
I agree. I just wish more people would follow that well-known advice.
Pcap and malware samples for this diary can be found here.
Aug 15th 2017