I've consistently noted malicious spam (malspam) distributing Trickbot malware 2 or 3 days every week. My Online Security frequently documents this malspam, and it has occurred on at least five occasions this month from 2018-05-01 through 2018-05-11.
Last week, this Trickbot malspam tried some new tricks. On Wednesday 2018-05-09, Xavier Mertens posted a diary about this campaign using a fake notice for a Adobe PDF web-plugin update to push Trickbot. But by Friday 2018-05-11, this malspam was back to using an RTF attachment that exploits CVE-2017-11882. This is the Microsoft Equation Editor vulnerability. Malspam from this campaign has been routinely using these type of RTF attachments since early April 2018.
Today's diary reviews an RTF attachment using an exploit for CVE-2017-11882 to push Trickbot on Friday, 2018-05-11.
Email headers from this malspam campaign follow consistent patterns. These emails have a DKIM signature, and the envelope is spoofed as being from noreply-[recipient's email address]@[whatever domain is being used& that day]. An example of the email headers from Friday 2018-05-11 follow. I've replaced the recipient's email address with firstname.lastname@example.org.
The RTF attachment
Opening the RTF attachment triggers an exploit for CVE-2017-11882. Vulnerable Windows hosts would then be infected with Trickbot malware. This vulnerability was patched by Microsoft last year on 2017-11-14. People running Windows 10 should already have this patch automatically applied. Additionally, previous versions of Windows like Windows 7 should have been patched as part of the monthly security update process.
Network traffic from an infected Windows host follows similar patterns as recent Trickbot infections I documented earlier this month on 2018-05-01 and 2018-05-03. We first see an HTTP GET request for the Trickbot malware binary followed by an IP address check. This is followed by SSL/TLS traffic over ports 447 and/or 449. Other HTTP GET requests for table.png and toler.png deliver follow-up malware.
The infected Windows host acted the same as previous Trickbot infections. Unlike many malware families that use the Windows registry to stay persistent, Trickbot infections are kept persistent through a scheduled task. Trickbot is a modular malware, and it contains various components under the directory tree where the Trickbot binary is stored. These components are encoded or otherwise encrypted when saved to disk. On a 64-bit Windows host, these file names end with Dll64.
The following are indicators seen from the Trickbot infection on Friday, 2018-05-11.
Date and time the infection traffic began: Friday 2018-05-11 at 12:34 UTC.
IP addresses, domains and URLs from the infection traffic:
Attachment from the malspam:
Malware retrieved from an infected Windows host:
As always, properly-administered Windows hosts are not likely to get infected. As I mentioned earlier, the vulnerability used by this malspam attachment was patched in November 2017. Furthermore, system administrators and the technically inclined can also implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
Pcap and malware samples for today's diary can be found here.
May 14th 2018
7 months ago