Threat Research

Quick Analysis of New Method for Spreading TrickBot

By Xiaopeng Zhang | April 29, 2019

Breaking Threat Research from FortiGuard Labs

 

On Friday, April 26, 2019, FortiGuard Labs captured a suspicious email. After a quick analysis, I discovered that it was spreading the malware TrickBot. This piece of malware is a kind of component loader, which can download other malicious components and execute them in TrickBot.

The email content is shown in Figure 1.

Figure 1. Suspicious email content

The email includes a hyperlink that points to the URL “https://www.*****.com/invoice-manager/” (I used “*” in the URL to protect the website).

I manually opened the URL in a browser, which then downloaded a Zip archive. Upon inspection I could see that there was only one VBS file in the Zip archive. You can see more information in Figure 2. I then searched the URL on Google and I found that this should be a normal website about traveling that seems to have possibly been compromised by an attacker to provide their malware download service. As a responsible cybersecurity company, we immediately notified the website owners of the details of this campaign.

Figure 2. The downloaded Zip archive and partial content of the VBS file    

Once the victim runs the “21--25.vbs” it downloads an executable file from the URL “https://waldema******.de/geirbyholle.exe” (I again obscured letters in the URL), renames it as “a.exe”, and executes it. This URL being used as a downloader points to a normal shopping website, which seems to have likely been compromised as well. As before, we notified this website owner of its compromise.

“a.exe” is a TrickBot sample that is installed in “Task Scheduler” on the victim’s system. The “a.exe” is then relocated into its home folder, named “gpuDriver” under the user folder of “%AppData%”. It’s the same action as documented in previous versions.

Figure 3 and 4 below show TrickBot in “Task Scheduler” and a snapshot of its home folder.

Figure 3. TrickBot installed in “Task Scheduler”

Figure 4. Snapshot of TrickBot home folder

Over the past few years we have written a number technique blogs for this malware. You can search for them on our website for more details.

Like previous versions, this one uses a similar process for submitting information to its C&C server, which is the packet of command 90, as you can see in Figure 5.

Figure 5. Snapshot of command 90

I’m currently conducting more research on this new variant of TrickBot and its downloaded components. If anything new is used in this campaign, I’ll provide an update in another blog.

Solutions

The first VBS Zip download URL is rated as spam, and the download URL for “a.exe” is rated as Malicious Websites by the FortiGuard Web Filtering service. The downloaded “a.exe” is detected as “W32/Kryptik.GSNL!tr” by the FortiGuard Antivirus service.

Sample SHA256

[a.exe]
3851DEB85302B7E0DDF8241A3B9AC4EF0CF6887E2CE4AF9E4FAC6FBA5429613A
[21--25.zip]
EDAA3BDB75FF00AC4064E20E6C211A77A1404E27FF7E9954667D7C00EDEB2856
[21--25.vbs]
7A431625E6EC7799CE3B1F0F95B80F0646F7D3A92B2BD5436B15548A83FCE963