TrickBot spread by Necurs botnet, adds Nordic countries to its targets
At around 09:00 BST yesterday, Forcepoint Security Labs™ observed a significant malicious email campaign from the Necurs botnet. Necurs is a prevalent botnet that is known to spreading Locky ransomware, pump-and-dump stock scams, and more recently the Jaff ransomware. This time Necurs has been seen spreading the Trickbot banking Trojan, complete with an updated set of targets.
The malicious email campaign ended at around 18:00 yesterday and nearly 9.6M related emails were captured and stopped by our system. The following is a sample screenshot of a related email:
In addition, below are details of this campaign:
| Subject | Attachment | Activity Period (BST) |
|---|---|---|
| {two digits}_Invoice_{four digits} | {three digits}_{four digits}.pdf | 09:00 - 15:00 |
| {eight digits}.pdf | {eight digits}.pdf | 11:00 - 13:00 |
| {blank subject} | SCAN_{four digits}.doc | 13:00 - 18:00 |
For the first two email subjects above, the infection chain is identical to what we have documented for Jaff - an attached PDF file contains a document file with a macro downloader which in turn downloads the Trickbot trojan.
Emails with blank subject, on the other hand, contained a document file with a macro downloader instead of a PDF.
Trickbot continues to expand its targets
Trickbot is a relatively new malware family that is believed to be a successor of the infamous Dyre family. It surfaced in in the wild in September last year, initially targeting banks in Australia and the UK. It has since continually expanded its target countries and banks.
The new campaign from yesterday contained the group tag “mac1”. It downloaded configuration files that contained an updated list of targeted financial institutions. From 51 targeted URLs listed in the “dinj” configuration file just last April, the configuration file now holds 130 targeted URLs. Among these updates are 16 targeted French banks which were prepended to the configuration file. Below is a screenshot of the decrypted configuration file showing this update:
Furthermore, the configuration file now also lists a number of PayPal URLs:
Another configuration file (“sinj”) has similarly been expanded: where it previously listed 109 targeted URLs, the updated one lists 333 URLs. This configuration now includes websites of thirty-four financial institutions in Sweden, Norway, Finland and Denmark.
Protection statement
Forcepoint™ customers are protected against this threat via Forcepoint Cloud Security, which includes the Advanced Classification Engine (ACE) as part of e-mail, web and NGFW security products. ACE (also known as Triton ACE) provides signature-less analytics to identify malicious intent, including evasion techniques to mask the malware.
Protection is in place at the following stages of attack:
Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) - Trickbot variants are prevented from being downloaded.
Stage 6 (Call Home) - Attempts by Trickbot to contact its C&C server are blocked.
Conclusion
Trickbot's use of the Necurs botnet to spread itself combined with the expansion of its targeted countries and financial institutions is a clear attempt to escalate its global operations. Malicious email campaigns such as these rely on the weakness of the human point of interaction with systems, with the final payload in this case likely having severe ramifications for those who fall prey to it.
We anticipate that Trickbot will only continue to expand its targets and Forcepoint Security Labs™ will continue to monitor developments to this threat.
Additional analysis provided by Ran Mosessco.
Indicators of Compromise
Download locations
hxxp://mybutterhalf[.]com/7gyb3ds hxxp://manish-choudhary[.]com/7gyb3ds hxxp://choralia[.]net/7gyb3ds hxxp://chqm168[.]com/7gyb3ds hxxp://shopf3[.]com/7gyb3ds hxxp://beursgays[.]com/7gyb3ds hxxp://shreekamothe[.]com/7gyb3ds hxxp://micolon[.]de/7gyb3ds hxxp://mytraveltrip[.]in/7gyb3ds hxxp://xinding[.]com/7gyb3ds hxxp://musee-champollion[.]fr/7gyb3ds hxxp://svagin[.]dk/7gyb3ds hxxp://spocom[.]de/7gyb3ds hxxp://muldefischer[.]de/7gyb3ds
Trickbot C2
185.6.127[.]134 149.202.30[.]126 212.24.110[.]76
Trickbot SHA-256 Hash
79d96a62622e4efb01fda23cf81b759e0059ad3cd3083acff7fb4174b0b3d40c