Introduction

Ive been corresponding with @dvk01uk about malicious spam (malspam) pushing the Trickbot banking Trojan. Trickbot was first reported in the fall of 2016, and its been described as a successor to Dyreza (also known as Dyre). In-depth analysis on recent versions of Trickbot have been published by the S2 Group and the Malwarebytes Blog, but @dvk01uk continues to find examples targeting the United Kingdom (UK) on a near-daily basis. These examples have been documented at My Online Security.

Recent waves of malspam pushing Trickbot are concerning, because domains used to send these emails are extremely plausible imitations of financial institutions or government sites. An average person can easily believe these sites are legitimate, when in fact they are not. Examples of fake sites from the past few weeks include:

  • hsbcdocs.co.uk
  • hmrccommunication.co.uk
  • lloydsbacs.co.uk
  • nationwidesecure.co.uk
  • natwestdocuments6.ml
  • santanderdocs.co.uk
  • santandersecuremessage.com
  • securenatwest.co.uk

Almost all of these domains were registered through GoDaddy using various names or privacy services. And these domains were implemented on servers using full email authentication and HTTPS. Many recipients could easily be tricked into opening the associated attachments.

Malspam pushing Trickbot ultimately uses malicious macros in Microsoft Office documents (like Word documents or Excel spreadsheets) to download and install the malware. Within the past week, this malspam has been using HTML attachments. border-width:2px” />
Shown above: Chain of events for an infection from this malspam.

HTML attachments to download Office documents, eh? Its not a new trick. But using this method, poorly-managed Windows hosts (or Windows computers using a default configuration) are susceptible to infection.

Todays diary investigates an example of this malspam from Monday 2017-08-14, originally documented here.

Email, HTML attachment, and Word document

I wasnt able to get a copy of the malspam. I only got the date, sending address, subject line, and the attachments text. But that was enough to get an idea of the email and generate some infection traffic.

The malspam is disguised as a message from Santander Bank (US headquarters in Boston, Massachusetts, with locations in the UK, Brazil, and various other countries). border-width:2px” />
Shown above: border-width:2px” />
Shown above: border-width:2px” />
Shown above: border-width:2px” />
Shown above: Enable macros on the Word document to get infected.

Network traffic

With the Word document downloaded using HTTPS, we only see encrypted traffic to santanderdocs.co.uk. We then see an HTTP request to centromiosalud.es for a PNG image, but it actually returned a Windows executable. After that, we find IP address checks to various IP location services, along with encrypted traffic typical for Trickbot. The infected host occasionally downloaded malware again from centromiosalud.es using the same URL. border-width:2px” />
Shown above: border-width:2px” />
Shown above: border-width:2px” />
Shown above: border-width:2px” />
Shown above: SYN packets show the infected host contacting 2 IP addresses that didnt respond.

Forensics on the infected host

The infected Windows host had artifacts in the users AppDataLocalTemp and AppDataRoaming directories. The infected host also utilized a batch file to download malware from centromiosalud.es or cfigueras.com. A scheduled task was implemented to keep the malware persistent. The persistent malware was located in a folder named winapp under the users AppDataRoaming directory. border-width:2px” />
Shown above: Artifacts in the user border-width:2px” />
Shown above: border-width:2px” />
Shown above: Malware in the user border-width:2px” />
Shown above: border-width:2px” />
Shown above: Scheduled task used to keep the malware persistent.

Indicators of compromise (IOCs)

This section contains IOCs associated with the 2017-08-14 Trickbot infection.

HTTPS request for the malicious Word document:

  • 160.153.162.141 port 443 – santanderdocs.co.uk – GET /SecureDoc.doc

Follow-up HTTP request for a Windows executable:

  • 178.255.225.215 port 80 – centromiosalud.es – GET /armanistand.png
  • 51.254.83.17 port 80 – cfigueras.com – GET /armanistand.png

IP address check by the infected host (not inherently malicious):

  • ipinfo.io – GET /ip
  • ipecho.net – GET /plain
  • icanhazip.com – GET /

Trickbot post-infection SSL/TLS traffic:

  • 185.40.20.46 port 443
  • 185.40.20.48 port 443
  • 185.141.26.86 port 443
  • 185.208.170.129 port 443
  • 210.16.102.142 port 447

Servers contacted by the infected Windows host that didnt respond:

  • 162.248.75.99 port 447
  • 194.87.103.27 port 447

Other hosts from the past 2 to 3 weeks that have sent Trickbot malspam:

  • hsbcdocs.co.uk
  • hmrccommunication.co.uk
  • lloydsbacs.co.uk
  • nationwidesecure.co.uk
  • natwestdocuments6.ml
  • santandersecuremessage.com
  • securenatwest.co.uk

Associated files:

SHA256 hash: fec0812faf0e20a55bb936681e4cca7aeb3442b425b738375a8ee192e02fe602

  • File name: SecureDoc.doc
  • File description: Word document with malicious macros

SHA256 hash: 5f8dfebcee9d88576ebdc311d9ca1656d760b816eea4a74232895b547a88b5fb

  • File location: C:Users[username]AppDataLocalTempCqgcf.exe
  • File description: Executable downloaded after enabling Word macros

SHA256 hash: dd519253f01d706573215f115528c59c606107a235f6052533226d0444731688

  • File location: C:Users[username]AppDataRoamingwinappBpfbe.exe
  • File description: Initial Trickbot binary

SHA256 hash: c2f73e08d9f1429833ffb81325c3f77655f1680f0b466889a27b623e00288402

  • File location: C:Users[username]AppDataRoamingwinappBpfbe.exe
  • File description: Updated Trickbot binary

Final words

As always, properly-managed Windows hosts following best security practices are unlikely to get infected by this malware. Unfortunately, many organizations and home users dont follow best practices. As long as criminals can abuse domain registrars and hosting providers, this type of malspam will occasionally manage to slip past spam filters and find vulnerable victims. You don border-width:2px” />
Shown above: every administrator and his dog can easily prevent the execution of such documents and save these people from damage.

I agree. I just wish more people would follow that well-known advice.

Pcap and malware samples for this diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.