An Italian malspam campaign has been identified with the objective of delivering TrickBot malware via an Excel attachment. The malware has been traced back to the sat1 botnet.

TrickBot is a banking trojan developed to steal login credentials for victims’ banking sites through the use of webinjects.

Since June 2018, TrickBot has been upgraded with new features that allow for lateral movement, enabling it to propagate from an infected client to a vulnerable domain controller. In some instances, TrickBot has been utilized as a vector to launch ransomware attacks.

Compromise occurs through the execution of an Excel file containing a malicious macro. The file is ostensibly signed with DocuSign software and prompts the victim to enable macros to “decrypt” the document.

The Excel file is actually a dropper. Its task is to download the TrickBot malware as a DLL and execute it via regsvr32. Once running, TrickBot retrieves the public IP address of the infected machine using the legitimate lookup service ident.me and proceeds to steal credentials, such as those stored in installed web browsers.
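The execution chain above (Excel spawning regsvr32, regsvr32 loading a DLL from a user-writable path, and the process then contacting ident.me) maps directly onto endpoint telemetry. The following is an added detection example, not code from the advisory or its authors: it matches constructed, flattened Sysmon-like records (process and network fields merged into one dict for brevity) against those three behaviours. Field names, file paths and the user name are assumptions.

```python
"""Flag the TrickBot dropper chain described in the advisory in endpoint events."""
import re

# Constructed sample records (not from the advisory). Real Sysmon telemetry splits
# process creation and network connections into separate events; they are merged
# here per process to keep the example short.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\mario\AppData\Local\Temp\trick.dll",
     "dest_host": ""},
    {"parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\mario\AppData\Local\Temp\trick.dll",
     "dest_host": "ident.me"},
    # Benign baseline: regsvr32 launched from Explorer on a system DLL.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll",
     "dest_host": ""},
]

OFFICE_RE = re.compile(r"\\(EXCEL|WINWORD|POWERPNT)\.EXE$", re.I)
# DLL argument living under a user profile or temp directory.
USER_PATH_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\", re.I)
# Public-IP lookup service named in the advisory; extend from your own telemetry.
IP_LOOKUP_HOSTS = {"ident.me"}


def is_regsvr32(path):
    return path.lower().endswith("\\regsvr32.exe")


def classify(event):
    """Return the names of the rules this event matches (empty if benign)."""
    hits = []
    if is_regsvr32(event["image"]):
        if OFFICE_RE.search(event["parent"]):
            hits.append("office_spawns_regsvr32")
        if USER_PATH_RE.search(event["cmdline"]):
            hits.append("regsvr32_dll_from_user_path")
        if event["dest_host"].lower() in IP_LOOKUP_HOSTS:
            hits.append("regsvr32_public_ip_lookup")
    return hits


def scan(events):
    """Map event index -> matched rules, keeping only events that fired."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Each rule on its own is noisy (regsvr32 on user-path DLLs does happen in some installers); the chain of all three on one host is what warrants an alert.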

Indicators of Compromise

TrickBot

  • MD5: fefcd3be7442dab1e25ed12903406a40
  • SHA-1: ec6d52468af5b590a1a2a9d041b894d9a144c99c
  • SHA-256: 930c7ac2d2e3dcd05a616c9bcd078c6c153e78c3506cef585b61442b1ab3b9ef

C2 server IP addresses
