{"id":2628,"date":"2021-06-14T11:24:54","date_gmt":"2021-06-14T09:24:54","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2628"},"modified":"2026-03-30T11:03:47","modified_gmt":"2026-03-30T11:03:47","slug":"malware-trickbot-giugno-2021","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/uncategorized-it\/malware-trickbot-giugno-2021\/","title":{"rendered":"Malware TrickBot &#8211; June 2021"},"content":{"rendered":"\n<p>An Italian <strong>malspam<\/strong> campaign has been identified with the objective of delivering <strong>TrickBot<\/strong> malware via an Excel attachment. The malware has been traced back to the <strong>sat1<\/strong> botnet.<\/p>\n\n\n\n<p>TrickBot is a banking trojan developed to steal login credentials for victims&#8217; banking sites through the use of <em>webinjects<\/em>.<\/p>\n\n\n\n<p>Since June 2018, TrickBot has been upgraded with new features that allow for lateral movement, enabling it to propagate from an infected client to a vulnerable domain controller. In some instances, TrickBot has been utilized as a vector to launch Ransomware attacks.<\/p>\n\n\n\n<p>Compromise occurs through the execution of an Excel file containing a malicious macro. The file is ostensibly signed with <strong>DocuSign<\/strong> software and prompts the victim to enable macros to &#8220;decrypt&#8221; the document.<\/p>\n\n\n\n<p>The Excel file is actually a <strong>dropper<\/strong>. Its task is to download and execute the <strong>TrickBot<\/strong> malware as a DLL via <em>regsvr32<\/em>. 
It then retrieves the public IP address of the infected machine using the legitimate lookup service <strong>ident.me<\/strong> and proceeds to steal credentials, such as those stored in installed web browsers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">TrickBot<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>MD5:<\/strong> fefcd3be7442dab1e25ed12903406a40<\/li>\n\n\n\n<li><strong>SHA1:<\/strong> ec6d52468af5b590a1a2a9d041b894d9a144c99c<\/li>\n\n\n\n<li><strong>SHA256:<\/strong> 930c7ac2d2e3dcd05a616c9bcd078c6c153e78c3506cef585b61442b1ab3b9ef<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">C2 Server IP Addresses<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>185.180.99.125<\/li>\n\n\n\n<li>180.178.106.50<\/li>\n\n\n\n<li>95.217.228.176<\/li>\n\n\n\n<li>27.110.228.186<\/li>\n\n\n\n<li>123.231.149.122<\/li>\n\n\n\n<li>115.127.160.171<\/li>\n\n\n\n<li>181.196.16.58<\/li>\n\n\n\n<li>45.5.152.39<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>An Italian malspam campaign has been identified with the objective of delivering TrickBot malware via an Excel attachment. The malware has been traced back to the sat1 botnet. TrickBot is a banking trojan developed to steal login credentials for victims&#8217; banking sites through the use of webinjects. 
Since June 2018, TrickBot has been upgraded with [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2643,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[954],"tags":[57,212,285,307,361],"class_list":["post-2628","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized-it","tag-botnet","tag-malware","tag-rat","tag-sat1","tag-trickbot"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2628"}],"version-history":[{"count":3,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2628\/revisions"}],"predecessor-version":[{"id":9758,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2628\/revisions\/9758"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}