Sign In with your
Trend Micro Account
需要協助?
需要協助?

若您需要技術支援,請 按此建立案件。

Trickbot resurges as part of Emotet's secondary infection

    • 更新於:
    • 23 Oct 2019
    • 產品/版本:
    • Deep Security 11.0
    • Deep Security 11.1
    • Deep Security 11.2
    • Deep Security 11.3
    • Deep Security 12.0
    • Email Encryption Gateway
    • OfficeScan 11.0
    • OfficeScan XG
    • Worry-Free Business Security Standard 10.0
    • Worry-Free Business Security Standard 9
    • Worry-Free Business Security Standard 9.5
    • 作業系統:
概要

Trickbot was first discovered on August 2016 as a banking Trojan which infected computers to steal email passwords and address books to spread malicious emails from compromised email accounts. It had developed new capabilities and techniques with new modules to trick users into revealing their online banking credentials. It then exfiltrate and receive the information on the attacker’s side.

Trickbot now has an additional spamming module which is known as “TrickBooster” which sends spam mails from infected computers to increase the spread of Trickbot infections. It then removes the sent messages from both outbox and sent item folders to avoid detection. It is commonly distributed in spearphishing attacks by using fake invoices and bank documents. This malware can also leverage a vulnerability in Server Message Block (SMB) to quickly propagate to other systems on the same network. Emotet, another widespread Trojan malware is also known to drop Trickbot as part of its secondary infection in Emotet-infected machines.

Behaviors

  • Dropped by Emotet’s Malware-as-a-Service capability as part of secondary infection
  • Remains undetected by user and gains persistence by creating a Scheduled Task
  • Takes advantage of open redirections and server side injections to steal login information from user’s banking session
  • Steals user data such as login state, website preferences, personalized content
  • Steals remote desktop application credentials, email credentials, internet browser credentials
  • Steals computer data operating system (OS) information, memory information, user accounts, installed programs, installed services, network information
  • Steals information regarding Point-of-Sale (POS) systems in the network
  • Disables Windows Defender and lowers down machine security

Capabilities

  • Information Theft
  • Exploits
  • Propagation

Impact

  • Financial loss – steals banking information
  • Compromise system security - can disable someone’s security software
  • Violation of user privacy - gathers and steals user credentials of various applications

Infection Chain

Infection Chain

Sample: Invoice attachment spam

Sample Spam

Additional reference

Threat Encyclopedia - TrojanSpy.Win32.TRICKBOT.TIGOCDC

詳情
Public
Solution ModulesSolution AvailablePattern BranchRelease DateDetection/Policy/Rules
Email ProtectionYesAS Pattern 4984October 17, 2019-
URL ProtectionYesIn the Cloud--
Advanced Threat Scan Engine (ATSE)Yes15.435.00October 16, 2019-
Predictive Learning (TrendX)YesIn the Cloud-

Downloader.VBA.TRX.XXVBAF01FF005
Troj.Win32.TRX.XXPE50FFF031
Troj.Win32.TRX.XXPE50FFF031P0005
Troj.Win32.TRX.XXPE50FFF032

File detection (VSAPI)YesENT OPR 15.435.00October 16, 2019

TrojanSpy.Win32.TRICKBOT.SMB1.hp
Trojan.BAT.TRICKBOT.AMS
Trojan.PS1.TRICKBOT.AA
Trojan.VBS.TRICKBOT.K
Trojan.W97M.TRICKBOT.F
Trojan.Win32.TRICKBOT.ENC
Trojan.XML.TRICKBOT.BH
TrojanSpy.MSIL.TRICKBOT.AF
TrojanSpy.Win32.TRICKBOT.TIGOCDZ
TrojanSpy.XML.TRICKBOT.TIGOCAY

Network PatternYesNCIP 1.13637.00
NCCP 1.13601.00
March 20, 2019HTTP_TRICKBOT_REQUEST
Behavioral Monitoring (AEGIS)YesTMTD OPR 1761March 12, 2018-
Premium
Internal
評價:
分類:
Remove a Malware / Virus
解決方案ID:
000151175
評定這個解決方案
本文是否幫助解決您的問題?

感謝您的意見!

請留下您的Email方便進一步的聯繫,協助我們改進文章內容:
我們不會透過以上Email寄送任何可能騷擾您的垃圾信.

本意見調查系統為自動運作,將不會回覆如銷售、技術、產品等一般問題.

若您需要協助,請聯繫對應的技術支援窗口. 聯絡我們


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.