menu

Contact Us

1 (800) 723-1166 |

Security Labs

HomeSecurity LabsTrickBot spread by Necurs Botnet, Adds Nordic Countries to its Targets
HomeSecurity LabsTrickBot spread by Necurs Botnet, Adds Nordic Countries to its Targets

TrickBot spread by Necurs Botnet, Adds Nordic Countries to its Targets

At around 09:00 BST yesterday, Forcepoint Security Labs™ observed a significant malicious email campaign from the Necurs botnet. Necurs is a prevalent botnet that is known to spread Locky ransomware, pump-and-dump stock scams, and more recently the Jaff ransomware.

This time, however, Necurs has been observed spreading the Trickbot banking Trojan for the first time. The malicious email campaign ended at around 18:00 yesterday and nearly 9.6M related emails were captured and stopped by our system. The following is a sample screenshot of a related email:

In addition, below are details of this campaign:

Subject Attachment Activity Period (BST)
{two digits}_Invoice_{four digits} {three digits}_{four digits}.pdf 09:00 - 15:00
{eight digits}.pdf {eight digits}.pdf 11:00 - 13:00
{blank subject} SCAN_{four digits}.doc 13:00 - 18:00

For the first two email subjects above, the infection chain is identical to what we have documented for Jaff - an attached PDF file contains a document file with a macro downloader which in turn downloads the Trickbot trojan.

Emails with blank subject, on the other hand, contained a document file with a macro downloader instead of a PDF.

Trickbot Continues to Expand its Targets

Trickbot is a relatively new malware family that is believed to be a successor of the infamous Dyre family. It surfaced in in the wild in September last year, initially targeting banks in Australia and the UK. It has since continually expanded its target countries and banks.

The new campaign from yesterday contained the group tag “mac1”. It downloaded configuration files that contained an updated list of targeted financial institutions. From 51 targeted URLs listed in the “dinj” configuration file just last April, the configuration file now holds 130 targeted URLs. Among these updates are 16 targeted French banks which were prepended to the configuration file. Below is a screenshot of the decrypted configuration file showing this update:

Furthermore, the configuration file now also lists a number of PayPal URLs:

Another configuration file (“sinj”) has similarly been expanded: where it previously listed 109 targeted URLs, the updated one lists 333 URLs. This configuration now includes websites of thirty-four financial institutions in Sweden, Norway, Finland and Denmark.


Protection Statement

Forcepoint™ customers are protected against this threat via Forcepoint Cloud Security, which includes the Advanced Classification Engine (ACE) as part of e-mail, web and NGFW security products. ACE (also known as Triton ACE) provides signature-less analytics to identify malicious intent, including evasion techniques to mask the malware.

Protection is in place at the following stages of attack:

Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) - Trickbot variants are prevented from being downloaded.
Stage 6 (Call Home) - Attempts by Trickbot to contact its C&C server are blocked.

Conclusion

Trickbot's use of the Necurs botnet to spread itself combined with the expansion of its targeted countries and financial institutions is a clear attempt to escalate its global operations. Malicious email campaigns such as these rely on the weakness of the human point of interaction with systems, with the final payload in this case likely having severe ramifications for those who fall prey to it.

We anticipate that Trickbot will only continue to expand its targets and Forcepoint Security Labs™ will continue to monitor developments to this threat.

Additional analysis provided by Ran Mosessco.

Indicators of Compromise

Download locations

hxxp://mybutterhalf[.]com/7gyb3ds
hxxp://manish-choudhary[.]com/7gyb3ds
hxxp://choralia[.]net/7gyb3ds
hxxp://chqm168[.]com/7gyb3ds
hxxp://shopf3[.]com/7gyb3ds
hxxp://beursgays[.]com/7gyb3ds
hxxp://shreekamothe[.]com/7gyb3ds
hxxp://micolon[.]de/7gyb3ds
hxxp://mytraveltrip[.]in/7gyb3ds
hxxp://xinding[.]com/7gyb3ds
hxxp://musee-champollion[.]fr/7gyb3ds
hxxp://svagin[.]dk/7gyb3ds
hxxp://spocom[.]de/7gyb3ds
hxxp://muldefischer[.]de/7gyb3ds

Trickbot C2

185.6.127[.]134
149.202.30[.]126
212.24.110[.]76

Trickbot SHA-256 Hash

79d96a62622e4efb01fda23cf81b759e0059ad3cd3083acff7fb4174b0b3d40c