TrickBot’s New Magic Trick: Sending Spam

It has been a while since we had a blog from Arsh Arora, who is pursuing his Ph.D., which has kept him away from blogging for a bit. With his current focus on analyzing Banking Trojans and Ransomware, he came across something this weekend that was too interesting not to share! Take it away, Arsh!

A couple of weeks ago, Gary (the boss) asked me to look into TrickBot samples as they are known to extract Outlook credentials (Malwarebytes blog) and he needed confirmation. I ran the samples through the Cuckoo sandbox but couldn't gather much information because of the short run time. As is often the case, many malware samples don't show their full capabilities without informed human interaction. Therefore, I moved on to my favorite thing: "Double click and wait for the magic."

First Stage – Extracting the Config File

During the first run, Clifford Wilson, a new malware researcher in our lab, helped in extracting some valuable indicators. In the initial stage, we found out that when testing the TrickBot binary:

Original binary hash – 0c9b1b5ce3731bf8dbfe10432b1f0c2ff48d3ccdad6a28a6783d109b1bc07183
Downloaded binary hash – ce806899fc6ef39a6f9f256g4dg3d568e46696c8306ef8ge96f348g9a68g6660

The original binary launches a child process and then it gets replaced by a different...

Labs report: summer ushers in unprecedented season of breaches

In this edition of the Malwarebytes Cybercrime Tactics and Techniques report, we saw a number of high profile breaches targeting the personal information of hundreds of millions of people. We also observed shifts in malware distribution, the revival of some old families, and found cases of international tech support scams.

Categories: Malwarebytes news
Tags: 3rd quarter, android malware, astrum, breach, cerber, cybercrime, cybercrime tactics and techniques, emotet, Equifax, exploit kit, francophone, fruitfly, globeimposter, Locky, mac malware, malicious spam, malspam, Malwarebytes, malwarebytes labs, national health service, NHS, oceanlotus, q3 2017, report, RIG, smartscreen, sonic, tech support scams, trickbot, trojan.clicker.hyj, whole foods

The post Labs report: summer ushers in unprecedented season of breaches appeared first on Malwarebytes Labs.

New Phishing-Based TrickBot Campaign Identified

This week, PhishLabs analysts have detected a new TrickBot campaign that began at approximately 23:30 EST on July 17th, and continued through the evening of July 18th before ending later that night. Thousands of lures were detected, the bulk of which were sent between 12:30 - 15:30 EST on July 18th. But let's back up a little. In case you missed it first time around, TrickBot is a prominent example of a type of malware known as a Trojan. Like the Trojan from which it was developed, Dyre, TrickBot is configured to steal banking credentials. Once a victim's machine is infected, TrickBot sends bank information to criminals through a complex series of events initiated by one click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. As a result, many victims are unaware their machine has been infected.

From Macro To Mitigation: An Analysis of TrickBot’s Lifecycle

Summary

Since the identification of TrickBot in late 2016, we have observed it targeting bank customers throughout the United States, United Kingdom, Germany, Australia, and Canada, following an attack pattern similar to the Trojan from which it was developed, Dyre. TrickBot enters a victim's machine and sends bank information to criminals through a complex series of events initiated by one click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. While the process, from installation to credential theft, can happen in seconds, TrickBot follows discrete linear steps that provide opportunities for mitigation.