2018-07-18 - QUICK POST: TRICKBOT INFECTION WITH TOR TRAFFIC AND NEW MODULE

ASSOCIATED FILES:

NOTES:

  • 2018-07-11 - @VK_Intel reported an .onion domain in config data from a Trickbot sample (link to tweet).
  • Others on Twitter noticed these .onion domains in Trickbot configs.
  • 2018-07-16 - @VK_Intel posts "Let's Learn: Decoding Latest "TrickBot" Loader String Template & New Tor Plugin Server Communication" (link).
  • 2018-07-18 - I've generated Trickbot infections this past week, but today is the first time I've noticed Tor traffic during the infection.
  • 2018-07-18 - Today is also the first time I've noticed the NewBCtestDll64 module in my Trickbot-infected Windows hosts.


IMAGES


Shown above: I saw a new "BackConnect" module in Trickbot today.



Shown above: I also saw some Tor traffic in today's infection.



Shown above: Trickbot also infected the domain controller in this AD environment.



Shown above: Export SMB objects from this pcap...



Shown above: And you'll find a Trickbot binary sent over SMB.
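Once the SMB objects are exported, a quick way to pick out the executable among them is to parse each file's DOS and PE headers rather than trusting file names. The script below is an added example, not part of the original post; the sample bytes it checks are constructed, and the export directory and file names are assumptions.

```python
import hashlib
import struct
import tempfile
from pathlib import Path
from typing import List, Optional

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64
IMAGE_FILE_DLL = 0x2000  # Characteristics bit set on DLLs

def inspect_pe(data: bytes) -> Optional[dict]:
    """Return machine type, DLL flag, section count and SHA-256 if data is a PE file, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _, flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "is_dll": bool(flags & IMAGE_FILE_DLL),
        "sections": nsections,
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def triage_directory(directory: str) -> List[dict]:
    """Check every file Wireshark wrote (File > Export Objects > SMB) and report the PE files."""
    hits = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            info = inspect_pe(path.read_bytes())
            if info:
                hits.append({"file": path.name, **info})
    return hits

def constructed_sample() -> bytes:
    """Constructed stand-in for an exported object: a DOS header plus a COFF header
    with the x64 machine type and the DLL flag set. Not a real or runnable binary."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0, 0x2022)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stands in for the export directory
        Path(tmp, "object1.bin").write_bytes(constructed_sample())
        Path(tmp, "object2.txt").write_bytes(b"plain text, not an executable")
        for hit in triage_directory(tmp):
            print(hit)
```

Point `triage_directory` at the real export folder to list each PE object with its architecture, DLL flag and SHA-256 for further checking.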


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
