2018-08-17 - TRICKBOT UPDATES PROPAGATION FROM INFECTED CLIENT TO DC
ASSOCIATED FILES:
- 2018-08-17-Emotet-plus-Trickbot-infection-traffic.pcap.zip 12.7 MB (12,686,630 bytes)
- 2018-08-17-malware-and-artifacts-from-Emotet-plus-Trickbot-infection.zip 5.2 MB (5,202,029 bytes)
NOTES:
- I saw the same Emotet + Trickbot combo that My Online Security (@dvk01uk) tweeted about this earlier today (link).
- In my case, the follow-up Trickbot spread from my infected client (Alonzo-PC on 172.16.8.205) to its domain controller (Smokejacks-DC on 172.16.8.5).
- Looks like Trickbot updated its method of propagation from the client to the DC--the first time I've seen this method used by Trickbot.
- Before, I would clearly see the Trickbot binary sent over SMB from the infected client to the DC.
- Check here for an example of the way Trickbot moved to the DC previously.
- Today, the infected client used traffic over TCP port 445 to cause the DC to retrieve a Trickbot binary over HTTP to infect itself with.
- I'm not sure of the exact nature of this new Trickbot propagation, but you can see it in the pcap as shown in the images section below.
- I've included Trickbot's "Modules" directory from my infected Windows client in today's malware archive, in case anyone wants to dig deeper.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs and partial URLs:
- hxxp://omlinux.com/889YJN/PAYROLL/Personal
- hxxp://news.digirook.com/OH7l
- hxxp://75.80.225.46:8443/whoami.php
- hxxp://213.183.63.124/worming.png
- hxxp://213.183.63.124/table.png
- hxxp://213.183.63.124/radiance.png
- hxxp://213.183.63.124/toler.png
- hxxp://115.74.177.42:8082/del53/
- hxxp://115.74.177.42:8082/jim292/
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
INITIAL EMOTET INFECTION TRAFFIC:
- 212.83.180.64 port 80 - omlinux.com - GET /889YJN/PAYROLL/Personal
- 212.83.180.64 port 80 - omlinux.com - GET /889YJN/PAYROLL/Personal/
- 101.50.1.11 port 80 - news.digirook.com - GET /OH7l
- 101.50.1.11 port 80 - news.digirook.com - GET /OH7l/
- 203.94.66.109 port 8080 - attempted TCP connections but no response from the server
- 93.88.93.99 port 443 - 93.88.93.99:443 - GET /
- 68.187.50.160 port 80 - attempted TCP connections but no response from the server
- 75.80.225.46 port 8443 - 75.80.225.46:8443 - GET /whoami.php
- 75.80.225.46 port 8443 - 75.80.225.46:8443 - POST /
TRICKBOT INFECTION TRAFFIC CAUSED BY THE EMOTET INFECTION:
- port 443 - api.ipify.org - IP address check by the infected Windows client over HTTPS
- port 80 - myexternalip.com - GET /raw (IP address check by the infected DC)
- 41.193.39.66 port 443 - HTTPS/SSL/TLS traffic
- 92.103.210.13 port 443 - HTTPS/SSL/TLS traffic
- 92.223.105.54 port 447 - HTTPS/SSL/TLS traffic
- 95.213.252.77 port 443 - HTTPS/SSL/TLS traffic
- 158.58.131.54 port 443 - HTTPS/SSL/TLS traffic
- 185.174.173.59 port 447 - HTTPS/SSL/TLS traffic
- 213.183.63.124 port 443 - HTTPS/SSL/TLS traffic
- 213.183.63.124 port 80 - 213.183.63.124 - GET /worming.png
- 213.183.63.124 port 80 - 213.183.63.124 - GET /table.png
- 213.183.63.124 port 80 - 213.183.63.124 - GET /radiance.png
- 213.183.63.124 port 80 - 213.183.63.124 - GET /toler.png
- 115.74.177.42 port 8082 - 115.74.177.42:8082 - POST /del53/ALONZO-PC_W617601.[string of hex characters]/90
- 115.74.177.42 port 8082 - 115.74.177.42:8082 - POST /jim292/SMOKEJACKS-DC_W617601.[string of hex characters]/90
FILE HASHES
MALWARE FROM THE INFECTED WINDOWS HOSTS:
- SHA256 hash: 087f08fbe83404627bbf5e72a0a01ea8f8279120ffa726e5b54767cb2d234266
File size: 87,424 bytes
File description: Downloaded Word doc with macro for Emotet
- SHA256 hash: 69a0e2965831b04fc57d3026088131717e60651620d698aa03f427cb91bb3536
File size: 159,744 bytes
File description: Emotet malware binary
- SHA256 hash: c5bee1f88fdf6e5318e98e2fe1458403e44fdb67714ed45608ba1fc8cc3d1259
File size: 460,800 bytes
File description: Trickbot on infected client, gtag: del53
- SHA256 hash: d856b764fa5be66e9149eea203131200c9e5bd292e0afd9ba81998994d7322a6
File size: 539,136 bytes
File description: Trickbot on infected DC, gtag: jim292
IMAGES
Shown above: No Trickbot EXE in the SMB traffic from client to DC like I've documented before.
Shown above: No SMB traffic from the client to DC's C$ drive like I've documented before.
Shown above: Before the DC retrieves Trickbot from 213.183.63.124/worming.png, we see the URL in traffic over TCP port 445 from the infected client to the DC.
Shown above: That TCP port 445 caused the DC to retrieve the Trickbot binary from 213.183.63.124/worming.png and infect itself with it.
As I mentioned earlier, check here for an example of the way Trickbot moved to the DC previously.
FINAL NOTES
Once again, here are the associated files:
- 2018-08-17-Emotet-plus-Trickbot-infection-traffic.pcap.zip 12.7 MB (12,686,630 bytes)
- 2018-08-17-malware-and-artifacts-from-Emotet-plus-Trickbot-infection.zip 5.2 MB (5,202,029 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.