Emotet’s away but Trickbot still wants to play

Emotet went on break again this year over the Winter holidays, with the last new malspam having been seen back on 12.20.19.

**Post update: yes, I know Emotet came back alive this morning, 01.13.20, but I wrote this first, and it was interesting to look into during the Emotet break.**

But this past week I ran into some samples that were out of the ordinary for what we normally see (i.e. lots of Emotet), so I decided to give them the full treatment.

First thing of note was that they indeed had the hallmarks of a malicious document: the emails claimed to be money transfers, and they carried Word documents laced with macros. But unlike the traditional macro we come across, which is some variant of getting Word to use WMI or cmd.exe to execute PowerShell, here something else was going on.

Above: macro contents from the document.

Looking at the strings in the document there are continued signs of maliciousness, but they are obfuscated enough that the intentions are still unclear.

So we move on to detonation. We see the author letting us know that this is an “encrypted” document and it is ***totally*** safe to open… 🤨

Once you enable content on the document you are greeted by an obtuse grey popup box.

So what's really going on here? Let's take a look at the logs.

Upon enabling content, Word spawns wscript and begins to execute a .jse file in the user's AppData\Roaming dir. What is in that .jse file, you might wonder? It happens to be the same content we saw in the strings output of the Word document; in other words, the document brings its own payload.

Next, after a quick check-in with the C2, instructions are provided to deploy the next stage: Trickbot.

Trickbot appears to get compiled locally on the system, as the file 402665839x.com is exactly the same as the later รดรâ.exe, which is the persistent installation of Trickbot.

Finally, at the endpoint level we see reconnaissance occur, looking for local system and Active Directory information.

What can we tell, though, from a network perspective? On our network we have a Suricata sensor running the ET Open ruleset, and we saw quite a few signature hits.

From the HTTP traffic we can extract the Trickbot gtag identifier, in this case “sat2”.

To learn more about the breakdown of Trickbot URLs, check out this presentation from Botconf 2018 by Joie Salvio of Fortinet.
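As an added example (not code from the post), here is a small Python extractor that pulls the gtag out of Trickbot-style request paths in a proxy or Suricata HTTP log. It assumes the publicly documented `/<gtag>/<bot id>/<command>/` layout, with the bot id shaped like `<hostname>_<os build>.<32 hex chars>`; that pattern and the sample request lines below are constructed for illustration and are not real C2 traffic.

```python
import re

# Assumed bot-id shape: <hostname>_W<build>.<32 hex chars> (public analyses, not from the post).
BOT_ID = re.compile(r"^(?P<host>[A-Za-z0-9-]{1,15})_W(?P<build>\d+)\.(?P<id>[0-9A-Fa-f]{32})$")

# Constructed sample requests in a "METHOD host path" shape; the IP is TEST-NET-3 and
# the hex client id is made up. Only the gtag value "sat2" comes from the post.
SAMPLE_REQUESTS = [
    "GET 203.0.113.10:443 /sat2/WORKSTATION1_W617601.0123456789ABCDEF0123456789ABCDEF/5/file/",
    "POST 203.0.113.10:443 /sat2/WORKSTATION1_W617601.0123456789ABCDEF0123456789ABCDEF/81/",
    "GET www.example.org:80 /index.html",
]


def parse_bot_id(segment):
    """Return (hostname, os build, client id) if the segment looks like a Trickbot bot id."""
    m = BOT_ID.match(segment)
    if not m:
        return None
    return m.group("host"), m.group("build"), m.group("id").upper()


def extract_gtag(path):
    """Return the gtag (first path segment) when the second segment is a bot id, else None."""
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parse_bot_id(parts[1]):
        return parts[0]
    return None


def gtags_from_log(lines):
    """Count gtags seen across log lines; malformed lines are skipped rather than raising."""
    counts = {}
    for line in lines:
        try:
            _method, _host, path = line.split(maxsplit=2)
        except ValueError:
            continue
        tag = extract_gtag(path)
        if tag:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, n in gtags_from_log(SAMPLE_REQUESTS).items():
        print(f"gtag={tag} requests={n}")
```

Counting gtags per source host over a day of proxy logs is a cheap way to spot a campaign id the ET signatures may not yet name; the bot id also leaks the victim hostname and OS build, which is useful for scoping which endpoints to pull for forensics.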

And from the POST activity we can see the data that Trickbot collects from the infected endpoint and returns to the bot masters.

Conclusion time: make sure your EDR/monitoring solution can catch Word spawning suspicious processes, and alert or contain on that activity. I'm using Wazuh in my lab environment and custom signatures that I write. Deploy the Feodo C2 list, potentially by using Proofpoint's ET Open rules with Suricata. Have questions? Find me on Twitter @laskow26.
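To show the endpoint-side detection this post recommends (Word spawning a script host, and the .jse landing under AppData\Roaming described earlier), here is an added Python example, not the author's Wazuh rules. It scores Sysmon Event ID 1 style process-creation records; the field names follow Sysmon's, but the records themselves are constructed and do not come from the post's logs.

```python
import re
from pathlib import PureWindowsPath

# Office parents and the script hosts / LOLBins the post mentions (wscript, cmd, PowerShell).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}

# A script file referenced under the user's AppData\Roaming directory.
ROAMING_SCRIPT = re.compile(r"\\AppData\\Roaming\\[^\s\"]*\.(jse|js|vbs|vbe|wsf|hta)\b", re.IGNORECASE)

# Constructed sample of Sysmon Event ID 1 (process create) records; paths and user are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\transfer.doc"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Roaming\transfer.jse"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir"},
]


def basename(path):
    """Lower-cased file name of a Windows path, so case differences in telemetry do not matter."""
    return PureWindowsPath(path).name.lower()


def evaluate(event):
    """Return an alert dict for an Office-to-script-host spawn, or None for benign records."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    reasons = [f"{parent} spawned {child}"]
    severity = "medium"
    if ROAMING_SCRIPT.search(event["CommandLine"]):
        # Matches the post's chain: script dropped into AppData\Roaming and run by wscript.
        reasons.append("script executed from AppData\\Roaming")
        severity = "high"
    return {"severity": severity, "reasons": reasons, "command": event["CommandLine"]}


def scan(events):
    """Evaluate every record and keep only those that produced an alert."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], "|", "; ".join(alert["reasons"]))
```

Splitting the rule into a parent/child check and a separate AppData\Roaming escalation keeps the base signature broad (any Office app launching a script host is worth a look) while letting the high-severity path drive automatic containment.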

Full MISP event: https://github.com/Hestat/intel-sharing/tree/master/trickbot-01-13-20