Government of India
National Critical Information Infrastructure Protection Centre
Date: 09 Nov 2017
Malware Threat Exchange: TrickBot IOCs
TrickBot banking Trojan has been reported as spreading. The artifact doc000844483739197070806.vbs (MD5 232a38e21135404dd3f74103041f067f) is a malicious VBScript (.vbs) file. Once executed, the script constructs the following URIs:
1. "http[:]//pluzcoll[.]com/56evcxv?"
2. "http[:]//elateplaza[.]com/56evcxv?"
3. "http[:]//provisionbazaar[.]com/56evcxv?"
The script downloads an XOR-encoded payload from one of these URIs into "%AppData%\Local\Temp\Qtligcund.exeA", decodes it, writes the decoded PE32 binary to "%AppData%\Local\Temp\Qtligcund.exe" and executes it.
The artifact Qtligcund.exe (MD5 be2865a9dc4a5ad08f0795af79b2811d) is the payload decoded and installed at runtime. Once executed, Qtligcund.exe unpacks a further PE32 binary and executes it in memory. This binary has been identified as the loader of the banking Trojan known as TrickBot.
Generated ID format (sample; machine name, Windows version and build number, and a 32-character hexadecimal value): "WIN-49ATNUR66MT_W617601.CC21C985DB63FF0D990561BE0B4D1B05"
File hashes (MD5):
1. 232a38e21135404dd3f74103041f067f (doc000844483739197070806.vbs)
2. be2865a9dc4a5ad08f0795af79b2811d (Qtligcund.exe)
Intermediary servers:
1. provisionbazaar[.]com
2. elateplaza[.]com
3. pluzcoll[.]com
Recommendations:
1. Add the domains/IPs above to the watch list/block list and monitor for hits.
2. Restrict execution of PowerShell and WScript in the enterprise environment. Ensure the latest version of PowerShell (v5.0 at the time of this advisory) is installed, with enhanced logging, script block logging and transcription enabled.
3. Enforce application whitelisting using SRP, AppLocker or similar.
4. Check the Task Scheduler for suspicious or unidentified tasks and remove any that are found.
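Sweeping logs and files against the indicators listed above, as an added example that is not part of the NCIIPC advisory. The proxy-log format ("timestamp client_ip method url status") and the sample lines are constructed; the domains, URI path, hashes and client-ID shape are taken from the advisory. The sweep treats a host as a hit if it is an IOC domain or a subdomain of one, which catches "cdn.elateplaza.com" but not look-alikes such as "provisionbazaar.com.example.org".

```python
# Added example (not part of the NCIIPC advisory): sweep constructed proxy-log lines and
# file contents against the advisory's indicators, and flag TrickBot-style client IDs.
import hashlib
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators copied from the advisory (de-fanging brackets removed).
IOC_DOMAINS = {"pluzcoll.com", "elateplaza.com", "provisionbazaar.com"}
IOC_URI_PATH = "/56evcxv"
IOC_MD5 = {
    "232a38e21135404dd3f74103041f067f": "doc000844483739197070806.vbs",
    "be2865a9dc4a5ad08f0795af79b2811d": "Qtligcund.exe",
}

# Client ID shape from the advisory's sample: <hostname>_W<version+build>.<32 hex chars>
CLIENT_ID_RE = re.compile(r"^[A-Za-z0-9-]+_W\d+\.[0-9A-Fa-f]{32}$")

# Constructed sample log; assumed format: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2017-11-09T10:01:02Z 10.0.0.15 GET http://pluzcoll.com/56evcxv? 200
2017-11-09T10:01:03Z 10.0.0.15 GET http://www.example.com/index.html 200
2017-11-09T10:02:10Z 10.0.0.22 GET http://cdn.elateplaza.com/56evcxv? 404
2017-11-09T10:03:44Z 10.0.0.30 GET http://provisionbazaar.com.example.org/ 200
2017-11-09T10:04:01Z 10.0.0.41 GET http://elateplaza.com/ 200
"""


def host_matches(host: str) -> Optional[str]:
    """Return the matching IOC domain if host is that domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def sweep_proxy_log(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per log line whose host matches an IOC domain."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip lines that do not fit the assumed format
        ts, client_ip, method, url, status = parts[:5]
        parsed = urlsplit(url)
        domain = host_matches(parsed.hostname or "")
        if domain is None:
            continue
        hits.append({
            "timestamp": ts,
            "client_ip": client_ip,
            "method": method,
            "domain": domain,
            "host": parsed.hostname,
            "uri_path_match": parsed.path == IOC_URI_PATH,  # the "/56evcxv?" download path
            "status": status,
        })
    return hits


def hash_lookup(data: bytes) -> Optional[str]:
    """Return the artifact name if the MD5 of data is one of the advisory's hashes, else None."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())


def is_trickbot_client_id(value: str) -> bool:
    """True if value has the shape of the generated client ID shown in the advisory."""
    return CLIENT_ID_RE.fullmatch(value) is not None


if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(is_trickbot_client_id("WIN-49ATNUR66MT_W617601.CC21C985DB63FF0D990561BE0B4D1B05"))
```

Against the constructed log this reports three hits (two with the download path, one plain visit to elateplaza.com), and hash_lookup can be run over files recovered from %AppData%\Local\Temp to confirm the dropped artifacts by MD5. The client-ID pattern is useful for hunting in captured C2 request bodies or URIs.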
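Recovering the PE32 binary from the staged XOR-encoded blob (the Qtligcund.exeA stage described above), as an added example that is not part of the NCIIPC advisory. The advisory does not state the XOR key or its length, so a single-byte key is an assumption here, and the sample blob is constructed. With a single-byte key the first plaintext byte is known ('M' of "MZ"), so the key is derived directly from the first ciphertext byte and then validated by checking that the DOS header's e_lfanew field points at a "PE\0\0" signature.

```python
# Added example (not part of the NCIIPC advisory): recover a PE32 image from a blob that was
# XOR-encoded with a single-byte key (an assumption; the advisory does not give the key).
import struct
from typing import Optional, Tuple

DOS_HEADER_LEN = 0x40  # IMAGE_DOS_HEADER size; e_lfanew lives at offset 0x3C


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with key (XOR is its own inverse, so this both encodes and decodes)."""
    return bytes(b ^ key for b in data)


def recover_payload(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Derive the key from the known first plaintext byte and validate the result.

    With a single-byte key there is exactly one candidate: blob[0] ^ ord('M'). The decoded
    buffer is accepted only if its DOS header points at a real PE signature, which rules out
    accidental "MZ" matches. Returns (key, decoded_bytes), or None if no valid PE results.
    """
    if not blob:
        return None
    key = blob[0] ^ 0x4D  # 0x4D == ord('M')
    decoded = xor_single_byte(blob, key)
    if looks_like_pe(decoded):
        return key, decoded
    return None


def build_sample_blob(key: int = 0x5A) -> bytes:
    """Construct a minimal PE-shaped image and XOR-encode it; a stand-in for Qtligcund.exeA."""
    dos_header = bytearray(DOS_HEADER_LEN)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, DOS_HEADER_LEN)  # e_lfanew -> right after DOS header
    # "PE\0\0" signature, COFF Machine = 0x014C (i386), then padding for the rest of the header
    image = bytes(dos_header) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 58
    return xor_single_byte(image, key)


if __name__ == "__main__":
    result = recover_payload(build_sample_blob())
    if result is None:
        print("no single-byte key yields a valid PE")
    else:
        key, pe = result
        print(f"key=0x{key:02x}, decoded {len(pe)} bytes, PE header valid")
```

If the derived key does not produce a valid PE, the blob is not single-byte XOR of a PE starting at offset 0; the same known-plaintext idea extends to repeating multi-byte keys by using the longer "MZ" header and DOS stub text as the known prefix, but that is beyond what the advisory states.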
--
Block-III, Old JNU Campus, New Delhi - 110067
Ph: 011-26547392 Mob: 9205202012
Website: www.nciipc.gov.in
Toll Free: 1800-11-4430