Government of India

National Critical Information Infrastructure Protection Centre

Date: 09 Nov 2017

Malware Threat Exchange : TrickBot IOCs

The TrickBot banking Trojan has been reported as spreading. The artifact doc000844483739197070806.vbs (232a38e2113) is a malicious VBA script file. Once executed, the script constructs the following URIs:

URLs:

1.      "http[:]//pluzcoll[.]com/56evcxv?"

2.      "http[:]//elateplaza[.]com/56evcxv?"

3.      "http[:]//provisionbazaar[.]com/56evcxv?"

The script then downloads an XOR-encoded payload from one of the URIs into "%AppData%\Local\Temp\Qtligcund.exeA". It decodes the payload, which contains a PE32 binary, writes it to "%AppData%\Local\Temp\Qtligcund.exe" and executes it. The artifact Qtligcund.exe is this payload as decoded and installed at runtime. Once executed, Qtligcund.exe unpacks a further PE32 binary and runs it in memory. That binary has been identified as the loader of the banking Trojan known as TrickBot. Once TrickBot is loaded and executed, it creates a mutex named "Global\VLock" and adds itself as a task in Windows Task Scheduler. The scheduled task ensures that the application "%AppData%\Roaming\winapp\Pskhfbtmc.exe" keeps running on the victim system. The configuration file associated with TrickBot contains the bot configuration version number, group tag name, C2 server IPs, and module names.

The bot installs "%AppData%\Roaming\winapp\client_id", which contains a unique ID for the victim system. The generated ID consists of the victim system name, the operating system version, and a randomly generated string:

Generated ID format:

Format: "[ComputerName]_[OS version].[a randomly generated string]"

Sample: "WIN-49ATNUR66MT_W617601.CC21C985DB63FF0D990561BE0B4D1B05"

The bot communicates with its C2 servers (the IPs listed below) over TCP port 443 and sends a list of commands to the server. The bot command identified as "sent" carries the group tag, the unique ID for the victim system, and victim system information to the C2 servers defined in the configuration file.

C2 Server List:
185.80.2.195
210.1.58.190
46.160.165.16
46.160.165.31
197.248.210.150
195.133.201.149
94.140.121.250
83.234.136.55
93.99.68.140
118.91.178.145
168.194.82.174
190.34.158.250
191.7.30.30
163.53.206.187
186.103.161.204
118.91.178.114
190.228.169.106
194.87.95.60
94.42.91.27

IOC:

1.      232a38e21135404dd3f74103041f067f (doc000844483739197070806.vbs).

2.      be2865a9dc4a5ad08f0795af79b2811d (Qtligcund.exe).

Intermediary servers:

1.      provisionbazaar[.]com

2.      elateplaza[.]com

3.      pluzcoll[.]com
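The indicators above are only useful once they are checked against traffic and file telemetry. The script below is an added illustration and is not part of this advisory: it collects the intermediary domains, download URI path, C2 IPs and MD5 hashes from the text into one indicator set, runs them over a few constructed log lines (proxy, firewall and file-hash events in a simple made-up format), and validates a client_id string against the published "[ComputerName]_[OS version].[random string]" format. The log format, the assumption that the OS-version field always looks like "W" followed by digits, and the assumption that the random part is 32 upper-case hex characters (as in the sample) are the author's, not the advisory's.

```python
"""Match the TrickBot indicators from this advisory against sample log lines.

Added illustration, not part of the NCIIPC advisory.  The log lines below are
constructed for the example.  Indicator values (domains, URI path, C2 IPs,
hashes, client_id layout) are taken from the advisory text.
"""
import re
from typing import Dict, List, Optional

# Defanged brackets removed so the values compare against real log fields.
INTERMEDIARY_DOMAINS = {"pluzcoll.com", "elateplaza.com", "provisionbazaar.com"}
DOWNLOAD_URI_PATH = "/56evcxv"
C2_IPS = {
    "185.80.2.195", "210.1.58.190", "46.160.165.16", "46.160.165.31",
    "197.248.210.150", "195.133.201.149", "94.140.121.250", "83.234.136.55",
    "93.99.68.140", "118.91.178.145", "168.194.82.174", "190.34.158.250",
    "191.7.30.30", "163.53.206.187", "186.103.161.204", "118.91.178.114",
    "190.228.169.106", "194.87.95.60", "94.42.91.27",
}
MD5_HASHES = {
    "232a38e21135404dd3f74103041f067f": "doc000844483739197070806.vbs",
    "be2865a9dc4a5ad08f0795af79b2811d": "Qtligcund.exe",
}

# client_id layout from the advisory: [ComputerName]_[OS version].[random].
# Assumption (ours, from the single sample): the OS field is "W" plus digits
# and the random part is 32 upper-case hex characters.
CLIENT_ID_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9-]+)_(?P<os>W\d+)\.(?P<rand>[0-9A-F]{32})$"
)

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")

# Constructed sample telemetry: "<source> <time> <src host> <details>".
SAMPLE_LOGS = [
    "proxy 2017-11-09T10:01:02Z 10.0.0.15 GET http://pluzcoll.com/56evcxv? 200",
    "proxy 2017-11-09T10:01:30Z 10.0.0.16 GET http://example.org/index.html 200",
    "fw 2017-11-09T10:02:00Z 10.0.0.15 -> 185.80.2.195:443 ALLOW",
    "fw 2017-11-09T10:02:05Z 10.0.0.15 -> 8.8.8.8:53 ALLOW",
    "file 2017-11-09T10:01:10Z 10.0.0.15 C:\\Users\\u\\AppData\\Local\\Temp\\"
    "Qtligcund.exe md5=be2865a9dc4a5ad08f0795af79b2811d",
]


def match_line(line: str) -> List[str]:
    """Return the indicators a single log line matches (empty if clean)."""
    hits: List[str] = []
    lowered = line.lower()
    for domain in sorted(INTERMEDIARY_DOMAINS):
        if domain in lowered:
            hits.append("domain:" + domain)
    if DOWNLOAD_URI_PATH in line:
        hits.append("uri:" + DOWNLOAD_URI_PATH)
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            hits.append("c2:" + ip)
    for digest in MD5_RE.findall(lowered):
        if digest in MD5_HASHES:
            hits.append("md5:" + MD5_HASHES[digest])
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each matching log line to its hits; clean lines are omitted."""
    return {line: hits for line in lines if (hits := match_line(line))}


def parse_client_id(value: str) -> Optional[Dict[str, str]]:
    """Split a client_id string into its fields, or None if it does not fit."""
    m = CLIENT_ID_RE.match(value)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS).items():
        print(hits, "<-", line)
    print(parse_client_id("WIN-49ATNUR66MT_W617601.CC21C985DB63FF0D990561BE0B4D1B05"))
```

Replace SAMPLE_LOGS with lines read from your own proxy, firewall or EDR export; the matching only relies on the indicator strings appearing somewhere in the line, so it tolerates different log layouts.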

Recommendations:

1.      Monitor the domains/IPs listed above and add them to the watch list/block list.

2.      Restrict execution of PowerShell/WScript in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging, script block logging, and transcription enabled.

3.      Application whitelisting using SRP/AppLocker etc.

4.      Check Task Scheduler for suspected/unidentified tasks and remove them if found.
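Recommendation 4 can be scripted. The following is an added illustration, not part of this advisory: it parses the CSV produced by the Windows command `schtasks /query /v /fo CSV` and flags any task whose action runs from the paths the advisory names, %AppData%\Roaming\winapp\ (persistence) or an .exe under %AppData%\Local\Temp\ (payload staging), or that references Pskhfbtmc.exe by name. The CSV embedded below is constructed and keeps only a handful of the columns the real command prints; the task names other than the advisory's binary are made up for the example.

```python
"""Flag scheduled tasks whose action runs from the user-profile paths this
advisory associates with TrickBot persistence.

Added illustration, not part of the NCIIPC advisory.  Save the output of
`schtasks /query /v /fo CSV` to a file and pass its text to
find_suspicious_tasks().  The CSV below is constructed for the example and
keeps only a few of the columns the real command prints.
"""
import csv
import io
import re
from typing import List

# Paths named in the advisory, as case-insensitive patterns.  Real task
# definitions may hold either the expanded or the %AppData% form, so the
# patterns anchor on the "AppData\..." tail that both forms share.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"appdata\\roaming\\winapp\\", re.IGNORECASE),
    re.compile(r"appdata\\local\\temp\\[^\\]+\.exe", re.IGNORECASE),
]
KNOWN_BINARY = "Pskhfbtmc.exe"  # persistence binary named in the advisory

# Constructed sample in the shape of `schtasks /query /v /fo CSV` output.
# Only the task pointing into AppData\Roaming\winapp is the suspicious one.
CONSTRUCTED_SCHTASKS_CSV = (
    '"HostName","TaskName","Status","Author","Task To Run","Run As User"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready",'
    '"Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"\n'
    '"WS01","\\Bot","Ready","WS01\\user",'
    '"C:\\Users\\user\\AppData\\Roaming\\winapp\\Pskhfbtmc.exe","WS01\\user"\n'
    '"WS01","\\Adobe Acrobat Update Task","Ready","Adobe",'
    '"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe","Users"\n'
)


def find_suspicious_tasks(schtasks_csv: str) -> List[dict]:
    """Return the rows whose 'Task To Run' hits a suspicious pattern or binary.

    Each result carries the task name, the action string and the reasons it
    was flagged, so an analyst can review before removing anything.
    """
    reader = csv.DictReader(io.StringIO(schtasks_csv))
    flagged: List[dict] = []
    for row in reader:
        # schtasks repeats the header row before each task folder; skip those.
        if row.get("TaskName") == "TaskName":
            continue
        action = row.get("Task To Run") or ""
        reasons = [p.pattern for p in SUSPICIOUS_PATH_PATTERNS if p.search(action)]
        if KNOWN_BINARY.lower() in action.lower():
            reasons.append("known-binary:" + KNOWN_BINARY)
        if reasons:
            flagged.append(
                {"TaskName": row.get("TaskName", ""), "Task To Run": action, "reasons": reasons}
            )
    return flagged


if __name__ == "__main__":
    for task in find_suspicious_tasks(CONSTRUCTED_SCHTASKS_CSV):
        print(task["TaskName"], "->", task["Task To Run"], task["reasons"])
```

The advisory does not name the scheduled task itself, only the binary it launches, so matching on the action path rather than the task name is what catches a renamed task. Review each flagged entry and its "Run As User" before deleting, since legitimate per-user updaters also live under the profile directory.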

References:
https://www.reverse.it/sample/32fc7f0bdd243ad4a66fc0fec40055a915725a4ddb62cb0b1b0e55aebb20d450?environmentId=100

-- 
Thanks and Regards,
Knowledge Management System,
National Critical Information Infrastructure Protection Centre,

Block-III, Old JNU Campus, New Delhi - 110067

Ph: 011-26547392

Mob - 9205202012

Website: www.nciipc.gov.in

Toll Free: 1800-11-4430