NECURS Malspam Delivers TRICKBOT in July-2017

KevinStear1 (Employee)
2017-07-18 06:31 PM

In the early weeks of July 2017, the Necurs botnet supported a large malspam campaign delivering TRICKBOT via macro-enabled MS Word documents. While multiple documents were noted in VirusTotal submissions, Lloyds Bank was specifically referenced within one decoy document entitled "Protected.doc".

 

 Screen Shot 2017-07-18 at 2.05.57 PM.png

 

These documents all contain macros with malicious VB Scripting that maxes out scoring in RSA's pre-release WhatsThisFile.net, as shown below.  Note the three findings of interest: "Document Contains VBA Code", "VBA Code Contains Auto-Launch Scripts", and "VBA Code Contains Reference to Launching EXEs".  These are all bad things...

 

trickbot-wtf.png

 

Upon opening, the attachment downloads a PNG file that is actually an executable; this is the TRICKBOT payload.  In several instances, we observed multiple download domains involved with this delivery.  In the case below, the first download domain (rbsbuilding[.]co[.]uk) fails with a 404 and a second download domain, ccbenelux[.]nl, successfully delivers our payload, baglosnot32tritony.png.

 

Screen Shot 2017-07-18 at 1.13.01 PM.png

Screen Shot 2017-07-18 at 1.17.28 PM.png

Screen Shot 2017-07-18 at 1.17.49 PM.pngScreen Shot 2017-07-18 at 1.56.34 PM.png

 

Post infection, we did not observe TRICKBOT Command and Control (C2) in our own sandbox detonations (probably due to a delay before the start of the periodic 3-minute beaconing). However, we did note probable C2 check-in behavior in related VirusTotal PCAPs, specifically TCP SYNs out to a number of known related IP addresses.

 

Screen Shot 2017-07-18 at 3.25.14 PM.png

Screen Shot 2017-07-18 at 3.19.20 PM.png

 

This beaconing was also easily observed in NetWitness Endpoint (aka ECAT), where a telling screenshot shows "butrz.exe" creating a suspect "svchost" process every 3 minutes.
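One way to surface that cadence from endpoint telemetry, as an added example (not NetWitness Endpoint's own logic): group process-creation events by parent/child pair and flag pairs whose spawn interval is nearly constant. The event lines are constructed to mimic the behaviour described above, not real ECAT output.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed process-creation events in a "date time parent child" layout (not real ECAT output).
# butrz.exe spawns svchost.exe roughly every 3 minutes; explorer.exe launches notepad.exe at random.
EVENTS = """\
2017-07-18 17:00:00 butrz.exe svchost.exe
2017-07-18 17:03:01 butrz.exe svchost.exe
2017-07-18 17:05:59 butrz.exe svchost.exe
2017-07-18 17:09:00 butrz.exe svchost.exe
2017-07-18 17:12:02 butrz.exe svchost.exe
2017-07-18 17:00:10 explorer.exe notepad.exe
2017-07-18 17:47:33 explorer.exe notepad.exe
2017-07-18 18:02:05 explorer.exe notepad.exe
2017-07-18 18:03:40 explorer.exe notepad.exe
"""

def parse_events(text: str) -> dict:
    """Group event timestamps by (parent, child) process-name pair."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, parent, child = line.split()
        groups[(parent, child)].append(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"))
    return groups

def find_beacons(text: str, min_events: int = 4, max_jitter: float = 0.1) -> dict:
    """Return {(parent, child): period_seconds} for pairs spawned at a near-constant interval.

    max_jitter bounds the standard deviation of the gaps relative to the median gap;
    a timer-driven beacon lands well under it, interactive activity does not.
    """
    hits = {}
    for pair, times in parse_events(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits[pair] = period
    return hits

if __name__ == "__main__":
    for (parent, child), period in find_beacons(EVENTS).items():
        print(f"{parent} -> {child} every {period:.0f}s")
```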

 

pasted_image_at_2017_07_18_05_13_pm.png

 

ECAT also flags a number of IOCs that warrant concern.

 

Pasted image at 2017_07_18 05_14 PM.png

 

With regard to the packet detection of TRICKBOT, NetWitness metadata clearly identifies behavior indicative of malicious activity. Specifically, our macro-enabled MS Word document produces session.analysis meta of "first carve not dns", service.analysis meta of "http no user-agent" and "http no referrer", and file.analysis meta of "exe filetype but not exe extension". These are all strong indicators that something malicious is going down.
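The three per-session meta keys above can be reproduced with a small checker; this is an added example, not NetWitness's parser. It takes a session's request headers, URL and response body and emits the same labels ("first carve not dns" needs cross-session state and is not modelled). The header set and the PE bytes are constructed; the URL reuses the download domain and filename from this post.

```python
import posixpath
import struct
from urllib.parse import urlsplit

PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".cpl"}

def is_pe(data: bytes) -> bool:
    """True if data carries a DOS 'MZ' header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def analyze_http_session(headers: dict, url: str, body: bytes) -> set:
    """Return the analysis meta (names taken from the post) an HTTP session would generate."""
    meta = set()
    names = {k.lower() for k in headers}
    if "user-agent" not in names:
        meta.add("http no user-agent")
    if "referer" not in names:          # the HTTP header itself is spelled 'Referer'
        meta.add("http no referrer")
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if is_pe(body) and ext not in PE_EXTENSIONS:
        meta.add("exe filetype but not exe extension")
    return meta

def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE payload: just the MZ/PE headers, no code."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE header right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

# Constructed request: a macro downloader fetching the "PNG" named in the post with bare headers
MACRO_HEADERS = {"Host": "ccbenelux.nl", "Connection": "Keep-Alive"}
PAYLOAD_URL = "http://ccbenelux.nl/baglosnot32tritony.png"

if __name__ == "__main__":
    for key in sorted(analyze_http_session(MACRO_HEADERS, PAYLOAD_URL, build_fake_pe())):
        print(key)
```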

 

Screen Shot 2017-07-18 at 1.13.23 PM.png

 

As referenced in the opening, this activity appears to be part of a larger ongoing TRICKBOT campaign; below is some related activity we have observed thus far in the month of July.

 

Screen Shot 2017-07-18 at 3.35.36 PM.png

 

All related IOCs have been pushed to the FirstWatch_C2_Domains and FirstWatch_C2_IPs feeds and are available to customers via RSA Live. Thanks to Ahmed Sonbol, Christopher Ahearn and Prakhar Pandey for their assistance with this analysis.

 

FirstWatch_banner.png

 

Thanks for the banner picture to Vitali Kremez (@VK_Intel on Twitter).
