April 25, 2024
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – NetWire RAT Installed via Malspam Campaign
April 6, 2020Rewterz Threat Alert – Phishing Campaign Uses COVID-19 to Spread LokiBot
April 6, 2020Rewterz Threat Alert – NetWire RAT Installed via Malspam Campaign
April 6, 2020Rewterz Threat Alert – Phishing Campaign Uses COVID-19 to Spread LokiBot
April 6, 2020
Severity
High
Analysis Summary
TrickBot is a banking Trojan which targets sensitive information and acts as a dropper for other malware. Trickbot is usually spread via malicious malspam campaigns. These campaigns send unsolicited emails that direct users to download malware from malicious websites or trick the user into opening malware through an attachment. TrickBot is also dropped as a secondary payload by other malware. The malspam campaigns that use Trickbot use branding familiar to the recipient, such as invoices from accounting and financial firms. The emails typically include an attachment, such as a Microsoft Word or Excel document. The opened attachment will prompt the user to enable macros, which executes a VBScript to run a PowerShell script to download the malware.
Impact
- Credential theft
- Exposure of sensitive data
- Financial loss
Indicators of Compromise
MD5
- 44e2946d58a37fc9ed0650f60d0979f9
- 44e2946d58a37fc9ed0650f60d0979f9
- 71c1521799c96c9946afd9214e449c94
- 85fb47d7fd559eaf98ca59ed11010135
- 22e5eef02bece623d8ba31cb37b2190c
- 8844f6a4d3a3a1b19c06dfe2263a84d4
- c47be0b93b3cad4a244a0d5179eab6fb
- d23ba17ea3ba79fffec713ce4dbccc62
- 1aeb9d313f38f7f9d413b1c4cb5f157a
- 37543830d2a7f971c11fed7c8a61dd9e
- 3bfb3d75e5b698c712169ed2b9643225
SHA-256
- 556770bfe263377a4f606f32e9980f877e1add114b45151168ecfb29a43d3caf
- 77d8e1a86de34ece7e022651592aeedc3d32d0b022c1fe5d34a403e13afa8d5e
- 1e06147d3b53b78178d0fa85848a9e328ccc05b86858d988f95d65e335bf5c37
- a22e263d2147de6d8c0ce04ea05de456372c158d292eca57858880e6c56f9ca7
- 7f3a683b0915145bab2cb7f2dd9917b42be5d65a5800536a232484050715fb4b
- dfea3d7607e72d4dff86be0ba30ec0620dc54d5d2a50799bbefe1e495e9accdd
- 278b9d608f2955958f7a720cbfca2c82b88d4f4c2926e177c8dfda5396da55e3
- aa49e93bfe0e50f99af50ab760d6a237ee0d987e2ea7368db9e86b2c14a3ca02
- ac2be189a0ebdf33e9ec1e39d716070e73f444e7e871a38f88b2fc3c5e6f76a7
- 0b9503a8d8d9513d1e93a7020a09fae85976721e3bc42b84ba1986a3c812d9b4
SHA-1
- f7e952192b6f76a083ce354cac3d3f9c77346087
- 3ef000cb90ab638ab0bae542c2d6e8e6ec146c53
- fd4c3179bab6b9750c74de27af101ea3951c82a5
- 0e29a1f93b003c31af46ab1ab7c8d3df150123e0
- 888a8fdc539c0f4cf379ad7136159aa37a4411e6
- 38b0be25553c3f177cbf709dd144787ae98e1680
- 257cac6de94e54a7aecca28a08cac6fd3fded9b7
- f56a5c00673b56ed2fff1a95ddab34a738405717
- 497c7b348760a174de2d003ac37e23797219e4f1
- 9a6e23b7aad977f0aa1f200968fe1c2a2d0d244f
Remediation
- Block all threat indicators at your respective controls.
- Do not download email attachments from untrusted email senders.