Severity
High
Analysis Summary
Trickbot is an information stealer/banking malware that uses modules to perform different functions. On Windows 10, these modules are loaded into memory, so we only see the initial Trickbot binary and a text-based configuration file stored on the infected Windows 10 host. Access to Trickbot-infected hosts is granted to other criminal groups to distribute further malware such as Ryuk ransomware. This sort of follow-up malware has previously been noted in conjunction with PowerShell Empire traffic and/or Cobalt Strike activity on a Trickbot-infected host.
Flow chart for this specific gtag red5 Trickbot infection chain
Impact
- Credential Theft
- Unauthorized Remote Access
- Information theft
- System takeover
Indicators of Compromise
Domain Name
- api[.]ipify[.]org
MD5
SHA-256
Source IP
URL
- http[:]//51[.]89[.]115[.]101/images/cursor[.]png
- http[:]//51[.]89[.]115[.]101/images/imgpaper[.]png
- http[:]//203[.]176[.]135[.]102[:]8082
Remediation
- Block the threat indicators at their respective controls.
- Do not download untrusted files from emails or the internet.
- Do not enable macros for untrusted files.
- Closely monitor ports 443, 447, 449, 8082 and 80, and keep them closed where not needed.
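A small matcher for the indicators and port-watch rule above, added here as an example and not part of the Rewterz advisory: it refangs the listed URLs and domain into a host/port set and runs it over constructed proxy-log lines in an assumed "<timestamp> <src> -> <dst>:<port>" format, flagging both direct indicator hits and connections to the unusual ports (447, 449, 8082) the remediation asks you to watch.

```python
import re
from urllib.parse import urlsplit
# Indicators copied from the advisory above, kept in their defanged form.
ADVISORY_URLS = [
    "http[:]//51[.]89[.]115[.]101/images/cursor[.]png",
    "http[:]//51[.]89[.]115[.]101/images/imgpaper[.]png",
    "http[:]//203[.]176[.]135[.]102[:]8082",
]
ADVISORY_DOMAINS = ["api[.]ipify[.]org"]
# Ports the advisory says to watch; 80 and 443 are too common to alert on alone,
# so only the unusual ones produce a finding without an indicator match.
WATCH_PORTS = {447, 449, 8082}
def refang(ioc):
    """Turn a defanged indicator back into a string that can be matched."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def indicator_hosts(urls=ADVISORY_URLS, domains=ADVISORY_DOMAINS):
    """Build the set of (host, port) pairs to match; port None means any port."""
    hosts = set()
    for u in urls:
        parts = urlsplit(refang(u))
        hosts.add((parts.hostname, parts.port or 80))
    for d in domains:
        hosts.add((refang(d), None))
    return hosts
# Constructed log format (an assumption): "<timestamp> <src_ip> -> <dst_host>:<dst_port>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")
def scan_log(lines, hosts=None, watch_ports=WATCH_PORTS):
    """Return (timestamp, src, reason, dst:port) for each suspicious line."""
    hosts = indicator_hosts() if hosts is None else hosts
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port = m.groups()
        port = int(port)
        if (dst, port) in hosts or (dst, None) in hosts:
            findings.append((ts, src, "advisory indicator", f"{dst}:{port}"))
        elif port in watch_ports:
            findings.append((ts, src, "watched port", f"{dst}:{port}"))
    return findings
# Constructed sample traffic; only the first three lines should be flagged.
SAMPLE_LOG = [
    "2020-03-20T10:00:01 10.0.0.5 -> 51.89.115.101:80",
    "2020-03-20T10:00:02 10.0.0.5 -> api.ipify.org:443",
    "2020-03-20T10:00:03 10.0.0.7 -> 198.51.100.9:447",
    "2020-03-20T10:00:04 10.0.0.5 -> 93.184.216.34:443",
]
```

Matching on host and port rather than the full URL path keeps the detection useful when the same host serves a renamed payload; feed it your real proxy or firewall export after adjusting `LOG_RE` to that format.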