Thor Premium Image

It's finally possible to have total, next-gen security against ransomware, malware and other threats.

Discover Thor Premium Home
and take advantage of the one-time deal.

Buy now Only

200

licenses left!
CYBER SECURITY ENTHUSIAST

You may remember Trickbot, the financial Trojan that appeared in the past targeting many US banking companies, including big names like PayPal. The authors of Trickbot are persistent and continue to find new ways to harvest users’ valuable data. Recently, researchers discovered a spam email campaign in which the malicious actors have decided to spoof Dropbox.

Security researchers analyzed a new spam email campaign delivering the Trickbot malware. The email claims to come from the legitimate Dropbox website but actually comes from a look-alike domain.

The unwanted email is delivered with the following details (sanitized for your own protection):

From: Dropbox <no-reply @ dropboxsec [.] com>

Subject line:

A new document is available for download

Content:

<Hello,

Your company administrator has uploaded a secure document for you or your company.

Your ID: [email address]

Your unique download key: 6M4V74YEVMDHGR

This string of letters and numbers is a unique ID for the document you received.

To view or print the document please click here [link to dropboxsec[.]com]

The document associated with this unique ID opens. You can now sign, download and save, print, and perform “More” actions on the document, depending on the permissions the sender has given you.

Please contact your administrator for more information.

Thanks,

– The Dropbox Team>

How the infection happens

If the user is lured into clicking the malicious link, a specially crafted, harmful document is delivered from a URL that looks like this one:

https: [//] dropboxsec [.] net / 6M4V74YEVMDHGR. doc

If the unsuspecting recipient enables the macro code in the malicious Word document, Trickbot is retrieved from the following URLs (sanitized for your own safety):

http: // techknowlogix [.] net / farestod.png
http: // pcstore.com [.] ve / farestod.png
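The lure described above can be triaged automatically. The following Python script is an added example, not code from the Heimdal alert or from CSIS: it parses a raw email, extracts the sender domain and every link in the body, flags any domain that borrows the Dropbox brand name without being one of the brand's real domains, and flags links that point directly at an Office document. The list of legitimate domains and the sample message are constructed for this example (the sample reuses the alert's sanitized indicators, written out again so the parser sees real URLs).

```python
"""Added example, not code from the Heimdal alert or from CSIS: triage a
Dropbox-themed phishing email for brand impersonation and direct links to
Office documents. Legitimate-domain list and sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the legitimate sending domains for this brand. Extend it
# from what real Dropbox mail in your own logs actually uses.
BRAND = "dropbox"
LEGIT_DOMAINS = {"dropbox.com", "dropboxmail.com"}
OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")

# Group 1: the whole URL, group 2: its host part.
URL_RE = re.compile(r"(https?://([^/\s\"'<>]+)[^\s\"'<>]*)", re.IGNORECASE)


def registrable_domain(host):
    """Reduce a host name to its last two labels. Good enough for .com/.net;
    a public-suffix list would be needed for e.g. .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_brand_impersonation(host):
    """True when the domain contains the brand name but is not one of the
    brand's known domains, e.g. dropboxsec.com or dropbox-secure.net."""
    dom = registrable_domain(host)
    return BRAND in dom and dom not in LEGIT_DOMAINS


def triage_email(raw):
    """Parse one RFC 822 message and return the findings a triage analyst wants."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    payload = msg.get_payload(decode=True)          # bytes for single-part mail
    body = payload.decode("utf-8", "replace") if payload else ""
    links = URL_RE.findall(body)
    return {
        "sender_domain": registrable_domain(sender_host),
        "sender_spoofs_brand": is_brand_impersonation(sender_host),
        "lookalike_link_domains": sorted({registrable_domain(h) for _, h in links
                                          if is_brand_impersonation(h)}),
        "office_doc_links": [u for u, _ in links
                             if u.lower().split("?")[0].endswith(OFFICE_EXTS)],
    }


def verdict(findings):
    """'suspicious' if any brand impersonation or direct document link was found."""
    if (findings["sender_spoofs_brand"] or findings["lookalike_link_domains"]
            or findings["office_doc_links"]):
        return "suspicious"
    return "clean"


# Constructed sample: the lure from the alert with its sanitized
# indicators written out as real URLs.
SAMPLE_EMAIL = """\
From: Dropbox <no-reply@dropboxsec.com>
To: someone@example.org
Subject: A new document is available for download
Content-Type: text/plain; charset=utf-8

Hello,
Your company administrator has uploaded a secure document for you.
Your unique download key: 6M4V74YEVMDHGR
To view or print the document please click here https://dropboxsec.net/6M4V74YEVMDHGR.doc
- The Dropbox Team
"""

if __name__ == "__main__":
    result = triage_email(SAMPLE_EMAIL)
    print(verdict(result), result)
```

The brand check is deliberately broad: any registrable domain containing "dropbox" that is not on the allow list is treated as impersonation, which is what catches dropboxsec.com and dropboxsec.net here. In a mail gateway this would be one signal among several (SPF/DKIM results, sender reputation), not a stand-alone block rule.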

This Trickbot variant is linked to the main bot that has the group tag (gtag) “tt0002” and the version number 1000147. It comes with several modules, including configuration files in encrypted form.

With the help of a COM server, it creates a scheduled task that executes the Trickbot payload again after the machine restarts, from the path “AppData\Roaming\%client_id%”.
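The persistence described above (a scheduled task that launches a payload from AppData\Roaming) is something a defender can check for on a host. The Python below is an added example, not code from the alert or from CSIS: it takes scheduled-task records and flags any whose action executable lives under a user-writable location such as AppData\Roaming. The task records are constructed; on a live Windows host they would come from `schtasks /query /fo CSV /v` or `Get-ScheduledTask`, both of which expose the task name and the action's command line.

```python
"""Added example, not code from the alert or from CSIS: flag scheduled
tasks whose action runs from a user-writable folder such as AppData\\Roaming,
the location the alert names for Trickbot's restart persistence.
All task records below are constructed."""

# Locations an installed service rarely runs from but that a user-level
# dropper can write to without elevation (lower-case, backslash form).
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
)


def executable_of(command):
    """Return the executable path from a task action command line: the quoted
    token if the line starts with a quote, otherwise the first whitespace token."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def runs_from_user_writable(command):
    """True when the action's executable sits under one of USER_WRITABLE.
    %APPDATA% is expanded to a placeholder profile path so the same marker
    matches both the literal and the environment-variable form."""
    exe = executable_of(command).lower().replace("/", "\\")
    exe = exe.replace("%appdata%", "c:\\users\\_\\appdata\\roaming")
    return any(marker in exe for marker in USER_WRITABLE)


def flag_tasks(records):
    """Return the names of tasks whose action runs from a user-writable folder."""
    return [r["name"] for r in records if runs_from_user_writable(r["action"])]


# Constructed task records in the shape of schtasks /fo CSV /v output
# (task name plus the 'Task To Run' column).
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\Example\\Maintenance",
     "action": "%windir%\\system32\\maintenance.exe /run"},
    {"name": "\\Vendor Updater",
     "action": '"C:\\Program Files\\Vendor\\updater.exe" /silent'},
    {"name": "\\Document Sync",
     "action": '"C:\\Users\\alice\\AppData\\Roaming\\a1b2c3d4\\client.exe"'},
    {"name": "\\sync",
     "action": "%APPDATA%\\a1b2c3d4\\client.exe --start"},
]

if __name__ == "__main__":
    for name in flag_tasks(SAMPLE_TASKS):
        print("suspicious task:", name)
```

A hit is a lead, not a verdict: some legitimate per-user installers (chat clients, updaters) also run from AppData, so the flagged tasks should be checked for a signed binary and a known publisher before anything is removed.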

Trickbot calls the “GetNativeSystemInfo” API and reads the “wProcessorArchitecture” field it returns to determine whether it is running in a 32-bit or 64-bit environment / CPU.

Here is how the configuration file is displayed, showing the previously mentioned C&C servers. These servers are used by the malicious actors to maintain communication with compromised systems:

<mcconf>
  <ver>1000000</ver>
  <gtag>tt0002</gtag>
  <servs>
    [C&C:[port]]
  </servs>
  <autorun>
    <module name="systeminfo" ctl="GetSystemInfo"/>
  </autorun>
</mcconf>
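Once a configuration like the one above has been decrypted, the fields worth pivoting on (group tag, version, C&C endpoints, autorun modules) can be extracted and defanged for a report. The Python below is an added example, not code from the alert or from CSIS. The sample config is constructed: the IP:port values are documentation addresses, and the `<srv>` child elements under `<servs>` are an assumption, since the alert prints a sanitized placeholder there; the parser therefore also accepts endpoints written as bare text inside `<servs>`.

```python
"""Added example, not code from the alert or from CSIS: parse a Trickbot
'mcconf' configuration and pull out gtag, version, C&C endpoints and autorun
modules, then render the endpoints defanged. Sample config is constructed;
<srv> elements and the IP:port values are assumptions."""
import xml.etree.ElementTree as ET

SAMPLE_MCCONF = """<mcconf>
<ver>1000000</ver>
<gtag>tt0002</gtag>
<servs>
<srv>198.51.100.10:443</srv>
<srv>203.0.113.25:449</srv>
</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo"/>
</autorun>
</mcconf>"""


def _endpoint(text):
    """Split 'host:port' into a dict; port is None when absent or not numeric."""
    host, _, port = text.strip().rpartition(":")
    if not host:                      # no colon at all: the whole string is the host
        host, port = port, ""
    return {"host": host, "port": int(port) if port.isdigit() else None}


def parse_mcconf(xml_text):
    """Return the defender-relevant fields of an mcconf document."""
    root = ET.fromstring(xml_text)
    if root.tag.lower() != "mcconf":
        raise ValueError("not an mcconf document: root is <%s>" % root.tag)

    servers = [_endpoint(s.text or "") for s in root.iterfind("./servs/srv")]
    if not servers:
        # Fallback for dumps that list endpoints as bare text inside <servs>.
        servs = root.find("servs")
        servers = ([_endpoint(t) for t in (servs.text or "").split()]
                   if servs is not None else [])

    modules = [{"name": m.get("name"), "ctl": m.get("ctl")}
               for m in root.iterfind("./autorun/module")]
    ver = (root.findtext("ver") or "").strip()
    return {
        "version": int(ver) if ver.isdigit() else ver,
        "gtag": (root.findtext("gtag") or "").strip(),
        "servers": servers,
        "modules": modules,
    }


def defanged_endpoints(config):
    """Render C&C endpoints as 198[.]51[.]100[.]10:443 so they cannot be
    clicked when pasted into a report or ticket."""
    out = []
    for s in config["servers"]:
        host = s["host"].replace(".", "[.]")
        out.append(host if s["port"] is None else "%s:%d" % (host, s["port"]))
    return out


if __name__ == "__main__":
    cfg = parse_mcconf(SAMPLE_MCCONF)
    print("gtag=%s ver=%s" % (cfg["gtag"], cfg["version"]))
    for m in cfg["modules"]:
        print("autorun module:", m)
    for ep in defanged_endpoints(cfg):
        print("C&C:", ep)
```

The gtag is the most useful pivot for tracking: samples from one distribution campaign share it, so grouping decrypted configs by gtag and diffing their server lists shows when the operators rotate infrastructure.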

Heimdal Security proactively blocked these infected domains (and malicious emails), so all Heimdal PRO and Heimdal CORP users are protected.

According to VirusTotal, only 17 out of 56 antivirus products detected this spam email campaign at the time of writing this security alert.

VirusTotal analysis

How to stay safe from banking trojans

Trickbot is known for its banking trojan features and for the various ways cyber criminals use it to steal users’ personal information and harvest their sensitive data.

We recommend you:

  • Always keep your operating system, and all your apps and other software programs, updated, because unpatched flaws are the first thing malicious actors look to exploit;
  • Once again, we urge you: don’t open suspicious emails or click on suspicious files/attachments;
  • Keep a backup of all your important data on an external source, such as an external hard drive or cloud storage (Google Drive, Dropbox, etc.). This guide shows you how to do it;
  • Setting up good, strong passwords is one of the best pieces of cybersecurity advice from security experts, and this security guide comes in handy;
  • Run software programs with non-administrative user accounts and remember to disable macros in the Microsoft Office package;
  • Make sure you have a reliable antivirus program installed on your PC to protect your valuable data from online threats;
  • It is safer to add multiple layers of protection and use proactive cyber security software;
  • Prevention is the best cure, so learn as much as possible about how to easily spot spam emails. These free educational resources might help you gain more knowledge of the cybersecurity landscape.

*This article features cyber intelligence provided by CSIS Security Group researchers.
