Discover and read the best of Twitter Threads about #Trickbot

Most recents (16)

The #ContiLeaks contained some messages consisting of IP:Username:pass combinations for #Conti infrastructure.
This allows us to connect certain #Trickbot activcity with the #Conti group:

1/x Image
The IP's in the image are the following:
117.252.69[.]134
117.252.68[.]15
116.206.153[.]212
103.78.13[.]150
103.47.170[.]131
103.47.170[.]130
118.91.190[.]42
117.197.41[.]36
117.222.63[.]77
117.252.69[.]210

2/x
Using @MaltegoHQ together with OTX/Alienvault and
@virustotal integration, we are able to connect several of these IP's to #Trickbot activity:

3/x Image
Read 8 tweets
Interesting #maldoc
#TrickBot is distributed using a maldoc that uses #Emotet Template:

Process:
- It drops a small dll (1.xml) and executes its by creating an Outlook instance that calls rundll to execute 1.xml
- Drops a PS file and executes it
- Downloads and executes TrickBot ImageImageImage
Maldoc:
b2859b4165a3047632174c1cd26b6756

1.xml:
8de70541621842ae7e3e6e21b41ee155

TrickBot download urls:
http://91.92.109.142/wolf.png
http://192.99.255.33/images/wolf.png
http://83.138.53.103/images/wolf.png
http://172.96.189.216/images/wolf.png
TrickBot:
ad5ad0ce03a4de9de5829cdf2ec78d59
b4dcf8f35e2ba2fa4af1ec6c95d4c179
efaf7ddf9bc9398f18c76bf16e23755e
ff1f685e2a3381d277e71580e1166b06
a051cc64e345d440606d3c28463b8f95
Read 3 tweets
ICYMI, @PwC_UK’s 2020 #threatintel Year in Retrospect report is out now! All team contributed but h/t to @KystleM_Reid! :fire: You can check it out here: pwc.to/2ZPx7fo In this thread, I will summarise some of what I thought were key findings: 🧵👇 1/n
#Ransomware has become the most significant cyber security threat faced by organisations, irrespective of industry/location. TTPs have pivoted to mass data exfiltration prior to encryption, along with leaks & extortion. S/o to @andyp346 for all your work countering this.🙏 2/n
In 2020, 86% of the incidents that PwC’s Incident Response team responded to were attributable to cyber criminals. 79% of leaks happened in 2nd half of 2020. Our data sees Manufacturing, TMT, & Professional Services most impacted. 3/n
Read 19 tweets
Happening NOW! You can still join us here, and I'll be live-tweeting what @Robert_Lipovsky and @adorais share. sans.org/webcasts/star-… Image
.@Robert_Lipovsky kicking off with something I believe as well...crimeware is a greater threat to most orgs than state-sponsored threats. Even this week!
Many cyber crimes involve different jurisdictions - rarely is adversary infrastructure all in the same country, so law enforcement and private industry have to cooperate globally.
Read 28 tweets
2020-12-03:🔥 And ... [Major Discovery] 🤖"Persist, Brick, Profit -#TrickBot Offers New “#TrickBoot” UEFI-Focused Functionality"

🆕*First* Time Crimeware Group Pursued UEFI Firmware Exploitation | #YARA+IOCs in MISP JSON/CSV

@eclypsium | @IntelAdvanced
advanced-intel.com/post/persist-b…
📚:

1⃣TrickBoot is only one line of code away from being able to brick any device it finds to be vulnerable.
2⃣Historically, TrickBot actors have needed to evade and persist at the OS level - now a chance at UEFI level.
3⃣Actors are going lower in the stack to avoid detection.
✅Evolution of criminal intent:

⚓️Deep persistence achieved via UEFI/BIOS level to survive long-term on the host

⚡️New Incident Response Paradigm Shift:

*Firmware integrity checks might be particularly important for device that is known to have been compromised by TrickBot.*
Read 4 tweets
🚨 We have a credible report of an imminent #cyber threat to the #healthcare industry: go.usa.gov/x7jKz

Some facilities have already been infected with ransomware over the last week. Here’s what we know. (1/4)
Since 2016, the cybercriminal enterprise behind #Trickbot, #Ryuk, and other ransomware tools have continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization. (2/4)
What began as a banking trojan and descendant of #Dyre malware, now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. (3/4)
Read 4 tweets
"salesforce.docx" uploaded yesterday
Low static detection (4/60): virustotal.com/gui/file/17f73…
Embedded executable "salesforce_report.exe"
• election-themed PE data
• CMSTPLUA UAC bypass
• probably #Trickbot 🤹🏽‍♂️🤖
• comms with: 181.112.157[.]42:449 (that cert 👀) & 193.26.217[.]243 ImageImageImage
"salesforce.docx"
MD5: ab284dccb09484ff6a3a116152edcb75

"salesforce_report.exe"
MD5: 3e0aff10a361a752ab160228410f2432
<Not on VT>
I've shared here:
@anyrun_app: app.any.run/tasks/02c2ef89…
@virusbay_io: beta.virusbay.io/sample/browse/…
@anyrun_app @virusbay_io I think this fresh sample uses the old CMSTPLUA UAC bypass from @hFireF0X: gist.github.com/hfiref0x/196af… (blast from the past!)
Personally, I haven't done much #Trickbot binary triage - so I don't know how/what else to extract (like configs, campaign codes).
Read 4 tweets
1/6
Based on the evidence published, some bullets in Everis case:

#Ryuk not was involved, the ransome note is different.

#Ryuk/#Bitpaymer take long time to been deployed.

#Ryuk has been saw in combination of #Emotet->#Trickbot.
2/6
0day Bonjour Updater
Oct 10, Morphisec published “the abuse of an Apple zero-day vulnerability in the Apple Software Update utility that comes packaged with iTunes for Windows” , related with #Bitpaymer adversaries.
3/6
BlueKeep
Over the weekend @GossiTheDog, report that his honeypot saw activity related with Bluekeep, working with @MalwareTechBlog they found that the final payload is a #MoneroMiner. Some IOC's shared today are related with this activity.
Read 8 tweets
Today we’re seeing a massive "Incoming transfer" spam campaign. The email body is blank, but the attachment is a document with malicious PowerShell that connects to malicious URLs to download a new variant of banking Trojan #Totbrick (#Trickbot). Image
Microsoft Word opens the document in Protected View, hence the instructions to "unlock the document" by clicking "Enable Editing". Don't! (SHA-256: 12dbd0cba4d5caf353f57a5d31ebb14d56d71ff410d58ef69391724ffef3002f, 7ea2df3db0c33dcca5a5634d6433f42d0ea4d9e0a23b865f27b39994cc20c4a3) Image
Windows Defender AV detects and blocks the document as TrojanDownloader:O97M/Powdow.KE. The payload is detected and blocked as Trojan:Win32/Totbrick (SHA-256: fc259872826dbe0cf623abbb2e886e4d877641add6d41b0121c121ade916c446)
Read 3 tweets
As researchers like @dvk01uk noted, multiple spam campaigns are delivering malicious document attachments that exploit several vulnerabilities to install banking trojan #Trickbot. The spam emails spoof several banks, including Barclays and Scotiabank. ImageImage
The attachment is a malicious .docx file that exploits CVE-2017-0199 to download a malicious .rtf, which in turn exploits CVE-2017-8570 to drop a malicious PowerShell, and CVE-2017-11882 to run the said PowerShell, which downloads #Trickbot. ImageImage
Protected view can prevent automatic execution of malicious documents. Office365 ATP blocks the malicious emails. Windows Defender AV blocks malicious documents and payload. Attack surface reduction in Windows Defender Exploit Guard can also help protect. blogs.technet.microsoft.com/secguide/2018/…
Read 3 tweets
Online banking #Trojan #TrickBot once again the payload of new #spam campaign; watch out for these emails in French Image
Attachment is script downloader; SHA256: 5ad6ef9af53e80604996e81279f075ff190eadcc3d163ace238cd9dca6840ffd
Payload is Trojan:Win32/TrickBot.A; SHA256: 16d8c3a87e5afe7224f255e32e9b99b97eaa0306f6e06e81f78ea13fbd042693
Read 3 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!