You can follow the HTTP stream for this HTTP request and find indicators this is an executable file as shown in Figure 8 and Figure 9. This is the initial Windows executable for Trickbot. įigure 7: Checking the extracted zip archive and its contents.Īn HTTP request to 15 returned a Windows executable file. The command to identify the file type is file, while the command to find the SHA256 hash of the file is shasum -a 256. In this case, the content is a Windows shortcut file, which you can also confirm and get the SHA256 hash as shown in Figure 7. In a BSD, Linux, or Mac environment, you can easily confirm the extracted file is a zip archive, get the SHA256 hash of the file, and extract the contents of the archive in a command line environment. You can export the zip archive from the traffic using Wireshark as shown in Figure 5 and Figure 6 using the following path:įigure 5: Exporting HTTP objects from the pcap.įigure 6: Exporting the zip archive from the pcap. In Figure 4, you can also see the name of the file contained in the zip archive, InvoiceAndStatement.lnk. In the HTTP stream, you will find indicators that a zip archive was returned as shown in Figure 4.įigure 3: Following the HTTP stream for the request to Figure 4: Indicators the HTTP request returned a zip archive. Follow the HTTP stream for the request to as shown in Figure 3 to review the traffic. Unique to this Trickbot infection is an HTTP request to that returned a zip archive and an HTTP request to 15 that returned a Windows executable file. HTTPS/SSL/TLS traffic over TCP ports 447 and 449.An IP address check by the infected Windows host.Review the traffic, and you will find the following activity common in recent Trickbot infections: Use your basic filter to review the web-based infection traffic as shown in Figure 2.įigure 2: Pcap of the Trickbot infection viewed in Wireshark. Extract the pcap from the zip archive using the password infected and open it in Wireshark. The pcap is contained in a password-protected zip archive named. A pcap for the associated Trickbot infection is available here.įigure 1: Flowchart from a Trickbot infection from malspam in September 2019.ĭownload the pcap from this page. The zip archive contained a Windows shortcut file that downloaded a Trickbot executable. In this example, the email contained a link that returned a zip archive. In some cases, links from these emails return a zip archive that contains a Trickbot executable or downloader.įigure 1 shows an example from September 2019. These files may be Windows executable files for Trickbot, or they may be some sort of downloader for the Trickbot executable. Emails from these campaigns contain links to download malicious files disguised as invoices or documents. Trickbot is often distributed through malspam. You should already have implemented Wireshark display filters as described here. Note: Today’s tutorial requires Wireshark with a column display customized according to this previous tutorial. This tutorial reviews pcaps of Trickbot infections caused by two different methods: a Trickbot infection from malspam and Trickbot when it is distributed through other malware. Trickbot is distributed through malicious spam (malspam), and it is also distributed by other malware such as Emotet, IcedID, or Ursnif. This tutorial offers tips on how to identify Trickbot, an information stealer and banking malware that has been infecting victims since 2016. When a host is infected or otherwise compromised, security professionals with access to packet captures (pcaps) of the network traffic need to understand the activity and identify the type of infection.
0 Comments
Leave a Reply. |