2018-10-15 - QUICK POST: CHANGES IN TRICKBOT SEEN TODAY

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Traffic:  2018-10-15-Trickbot-gtag-jim332-infection-traffic.pcap.zip   17.8 MB (17,771,030 bytes)

• 2018-10-15-Trickbot-gtag-jim332-infection-traffic.pcap   (19,521,364 bytes)

• Malware and artifacts:  2018-10-15-Trickbot-malware-and-artifacts.zip   12.1 MB (12,117,614 bytes)

• 2018-10-15-Trickbot-binary-gtag-jim332.exe   (316,035 bytes)
• 2018-10-15-Trickbot-binary-gtag-lib332.exe   (316,035 bytes)
• 2018-10-15-Trickbot-binary-gtag-tot332.exe   (316,547 bytes)
• VsCard/settings.ini   (40,400 bytes)
• VsCard/Data/importDll64   (8,952,080 bytes)
• VsCard/Data/injectDll64   (1,930,192 bytes)
• VsCard/Data/injectDll64_configs/dinj   (70,416 bytes)
• VsCard/Data/injectDll64_configs/dpost   (880 bytes)
• VsCard/Data/injectDll64_configs/sinj   (58,928 bytes)
• VsCard/Data/mailsearcher64   (27,824 bytes)
• VsCard/Data/mailsearcher64_configs/mailconf   (240 bytes)
• VsCard/Data/networkDll64   (22,704 bytes)
• VsCard/Data/networkDll64_configs/dpost   (880 bytes)
• VsCard/Data/shareDll64   (45,280 bytes)
• VsCard/Data/systeminfo64   (87,728 bytes)
• VsCard/Data/wormDll64   (59,680 bytes)

 

NOTES:

• Some of the radiance.png/table.png/worming.png Trickbot binaries from 185.251.39.223 are acting different today than previously.
• No more FAQ and README.md files in the directory holding the Trickbot modules.
• Instead, there is a settings.ini file, and it's very obfuscated.
• Confirmed with @hasherezade on Twitter there are changes in the way Trickbot modules are now encoded.
• Additionally, and IP address check from the infected host now occurs every 10 minutes (previously, it only happend again several hours after the initial infection).

 

IMAGES

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Trickbot malware binary persistent on the infected host.

 

Shown above:  The new "settings.ini" file with all its obfuscation.

 

Shown above:  Trickbot modules seen today.

 

Click here to return to the main page.