Introduction

Mass-distribution campaigns pushing commonly-seen malware are not often considered newsworthy.  But these campaigns occur on a near-daily basis, and I feel they should be documented as frequently as possible.  Frequent documentation ensures we have publicly-available records that reveal how these campaigns evolve.  Minor changes add up over time.

Today's diary illustrates a small part of my workday, as I review information and track down a campaign using malicious spam (malspam) to distribute Trickbot malware.

Reporting methods

A growing number of people are using social media tools like Twitter to share information about malware and malicious network activity.  Twitter offers a near-real-time way to push information to a large amount of people.  Security professionals and enthusiasts can easily find, share, and act on this information.

Keep in mind this sort of public sharing should never include sensitive data.  You should never reveal your organization's internal network or divulge any classified or confidential documents.  Criminals are likely monitoring public-facing services like VirusTotal and other malware scanning sites, because they "are becoming containers for personal, business and even classified information..."

Some security professionals use private communication methods with a restricted audience, but those methods don't often apply to the vast majority of people working in information security.  When possible, I prefer to share malware information publicly.

Gathering information

Like many researchers, I use a combination of public and non-public resources when investigating malware.  One great public resource is URLhaus.  URLhaus is a project operated by abuse.ch that helps security researchers, vendors and law enforcement agencies make the Internet a safer place.

On Tuesday 2018-11-13, I was browsing through URLhaus and found two URLs tagged as Trickbot.  I've researched a great deal of Trickbot activity, so I knew these URLs could be traced to malspam with an attached Microsoft Office document using macros to download and install Trickbot.

Shown above:  Two URLs tagged as Trickbot according to URLhaus.

I checked my employer's tools, where I found at least 20 examples of malspam using attached Word documents with macros to generate these URLs.  The malspam was very recent, and no samples of the attached Word documents had yet been submitted to VirusTotal.  I could find information and file hashes from my employer's tools, but I could not acquire a Word doc to generate any infection traffic.

However, those two URLs from the URLhaus list were still active, so I used one to retrieve a Trickbot binary.  I then used that binary to infect a Windows host in my lab which generated the expected infection traffic.  Post-infection activity revealed the campaign ID as sat101.  These campaign IDs are tagged as <gtag> in configuration files on infected Windows hosts, and they can be used to determine distribution characteristics of the campaign.  For example, Trickbot using campaign IDs starting with "sat" are used in malspam targeting recipients in the United States.

Shown above:  Tuesday's Trickbot infection traffic filtered in Wireshark.

Quick reporting

With enough information to describe Tuesday's Trickbot campaign in the US, I wanted to quickly report it.  But compiling a blog post would take at least two hours.  Twitter was my speediest alternative.  I dumped the data to a Pastebin page, created some images, and tweeted the results.

Shown above:  The tweet I sent.

Final words

This diary shows a small part of my workday, and it reveals how I found a recent wave of Trickbot malspam.  As of 20:24 UTC on Tuesday 2018-11-13, none of the associated Word documents were available on VirusTotal.  But a sample of the Trickbot binary had been submitted to hybrid-analysis.com.

---
Brad Duncan
brad [at] malware-traffic-analysis.net