There are still using this new version of the Trickbot delivery system where Bitsadmin is used to download the payload in small sections to a victims computer where it is all joined together to make 1 file.
This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “RE: Tax verification documents ” pretends to come from Paychex but actually comes from “J.Clark@paychex.email” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they are using macro enabled Word Doc files.
These are primarily aimed at US recipients. It is currently the “Tax Season” in the USA with just over 1 month to go before all the Tax Returns must be submitted. We can all expect to see lots more Tax related scams & malware over the next couple of months.
Paychex has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like the genuine Company, Bank, Government Department or message sending service. Normally there is only one newly registered domain that imitates a well known Company, Government Department, Bank or other organisation that can easily be confused with the genuine body or website in some way. These are hosted on & send the emails from 3 or 4 different servers. Some days however we do see dozens or even hundreds of fake domains.
Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar. Because of new GDPR rules we cannot easily find the registrants name or any further details.
- paychex.email hosted on & sending emails via 188.8.131.52 | 184.108.40.206 | 220.127.116.11 | 18.104.22.168 |
You can now submit suspicious sites, emails and files via our Submissions system
From: Jeff Clark – Paychex <J.Clark@paychex.email>
Date: Thu 07/03/2019 19:29
Subject: RE: Tax verification documents
As requested, I have attached the details for your consideration.
Major Client Service Representative
Toll Free: 800-943-3875 x 5123247
100 East Hines Hill Road
Hudson, Ohio 44236
How are we doing? Let my manager know!
Payroll Supervisor: Kert Kertesz | 330-342-0530 ext 23272 | firstname.lastname@example.org
There are lots of changes to the Trickbot delivery system this week and possibly the payloads and configs. As usual it starts with a Macro enabled Word doc attached to the email.
This is where it starts to be quite different to olderTrickbot campaigns & delivery methods. Firstly the macro fires off on open & close. The macro drops several .bat files ( Yahhop*.bat, where * is 1-4 ) into user\temp that contain all the instructions to download & run the malware payload. It then copies the system bitsadmin.exe from windows system folder to user/temp folder under a different name, G$7kB}0.exe ( this is done because several security tools or company settings try to block the system bitsadmin from running to try to prevent silent malware downloads) & runs that to call out to one of the sites, initially http://yasgold.com/za.ebali where it downloaded a very small .exe file and multiple other binary files, 8 different pieces altogether which are then combined together to create the Trickbot payload. But a direct call to the urls in question, not using bitsadmin will give the full binary. The final bat file then deletes all the bat files and the copied & renamed bitsadmin.exe to try to hide itself.
http://yasgold.com/za.ebali which is a renamed .exe file VirusTotal | Gtag Ser 0307us
The alternate Download location is http://mitreart.com/za.ebali
The folder for the files & configs is: C:\Users\[User]\AppData\Roaming\wnetwork
All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware, macros and DDE “exploit /Feature” and embedded ole objects from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.
Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.
The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them
I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.
Main object- “Verification_Documents.doc”
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\G$7kB}0.exe 2990813e869a0a5c7706938a8136bca09046623a8225b24b54f76ac4126efbb0
sha256 C:\Users\admin\AppData\Roaming\wnetwork\ebamj.exe da252efc670493820e953a0472959d21ca2dd85b2d4ed25b693d1ced25a02fbd
sha256 C:\Users\admin\AppData\Roaming\wnetwork\log_install.tmp 7fa3616b8e13f858146037833cb64c1b062927528d6d3a6b46321ac3d4a6c50b
Email from: J.Clark@paychex.email