Skip to main content

A Module-Based Malware Spread by Word Document



As a module-based malware, Trickbot a malware family previously captured by FortiGuard Labs and afterward analyzed in 2016. It can broaden its functionalities by downloading new modules from its C&C server and executing them on its victim's device. 

While it was at first recognized as banking Trojan, it has progressively extended out its functionalities to gather credentials from its victims' email accounts, browsers, installed network applications and so on. It is likewise able to send spam to its victim's email contacts, just as deliver other malware to the victim's device, like Emotet. As of late, FortiGuard Labs captured an MS Office Word sample in the wild that is spreading another variation of TrickBot. 

This is how by which it chips away at the victim's machine. At the point when the malevolent Word document is opened with MS Office Word, it requests input, by requesting that the victim click the "Enable Content" button to empower the document's Macro feature. When this is done, its malicious Macro (VBA code) is executed. By going to the Menu "Developer"- > "Visual Basic" we can look at the Macro's VBA modules and code. 

The Macro project is password-protected, so one can't see any of the detailed data until the right password is provided. Luckily, there is an approach to sidestep this protection by changing its binary file. On the form, there is a Label control containing the malignant JS code, sketched out with a red rectangle. One of the VBA modules has an autorun() function which is called consequently when the Word doc opens. The VBA code at that point separates two files onto the victim's framework. 

 One document is "C:\AprilReport\LogsTsg\LogsTsg7\LogsTsg8\List1.bat", with content "cscript/nologo C:\AprilReport\List1.jse", and the other is "C:\AprilReport\List1.jse", with JavaScript code from the label control, which is a tremendously jumbled JavaScript code. At that point, it begins the first extricated file "List1.bat", which calls "script" running the huge JavaScript document "List1.jse". The JavaScript code is heavily muddled. This secures the API function calls and consistent strings from being distinguished. They additionally utilize tons of unknown functions also.

At the point when the code starts, it first waits around for a minute to sidestep any auto-analysis devices by appearing to be dormant. After waiting, it then proceeds with the command "Select * from Win32_Process" to acquire every running procedure. It at that point puts the entirety of the names of these acquired procedures together and verifies whether its length is less than 3100. 

Provided that this is true, it will raise an exception and close. For the most part, on a real computer, this length is bigger than 3100. As of now, it’s better ready to sidestep numerous auto-analysis systems, including Sandboxes and Virtual Machines. 

For the solution for this issue, Fortinet customers are already said to have been shielded from this TrickBot variation by FortiGuard's web filtering, Antivirus, and IPS benefits as follows: The downloading URL is appraised as "Malicious Websites" by the FortiGuard Web Filtering service. The Word doc and downloaded Dll record are distinguished as "VBA/TrickBot.MRVB!tr" and
"W32/TrickBot.EFDC!tr" and further blocked by the FortiGuard AntiVirus administration. 

The IP locations of the C&C server are identified and then blocked by the FortiGuard IPS signature "Trojan.TrickBot".


source https://www.ehackingnews.com/2020/03/a-module-based-malware-spread-by-word.html
Labels:

Comments

Post a Comment

Popular posts from this blog

Provider Volia reported to the cyber police about the intense cyberattacks on the server

Cable provider Volia appealed to the Cyber Police on the fact of fixing a DDoS attack on the Kharkov servers of the company, which has been ongoing since May 31. "For three days, from May 31 to today, the Volia infrastructure in Kharkov is subjected to cyberattacks. At first, they were carried out only on subscriber subsystems, later they switched to telecommunications infrastructure. As a result, more than 100,000 subscribers experienced problems using the Internet, IPTV, multi-screen platform, and digital TV," said the company. In total, the complete lack of access to Volia's services, according to the provider, lasted 12 minutes on May 31, 45 minutes on June 1. There was also an attack on the website volia.com, but it was managed to neutralize. "DDoS attacks were massive and well-organized. The type of attack is UDP flood and channel capacity overflow with the traffic of more than 200 GB. UDP is a protocol used for online streaming services - streaming, te...
Post a Comment
Read more

Betting and Gambling Websites under Cyberattack from Chinese Hackers

Since last year's summers, Chinese hackers have been targeting South Asian companies that own online gambling and betting websites. The gambling companies in South Asia have confirmed the hacks, whereas rumors of cyberattacks on betting websites have also emerged from Europe, and the Middle East, however, the rumors are yet to confirm, says the reports of cybersecurity group Trend Micro and Talent-Jump. Cybersecurity experts claim that no money was stolen in these hacks against the gambling websites. However, hackers have stolen source codes and databases. The motive of the attack was not a cybercrime, but rather espionage intended attack to gain intelligence. According to the experts, a group named ' DRBControl ' is responsible for the cyberattack. According to the reports of Trend Micro, the hacking techniques used in this particular cyberattack incident is similar to methods done by Emissary Panda and Winnti. All of these hacking groups are from China that has launc...
5 comments
Read more

Apple Plans to Expand Cloud-Based Services, Enters Cloud Computing Space

Apple is planning to invest more in streamlines and increasing its cloud-based and software services like iCloud, Newsplus, and Apple Music. The expansion will go along with devices like iPads, MacBooks, and iPhones. To be entirely sure about the reliability of the cloud-based service on all the Apple devices, the company has decided to rely on AWS (Amazon Web Services) and the cloud division. AWS, as you might know, is a subunit of Amazon that offers cloud-space solutions. According to CNBC's findings, Apple is said to pay Amazon $30 Million monthly for its cloud-based services. It also means that Apple is one of the biggest customers of AWS. Nevertheless, Apple hasn't confirmed whether it uses Amazon's cloud services besides its iCloud. According to experts, Apple also has some of its cloud services on Google. Amazon transformed the management of the data center and hosting of the applications when it brought the AWS. Being the first one to offer services like these,...
Post a Comment
Read more