Rewterz Threat Alert – Latest Trickbot Campaign Delivered via Highly Obfuscated JS File

Severity

Medium

Analysis Summary

A recently discovered variant of the Trickbot banking trojan (TrojanSpy.Win32.TRICKBOT.TIGOCDC) is being distributed through spam emails that carry a Microsoft Word document with an enabled macro. Once the document is opened, it drops a heavily obfuscated JavaScript (JS) file that downloads Trickbot as its payload. The malware also checks the number of running processes on the affected machine; if it finds itself in an environment with only a few processes, it does not proceed with its routine, on the assumption that it is running in a virtual environment.

Aside from its information theft capabilities, it also deletes files with particular extensions on removable and network drives and replaces them with a copy of the malware. This Trickbot campaign has affected the United States the most; spam from it has also reached China, Canada, and India.

Figure 1. Infection chain

The distributed Word document presents the user with the following notification, which states that the content can be viewed by enabling macro content. It is worth noting that the JS script is hidden in the document body itself rather than in the macro: the script text is disguised by giving it the same font color as the document background.

Figure 2. Document asking users to enable macro
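The hidden-text trick described above can be checked for on the defender's side. The following is an added example (not Rewterz's or the campaign's code) that parses a Word document's `word/document.xml` and flags text runs whose font color matches the page background; it assumes the OOXML (.docx) layout and uses a constructed sample document, since the alert does not publish the document's contents.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Constructed sample document.xml (not from the real lure): one visible
# paragraph, plus one run colored to match the white page background that
# carries script-like text, mimicking the technique the alert describes.
SAMPLE_DOCUMENT_XML = """<w:document
  xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:background w:color="FFFFFF"/>
<w:body>
<w:p><w:r><w:t>Enable content to view this document.</w:t></w:r></w:p>
<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr>
<w:t>function q(a){return String.fromCharCode(a);}var s=eval(q(1));</w:t>
</w:r></w:p>
</w:body></w:document>"""

# Tokens that suggest the hidden text is JScript rather than filler.
SCRIPT_HINTS = re.compile(
    r"\b(function|var|eval|ActiveXObject|WScript|String\.fromCharCode)\b")


def hidden_runs(document_xml):
    """Return runs whose explicit color equals the page background color."""
    root = ET.fromstring(document_xml)
    bg = root.find(W + "background")
    # Word defaults to a white page when no w:background element is present.
    background = (bg.get(W + "color") if bg is not None else "FFFFFF").upper()
    findings = []
    for run in root.iter(W + "r"):
        color = run.find(W + "rPr/" + W + "color")
        if color is None:
            continue
        if (color.get(W + "val") or "").upper() != background:
            continue
        text = "".join(t.text or "" for t in run.iter(W + "t"))
        if text.strip():
            findings.append({"text": text,
                             "script_like": bool(SCRIPT_HINTS.search(text))})
    return findings


def scan_docx(path):
    """Apply hidden_runs() to a .docx file on disk (a zip container)."""
    with zipfile.ZipFile(path) as archive:
        return hidden_runs(archive.read("word/document.xml").decode("utf-8"))
```

A run flagged with `script_like` set is a strong signal for this lure; runs colored to match the background without script tokens still merit a manual look.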

The script is obfuscated and is made up of several functions. To decode each obfuscated function, it calls another function that converts the encoded value into a single character.

Figure 3. Function for decryption

After deobfuscating the file, we analyzed it and observed some notable behaviors. On execution it displays a fake Microsoft error message that pops up after the macro is enabled, to make the user believe the document failed to open; in reality, the JS file is already running in the background.

Figure 4. Fake Microsoft error

Impact

  • Information theft
  • Exposure of sensitive information

Indicators of Compromise

URLs

hxxps[:]//185[.]159[.]82[.]15/hollyhole/c644[.]php

Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.