Rewterz Threat Alert – IcedID Used Steganography to Hide Payload
December 10, 2019
Rewterz Threat Advisory – CVE-2019-1458 – New Windows 0-Day Exploited in Active Attack
December 11, 2019
Severity
Medium
Analysis Summary
Trickbot is a well-known, modular credential stealer first discovered in 2016. It is thought to be a descendant of another well-known credential stealer, Dyreza (also called Dyre), because of similarities in functionality and codebase. Because it is modular, Trickbot operators can add functions and capabilities by retrieving additional modules from the command and control (C2) servers. These include a worming function (copying itself to other devices), an email inbox parser, and network reconnaissance.
Attack Details
The emails sent by the attackers appeared to originate from individuals at .edu email addresses which were likely compromised by the adversary. They then used SendGrid’s EDS to distribute the actual emails. This would have increased their likelihood of bypassing email filters, as it is a popular service used by organizations around the world.


Once the victim clicks on the links, they are redirected to a Google Doc document which contains a link to a file hosted on Google Drive. This file is a simple downloader whose only function is to retrieve the Trickbot payload and execute it on the victim host.

Impact
Credential theft
Indicators of Compromise
Email Subject
- “Re: annual bonus document is ready”
- “Re: annual bonus form for ”
- “RE: Payroll notification”
SHA-256
- 7d6ff8baebedba414c9f15060f0a8470965369cbc1088e9f21e2b5289b42a747
- b8c2329906b4712caa0f8ca7941553b3ed6da1cd1f5cb70f1409df5bc1f0ee4a
- dc8f259fb55a330d1a8e51d913404651b8d785d4ae8c9c655c57b4efbfe71a64
- b3d2e7158620ece90fbc062892db55bf564c6154eb85facab57a459e3bd1156f
- d1e0902fd1e8b3951e2aec057a938db9eebe4a0efa573343d89703482cafb2d8
- 24e3fa3fb1df9bd70071e5b957d180cd51bcf10bab690fa7db7425ca6652c47c
- e9fd22631de9c918ac834eb14e01c76aa4d33069c7622daafcd03b4f1574aad0
- f8aaf313cc213258c6976cd55c8c0d048f61b0f3b196d768fbf51779786b6ac6
URL
- http://lindaspryinteriordesign.com/supp.php
- http://savute.in/supp.php
- http://clementeolmos.com/supp.php
- http://maisonmarielouise.org/supp.php
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
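To show how the indicators above can be applied at the controls the remediation section refers to, the following Python script loads the advisory's subjects, SHA-256 hashes and URLs and matches them against constructed mail-gateway, proxy and endpoint log lines. It is an example added to this page, not Rewterz's own tooling; the log format and the sample log lines are assumptions made for the example. It goes slightly beyond the list itself by also flagging any request to the listed hosts regardless of path, and by treating the subject ending in a recipient name as a prefix pattern.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the advisory above (subjects lower-cased for matching).
IOC_SUBJECT_PREFIXES = (
    "re: annual bonus document is ready",
    "re: annual bonus form for",   # the advisory's value ends in a variable recipient name
    "re: payroll notification",
)
IOC_SHA256 = {
    "7d6ff8baebedba414c9f15060f0a8470965369cbc1088e9f21e2b5289b42a747",
    "b8c2329906b4712caa0f8ca7941553b3ed6da1cd1f5cb70f1409df5bc1f0ee4a",
    "dc8f259fb55a330d1a8e51d913404651b8d785d4ae8c9c655c57b4efbfe71a64",
    "b3d2e7158620ece90fbc062892db55bf564c6154eb85facab57a459e3bd1156f",
    "d1e0902fd1e8b3951e2aec057a938db9eebe4a0efa573343d89703482cafb2d8",
    "24e3fa3fb1df9bd70071e5b957d180cd51bcf10bab690fa7db7425ca6652c47c",
    "e9fd22631de9c918ac834eb14e01c76aa4d33069c7622daafcd03b4f1574aad0",
    "f8aaf313cc213258c6976cd55c8c0d048f61b0f3b196d768fbf51779786b6ac6",
}
IOC_URLS = {
    "http://lindaspryinteriordesign.com/supp.php",
    "http://savute.in/supp.php",
    "http://clementeolmos.com/supp.php",
    "http://maisonmarielouise.org/supp.php",
}
# Hosts derived from the URLs, so a different path on the same server is still flagged.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

# Constructed sample log lines (not real traffic). Assumed format:
# '<source> key=value key="quoted value" ...'
SAMPLE_LOGS = [
    'mail from=prof@example.edu subject="Re: annual bonus form for Alice" mailer=sendgrid',
    'mail from=hr@example.com subject="Payroll notification" mailer=internal',
    'proxy src=10.0.0.5 url=http://savute.in/supp.php status=200',
    'proxy src=10.0.0.6 url=http://clementeolmos.com/update.php status=200',
    'proxy src=10.0.0.7 url=https://docs.google.com/document/d/CONSTRUCTED-ID status=200',
    'edr host=ws01 path=C:\\Users\\alice\\Downloads\\bonus.exe '
    'sha256=B8C2329906B4712CAA0F8CA7941553B3ED6DA1CD1F5CB70F1409DF5BC1F0EE4A',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split '<source> k=v k="v v"' into (source, {k: v})."""
    source, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(rest)}
    return source, fields


def match_line(line):
    """Return a list of (ioc_type, ioc_value) hits for one log line."""
    _, f = parse_line(line)
    hits = []
    subject = f.get("subject", "").strip().lower()
    for prefix in IOC_SUBJECT_PREFIXES:
        # Prefix match; a subject without the "RE:" prefix is not in the advisory
        # and is deliberately left unflagged.
        if subject.startswith(prefix):
            hits.append(("subject", prefix))
            break
    url = f.get("url")
    if url:
        host = urlparse(url).hostname
        if url in IOC_URLS:
            hits.append(("url", url))
        elif host in IOC_HOSTS:
            hits.append(("host", host))
    digest = f.get("sha256", "").lower()   # normalise case before the set lookup
    if digest in IOC_SHA256:
        hits.append(("sha256", digest))
    return hits


def scan(lines):
    """Return one finding per log line that matched at least one indicator."""
    findings = []
    for line in lines:
        hits = match_line(line)
        if hits:
            findings.append({"source": line.split(" ", 1)[0], "hits": hits, "line": line})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding["source"], finding["hits"])
```

On the constructed sample the scan flags four of the six lines: the bonus-form subject, the exact `supp.php` URL, a different path on a listed host, and the upper-cased hash from the endpoint log. The Google Docs request is not flagged, which reflects the advisory's point that the lure is staged on legitimate services and cannot be blocked by host alone; the mail subject and the downloader hash are the indicators that catch that stage.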