Rewterz Threat Alert – Phishing Campaigns Spoofing Pakistani Banks

May 21, 2019

Rewterz Threat Advisory – Multiple Vulnerabilities in Mozilla Firefox

May 22, 2019

Rewterz Threat Alert – Trickbot Banking Trojan Arrival via Redirection URL

May 22, 2019

Severity

Medium

Analysis Summary

A new variant of trickbot banking trojan discovered as (TrojanSpy.Win32.TRICKBOT.THDEAI) using a redirection url as a spam. In this particular case, the variant used Google to redirect from the URL hxxps://google[.]dm:443/url?q=, whereby the URL in the query string, url?q=, is the malicious URL that the user is redirected to. The redirection URL is a way to sidestep spam filters that may block Trickbot at the onset.

At first glance, the spam email could pass as legitimate, even adding social media icons for good measure. The content indicates a processed order that is ready for shipping. The mail then goes into detail with the freight number for the package, delivery disclaimer, and contact details of the seller. The cybercriminals used the Google redirection URL in the email to trick unwitting users and deflect from the hyperlinks’ actual intention. Moreover, since the URL is from a known site, it lends some air of authenticity to the email and redirection.

Figure 1. Sample spam email with redirection URL

The URL in the email is used to redirect the user from Google to a Trickbot download site. The browser will show a redirection notice stating that the user will be sent to a link with “order review” in it.

Figure 3. Malicious site purported to be an order review

However, the site will download a .zip file that contains a Visual Basic Script (VBS), which is the Trickbot downloader. Once executed, Trickbot then performs its malicious routines. Due to its modular structure, Trickbot can quickly deploy new capabilities depending on the modules that it downloads and installs. The modules that it uses have distinct functions that can be easily swapped, enabling customized attacks.

Indicators of Compromise

URLs

http[:]//mastelecomusa[.]com/2019/05/02/order-review/

Malware Hash (MD5/SHA1/SH256)

fe89e399b749ee9fb04ea5801a99a250560ad1a4112bbf6ef429e8e7874921f2
f82d0b87a38792e4572b15fab574c7bf95491bf7c073124530f05cc704c1ee96
ce46ce023e01d2afa2569962e3c0daa61f825eaa1fb5121e982f36f54bb6ab53
c560cca7e368ba23a5e48897e2f89ed1eb2e5918a3db0b94a244734b11a009c6
be201f8a0ba71b7ca14027d62ff0e1c4fd2b00caf135ab2b048fa9c3529f98c8
a02593229c8e75c4bfc6983132e2250f3925786224d469cf881dbc37663c355e
7f55daf593aab125cfc124a1aeeb50c78841cc2e91c8fbe6118eeae45c94549e
7daa04b93afff93bb2ffe588a557089fad731cac7af11b07a281a2ae847536d5
55f74affe702420ab9e63469d2b6b47374f863fe06ef2fffef7045fb5cbb1079
312dec124076289d8941797ccd2652a9a0e193bba8982f9f1f9bdd31e7388c66

Remediation

Block all the threat indicators at your respective controls
Always be suspicious about emails sent by unknown senders
Never click on the links/attachments sent by unknown or unverified users.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, the Middle East, and Africa – Active IOCs

Strela Stealer Malware Targets Microsoft Outlook Users for Credential Theft – Active IOCs

EncryptHub: A Multi-Stage Malware Breach Impacting 600 Organizations – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us