RSA NetWitness Platform Blog, July 18, 2017

In the early weeks of July 2017, the Necurs botnet supported a large malspam campaign delivering TRICKBOT via macro-enabled MS Word documents. While multiple documents were noted in VirusTotal submissions, Lloyds Bank was specifically referenced within one decoy document entitled "Protected.doc".


These documents all contain macros with malicious VBA code that maxes out the score in RSA's pre-release WhatsThisFile.net, as shown below. Note the three findings of interest: "Document Contains VBA Code", "VBA Code Contains Auto-Launch Scripts", and "VBA Code Contains Reference to Launching EXEs". These are all bad things...


Upon opening, the attachment downloads a PNG file that is actually an executable; this is the TRICKBOT payload.  In several instances, we observed multiple download domains involved with this delivery.  In the case below, the first download domain (rbsbuilding[.]co[.]uk) fails with a 404 and a second download domain, ccbenelux[.]nl, successfully delivers our payload, baglosnot32tritony.png.


Post infection, we did not observe TRICKBOT Command and Control (C2) in our own sandbox detonations (probably due to a delay before the periodic 3-minute beaconing begins). However, we did note probable C2 check-in behavior in related VirusTotal PCAPs, specifically TCP SYNs out to a number of known related IP addresses.


This beaconing was also easily observed in NetWitness Endpoint (aka ECAT), where a telling screenshot shows "butrz.exe" creating a suspect "svchost" process every 3 minutes.
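One way to surface the clockwork behaviour described above from endpoint process-creation telemetry, as an added example that is not NetWitness Endpoint/ECAT code or output: the events are constructed to mirror the post's observation ("butrz.exe" starting "svchost" every 3 minutes, with some ordinary activity mixed in), and the function flags any parent/child pair whose launches recur at a near-constant interval.

```python
"""Periodicity check over process-creation events (added example; the
event list below is constructed, not captured ECAT data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: (timestamp, parent process, child process).
# The first group repeats every 3 minutes with a second or two of jitter,
# as a beacon loop would; the rest is unrelated interactive activity.
BASE = datetime(2017, 7, 18, 9, 0, 0)
EVENTS = [
    (BASE + timedelta(minutes=3 * i, seconds=s), "butrz.exe", "svchost.exe")
    for i, s in enumerate([0, 1, 0, 2, 1, 0])
] + [
    (BASE + timedelta(minutes=1), "explorer.exe", "winword.exe"),
    (BASE + timedelta(minutes=7), "explorer.exe", "chrome.exe"),
    (BASE + timedelta(minutes=40), "explorer.exe", "notepad.exe"),
]


def find_periodic_spawns(events, min_count=4, max_jitter=5.0):
    """Return {(parent, child): mean_gap_seconds} for parent/child pairs
    whose launches recur at a near-constant interval.

    min_count  - launches needed before a pair is even considered
    max_jitter - largest standard deviation (seconds) of the gaps that
                 still counts as "periodic"
    """
    by_pair = defaultdict(list)
    for ts, parent, child in events:
        by_pair[(parent.lower(), child.lower())].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A tiny spread in the gaps means a timer, not a human, is driving it.
        if pstdev(gaps) <= max_jitter:
            findings[pair] = round(mean(gaps), 1)
    return findings


if __name__ == "__main__":
    for (parent, child), gap in find_periodic_spawns(EVENTS).items():
        print(f"{parent} -> {child} every {gap:.0f}s")
```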


ECAT also flags a number of IOCs that warrant concern.


With regard to packet detection of TRICKBOT, NetWitness metadata clearly identifies behavior indicative of malicious activity. Specifically, our macro-enabled MS Word document produces meta for session.analysis of "first carve not dns", service.analysis of "http no user-agent" and "http no referrer", and file.analysis of "exe filetype but not exe extension". These are all strong indicators that something malicious is going down.
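To show how the service.analysis and file.analysis values above fall out of a session, here is an added example (not NetWitness parser or rule code) that re-derives "http no user-agent", "http no referrer" and "exe filetype but not exe extension" from constructed HTTP sessions modelled on the post's download chain: a 404 from the first host, then an MZ-headed body served under the .png name from the post, plus an ordinary browser image fetch for contrast.

```python
"""Derive session indicators from HTTP sessions (added example; the
sessions below are constructed, hosts written defanged as in the post)."""

SESSIONS = [
    {"host": "rbsbuilding[.]co[.]uk", "path": "/baglosnot32tritony.png",
     "status": 404, "headers": {"Host": "rbsbuilding[.]co[.]uk"},
     "body": b"<html><body>404 Not Found</body></html>"},
    {"host": "ccbenelux[.]nl", "path": "/baglosnot32tritony.png",
     "status": 200, "headers": {"Host": "ccbenelux[.]nl"},
     "body": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"},
    {"host": "images.example", "path": "/logo.png", "status": 200,
     "headers": {"Host": "images.example", "User-Agent": "Mozilla/5.0",
                 "Referer": "http://images.example/"},
     "body": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"},
]

# Leading bytes that identify a file regardless of what the URL calls it.
MAGIC = {b"MZ": "exe", b"\x89PNG": "png", b"%PDF": "pdf"}


def sniff_type(body):
    """Classify a response body by its magic bytes, not its file name."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"


def analyze(session):
    """Return the set of indicator strings a single session earns."""
    flags = set()
    headers = {k.lower(): v for k, v in session["headers"].items()}
    if "user-agent" not in headers:
        flags.add("http no user-agent")
    if "referer" not in headers:  # the wire header is spelled "Referer"
        flags.add("http no referrer")
    path = session["path"]
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    # Only a delivered body can be carved; a 404 page is not the payload.
    if session["status"] == 200 and sniff_type(session["body"]) == "exe" \
            and ext != "exe":
        flags.add("exe filetype but not exe extension")
    return flags


def triage(sessions):
    """Hosts ordered by indicator count; the payload delivery lands first."""
    scored = [(len(analyze(s)), s["host"]) for s in sessions]
    return [host for n, host in sorted(scored, reverse=True) if n]
```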


As referenced in the opening, this activity appears to be part of a larger ongoing TRICKBOT campaign; below is some related activity we have observed thus far in the month of July.


All related IOCs have been pushed to the FirstWatch_C2_Domains and FirstWatch_C2_IPs feeds and are available to customers via RSA Live.  Thanks to Ahmed Sonbol, Christopher Ahearn and Prakhar Pandey for their assistance with this analysis.


Thanks to Vitali Kremez (@VK_Intel on Twitter) for the banner picture.

Despite increasing investments in security, breaches are still occurring at an alarming rate. Whether the result of cyber criminals sending phishing or malware attacks through company emails, nation states targeting organizations' IP, or insiders misusing sensitive data, we live in a world where prevention of breaches has become impossible. Given the speed at which cyber criminals are able to create new security threats, companies must change their approach to security. It is time for the centerpiece of our security operation to evolve – for SIEM to finally deliver what it has promised for decades.


We are thrilled to announce that this is exactly what we are delivering. We've redefined modern security operations with a new kind of SIEM: the RSA NetWitness® Suite.


Of course, we have all the traditional SIEM requirements like compliance; but it is built to be laser focused on security – to rapidly detect and respond to today’s known and unknown threats – before they do damage.


The latest release of the RSA NetWitness Suite delivers end-to-end visibility across the organization – from logs, network, endpoints and threat intelligence – in a brand new, highly intuitive and blazing fast user interface. The new user interface was designed from the ground up after hundreds of hours of security analyst interviews and testing. The new Respond and Investigate workflows make it easy for security analysts to triage information rapidly because they have all the information they need in one screen, and will make threat hunters even more impactful by providing them insights and drills into all the data, business context and threat intelligence they need. From novice to hunter – these workflows will make any security analyst better at defending their networks.


RESPOND: Interactive Nodal

We continue to focus on improving the efficiency and effectiveness of security analysts of all levels, by providing out of the box machine learning and behavior analytics for alerting and detection and by prioritizing the most important incidents based on business risk – from identity and asset criticality data. The new RSA NetWitness Suite is a force multiplier for security analysts and incident responders.


Ultimately, the RSA NetWitness Suite enables analysts to detect and investigate the full scope of an attack and more rapidly respond to those threats that matter the most to an organization.


You need to see it for yourself. You can learn more by visiting: www.rsa.com/DoMore
