{
	"id": "41bfc2dc-2a7c-449a-a4c3-d7d581110678",
	"created_at": "2026-04-06T00:13:44.768585Z",
	"updated_at": "2026-04-10T03:21:31.718805Z",
	"deleted_at": null,
	"sha1_hash": "2cfd16c473b4cc2b2470b25db31729d8fb7ffdb7",
	"title": "Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1982380,
	"plain_text": "Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks | HP Wolf Security\r\nBy Alex Holland\r\nPublished: 2020-10-08 · Archived: 2026-04-05 16:51:13 UTC\r\nIntroduction\r\nOne of the doctrines of forensic science is Locard’s exchange principle that every action taken by the perpetrator of a\r\ncrime leaves a trace.[1] Through the process of carefully collecting and interpreting these traces, an investigator can\r\ncharacterise what happened and form hypotheses about other aspects of the crime, such as the capabilities of the\r\nperpetrator. This idea holds for digital forensic investigations just as much as it does in a physical crime scene.\r\nCybercrimes involving malware require threat actors to use defence evasion techniques to circumvent security\r\ncontrols in the target’s network to achieve their objectives.[2] The good news for network defenders is that these\r\ntechniques often involve manipulating files, which leave traces or “toolmarks” that can be used as signs of malicious\r\nintent or to track specific threat actors.[3] In this article, we describe how a stealthy TrickBot campaign in September\r\n2020 masquerading as COVID-19 alerts and invoices evaded detection by encrypting, modifying and embedding\r\npayloads in files.\r\nBackground\r\nTrickBot Operators Toy with Droppers, July 2020\r\nIn July 2020, we saw an unusual spam campaign delivering TrickBot banking malware. The configuration data used\r\nby every TrickBot binary contains an identifier called a gtag, which represents the campaign or distribution method\r\nused to deliver the malware.[4] In that campaign, TrickBot executables using the gtag “end4” were embedded in\r\nMicrosoft Word document attachments.[5] This differed from the delivery mechanism usually favoured by TrickBot’s\r\noperators, where a downloader retrieves and executes the payload from a remote server. 
Over the last two years, we’ve seen variations of this, commonly involving obfuscated Visual Basic for Applications (VBA) macros. TrickBot has also been delivered using Ostap, a JScript downloader, and through systems that have been infected with Emotet.[6]\r\nFirst seen in 2014, TrickBot is a modular banking Trojan thought to be operated from Russia.[7] It has extensive capabilities for making fraudulent transactions through web injections and stealing banking credentials. However, since June 2019 it has also been used as a platform to distribute post-exploitation tools and Ryuk ransomware, particularly against large enterprises.[8]\r\nWhy Attackers Choose Droppers\r\nDroppers offer several benefits to attackers over downloaders, which may be among the reasons we are seeing an increase in their use.\r\nNo need to host malware externally\r\nhttps://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/\r\nPage 1 of 13\n\nSince the payload is embedded in a file, there is no need to host it externally. This saves the time and cost associated with obtaining and managing web infrastructure for hosting the payloads. Attackers don’t need to purchase web servers from bulletproof hosting providers or compromise legitimate web servers.\r\nReduces detection exposure\r\nEmbedding the payload in a document also reduces the chance of the malware being detected by security controls that inspect network traffic for malicious activity, such as web proxies and network intrusion detection or prevention systems. This places extra reliance on email gateways to block malicious attachments. These controls tend to be less effective at blocking command and control (C2) traffic, especially where C2 servers are rotated regularly, as is the case with TrickBot. Web servers used for hosting malware tend to be active for longer periods of time, which means they are more likely to be blocked.\r\nImmune to takedowns\r\nDroppers cannot be taken down by network defenders. With downloaders, the web servers used to host the payloads are vulnerable to takedown action through abuse reports to hosting providers and domain registrars. Takedowns are particularly effective at disrupting the operations of threat actors with small hosting infrastructures. Large hosting infrastructures tend to be more resilient to takedowns. This becomes clear if we examine a malware distribution network using network analysis, a way of analysing entities (in this case, web servers, downloaders and payloads) that shows the type of relationship that exists between them.[9]\r\nIf a threat actor only has a few web servers, the number of ties each hosting node will have to the downloaders used in a campaign will be high. This would mean that each node used for hosting has high degree centrality in the distribution network. These web servers represent “choke points” that would severely limit the distribution of the malware if they were taken offline. Conversely, a distribution network consisting of many web servers is more resilient to takedowns because each hosting node has fewer ties. Therefore, an attacker might decide to use droppers instead of downloaders if they lack hosting capacity.\r\nFigure 1 – A TrickBot campaign from July-August 2019 that used Ostap as a downloader. Removing the two yellow nodes with the most edges would significantly reduce the number of infections.\r\nDenies defenders network artefacts\r\nDroppers also deny defenders network indicators of compromise (IOCs) associated with the initial download and execution of the malware. Web server configurations, DNS and WHOIS records and other network artefacts are a valuable source of information for tracking the activities of threat groups over time and across campaigns.\r\nDropper Disadvantages\r\nWorse targeting and operational security (OPSEC)\r\nOne area where downloaders are better than droppers is OPSEC. Downloaders allow threat actors to choose targets selectively based on their IP address (geofencing), user agent and other client information exposed to the web server hosting the malware. They also enable attackers to switch payloads in and out at will, reducing the window of opportunity for researchers and defenders to download and analyse the malware. However, these OPSEC benefits are generally considered less important to operators of massively deployed malware families, such as TrickBot.\r\nTrickBot Malspam Campaign, September 2020\r\nCOVID-19 and Invoice Lures\r\nStarting on 16 September 2020, we detected a high-volume TrickBot spam campaign that used the gtag “ono76”, where the Trojan was embedded in hundreds of encrypted DOCM attachments masquerading as COVID-19 alerts and invoices.\r\nFigure 2 – Fake invoice lure used in the TrickBot campaign from September 2020.\r\nLow Detection Rates\r\nUnlike the documents used in the July campaign that had relatively high detection rates (30/61) on VirusTotal,[5] the files in this campaign were more effective at evading detection. 70% of the samples were detected by four or fewer scanning engines, and several files received zero detections (Figures 3 and 4).\r\nFigure 3 – A TrickBot sample that evaded detection, September 2020.\r\nFigure 4 – Low detection rates of TrickBot samples, September 2020.\r\nTrickBot Dropper Toolmarks\r\nDocument encryption\r\nThese low detection rates were primarily caused by the documents being encrypted using Microsoft Word’s “Encrypt with Password” feature. In this case, the documents’ content and extended metadata were encrypted using AES in CBC mode with a 256-bit key. The emails containing the malicious attachments referenced the password so that recipients would be able to decrypt and open the documents. The most common passwords we found in this campaign were five characters long (e.g. “DLW16”), matching the regular expression [A-Z]{3}\\d{2}. Without the password, static and behavioural engines are unable to inspect the contents of the files. This technique also slows down investigations if the document password is not known.\r\nOne of the side effects of encrypting a DOCM file using Word’s built-in encryption feature is that tools like file and exiftool will fail to parse the document’s metadata fully. For example, here’s the output of the file command for one of the documents from this campaign:\r\nCDF V2 Document, corrupt: Cannot read summary info\r\nWhen combined with VirusTotal’s “magic” file search modifier, this output becomes a useful way of identifying encrypted Office documents.[10] For example:\r\nmagic:\"CDF V2 Document, corrupt: Cannot read summary info\"\r\nSimilarly, exiftool normally parses extensive document metadata, such as its creation date, creator and information about the version and locale of Microsoft Office used. Since the droppers in this campaign stored a long VBScript in the body of the documents (Figure 6), the very high word count (\u003e10,000) would usually be shown by exiftool. However, this metadata is inaccessible because of the encryption. Therefore, the limited output from exiftool can be used as a sign of encryption or that metadata has been removed, which may prompt an analyst to investigate further.\r\nUnusual byte modifications\r\nWe often see threat actors create a handful of malicious documents as templates and then programmatically modify them without changing the payload or download logic.[11][12] These slight modifications are typically done to evade hash-based detection since each document will generate a unique hash value as a result of the change. In this campaign, we found over 400 documents that were identical except for two bytes that had been modified with the following values:\r\nOriginal Value  New Value\r\n0xFFFF          0x9090\r\n0xFFFF          0x1010\r\n0xFFFF          0xE2E2\r\n0xFFFF          0x1717\r\nUsing these file artefacts, we were able to write a YARA rule to detect TrickBot dropper documents distributed in this campaign with high confidence, even though the contents of the files were encrypted.\r\nFigure 5 – A toolmark left in a TrickBot dropper document from September 2020. Two bytes in the bottom document were modified with 0xE2E2.\r\nExecution Chain\r\nAll the documents contained an AutoOpen macro that copies a VBScript stored behind the lure image, which is then written to a file in C:\\ProgramData with a .VBE (VBScript Encoded File) file extension.\r\nFigure 6 – VBScript containing an encoded TrickBot payload hidden behind the lure image, September 2020.\r\nFigure 7 – VBE file dropped to C:\\ProgramData.\r\nWe identified two ways that the VBA macro executes the TrickBot DLL payload. In the first method, the macro creates and runs a scheduled task named “Windows Defender” with the start time set to the system date and time returned by VBA’s Second, Minute, Hour, Day, Month and Year functions. The trigger event runs the VBE file using WScript.exe (Windows Script Host), the default VBE file handler. The other variant creates a WshShell object to run the VBE file, which also opens it with WScript.exe.\r\nFigure 8 – Execution of the dropped VBE file using a scheduled task.\r\nFigure 9 – Execution of the dropped VBE file using a WshShell object.\r\nThe VBE file contains junk code and the TrickBot payload, stored either as hexadecimal values (Figure 10) or Base64 encoded. The script creates a directory in C: and then writes the payload there with a .DLL extension.\r\nFigure 10 – TrickBot payload stored as hexadecimal values in the dropped VBE file.\r\nFinally, the script runs certutil to decode the payload and then executes it using regsvr32.exe (Figure 11).\r\nFigure 11 – Behavioural trace in HP Sure Click Enterprise showing regsvr32.exe executing a TrickBot payload (APSLVDFB.dll).\r\nConclusion\r\nThreat actors are continually experimenting with ways to improve their chances of successfully compromising systems. These include using droppers instead of downloaders, especially if they possess small hosting infrastructures that are vulnerable to takedowns; encryption to evade static and behavioural analysis; and modifying files to avoid hash lookups. However, these anti-analysis measures leave artefacts that network defenders can identify and use to build detection logic to track malware campaigns, even stealthy ones such as the TrickBot campaign we saw in September 2020.\r\nIndicators of Compromise\r\nSHA-256 Hash  Context\r\n7FEE0F3ADB6BB5A3ED22AD960709A87893E2512D099F6C8C39946097D9A4122B  TrickBot payload DLL using gtag “ono76”\r\nFDFB6706E3F056404DA1928A1A8DC3BCE4AB4B8473F49E1C246B4AB2EDC69AD4  TrickBot payload DLL using gtag “ono76”\r\n052C9196DFE764F1FBD3850D706D10601235DC266D1151C93D34454A12206C28  TrickBot payload DLL using gtag “ono76”\r\nYARA Rule\r\nrule trickbot_maldoc_embedded_dll_september_2020 {\r\n  meta:\r\n    author = \"HP-Bromium Threat Research\"\r\n    date = \"2020-10-03\"\r\n    sharing = \"TLP:WHITE\"\r\n  strings:\r\n    $magic = { D0 CF 11 E0 A1 B1 1A E1 }\r\n    $s1 = \"EncryptedPackage\" wide\r\n    $s2 = \"{FF9A3F03-56EF-4613-BDD5-5A41C1D07246}\" wide\r\n    $s3 = { FF FF FF FF FF FF FF FF FF FF ( 90 90 | 10 10 | E2 E2 | 17 17 ) FF FF FF FF FF FF FF FF }\r\n  condition:\r\n    $magic at 0 and\r\n    all of ($s*) and\r\n    (filesize \u003e 500KB and filesize \u003c 1000KB)\r\n}\r\nFilename Patterns\r\n\\d{4,6}170920\\d{4,6}\\.doc\r\n[A-Z0-9]{2,4}_Inv_[A-Z0-9]{2,4}\\.doc\r\n\\d{6}\\.doc\r\n[A-Z0-9]{8}\\.doc\r\n[a-z]{5,10}\\d{4,5}\\.doc\r\nDocument Passwords\r\nINV15\r\nDLW16\r\nReferences\r\n[1] https://en.wikipedia.org/wiki/Locard%27s_exchange_principle\r\n[2] https://attack.mitre.org/tactics/TA0005/\r\n[3] Harlan Carvey first applied the toolmark analogy to digital forensic investigations. https://windowsir.blogspot.com/2020/09/toolmarks.html\r\n[4] https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/\r\n[5] https://www.virustotal.com/gui/file/a1795221f72ee3105070f65a31243da63fdc010431ff47c50d065e891851af9a/detection\r\n[6] https://threatresearch.ext.hp.com/deobfuscating-ostap-trickbots-javascript-downloader/\r\n[7] ThaiCERT (2020) Threat Group Cards: A Threat Actor Encyclopedia. Available at: https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf (Accessed: 3 October 2020). p. 428.\r\n[8] https://www.cisecurity.org/white-papers/security-primer-trickbot/\r\n[9] Clark, Robert M. (2020) Intelligence Analysis: A Target-Centric Approach (6th ed.). Thousand Oaks: CQ Press. pp. 354-355.\r\n[10] https://support.virustotal.com/hc/en-us/articles/360001385897-File-search-modifiers\r\n[11] https://threatresearch.ext.hp.com/spot-the-difference-tracking-malware-campaigns-using-visually-similar-images/\r\n[12] https://threatresearch.ext.hp.com/buran-ransomware-targets-german-organisations-through-malicious-spam-campaign/\r\nSource: https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/"
	],
	"report_names": [
		"detecting-a-stealthy-trickbot-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434424,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cfd16c473b4cc2b2470b25db31729d8fb7ffdb7.pdf",
		"text": "https://archive.orkl.eu/2cfd16c473b4cc2b2470b25db31729d8fb7ffdb7.txt",
		"img": "https://archive.orkl.eu/2cfd16c473b4cc2b2470b25db31729d8fb7ffdb7.jpg"
	}
}