# Latest Trickbot Campaign Delivered via Highly Obfuscated JS File

Posted on: August 5, 2019 at 5:03 am. Posted in: Malware, Spam. Author: Trend Micro

**_by Noel Anthony Llimos and Michael Jhon Ofiaza (Threats Analysts)_**

We have been tracking Trickbot banking trojan activity and recently discovered a variant of the malware (detected by Trend Micro as [TrojanSpy.Win32.TRICKBOT.TIGOCDC](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TrojanSpy.Win32.TRICKBOT.TIGOCDC)) distributed via spam emails that contain a Microsoft Word document with macros enabled. Once the document is opened, it drops a heavily obfuscated JavaScript (JS) file that downloads Trickbot as its payload. This malware also checks the environment it runs in. Aside from its information theft capabilities, it also deletes files with particular extensions located on removable and network drives, after which the files are replaced with a copy of the malware. Based on our telemetry, this Trickbot campaign has affected the United States the most. It has also distributed spam to China, Canada, and India.

_Figure 1. Infection chain_

In a sample email, the spam purports to be a subscription notification involving advertising providers, even telling the user that it submitted an application for a three-year subscription and settled a sum of money with the sender. The mail then explains that several more fees will be charged to the user's card in the coming transactions. It ends by prompting the user to see the attached document for all the settlement and subscription information. The document in question contains the malicious script.

The distributed Word document presents the user with the following notification (see Figure 2), which states that the content can be viewed by enabling macro content. It is worth noting that the document hides the JS script in the document itself and not in the macro. It does this by disguising the script using the same font color as the document background.

_Figure 2. Document asking users to enable macro_

The script is obfuscated and contains different functions. In order to decrypt a function, it uses another function that converts it to a single character.

_Figure 3. Function for decryption_

Upon successfully deobfuscating the file, we were able to analyze it and observed some interesting behaviors. Upon execution, it displays a fake Microsoft error message that pops up after the macro is enabled, in order to trick the user. In reality, the JS file is already running in the background.

_Figure 4. Fake Microsoft error_

For persistence, the malware creates a copy of itself in the Startup folder as Shell.jse. The JS file also checks running processes. What is particularly notable is the malware's anti-analysis or evasion characteristic: it checks the total number of running processes on the victim's machine and will not proceed with its execution if there are not enough processes running.
If the string listing the running processes is under 1,400 characters long, the malware takes this as an indicator that it is running in a virtual or sandbox environment. It will also check for the existence of processes usually used for analysis. Aside from these, the malware inspects whether the environment it runs in is associated with specific usernames.

_Figure 5. A snippet of checked processes and usernames_

_Figure 6. Code error shown if anything matches the check_

The processes the malware checks for:

- AgentSimulator.exe
- B.exe
- BehaviorDumper
- BennyDB.exe
- ctfmon.exe
- DFLocker64
- FrzState2k
- qemu-ga.exe
- iexplore.exe
- ImmunityDebugger
- LOGSystem.Agent.Service.exe
- lordPE.exe
- ProcessHacker
- procexp
- Procmon
- PROCMON
- Proxifier.exe
- tcpdump
- VBoxService
- VBoxTray.exe
- vmtoolsd
- vmware
- VzService.exe
- windanr.exe
- Wireshark

Upon further analysis, we also compiled the usernames the malware checks for, based on the following strings:

- Emily
- HAPUBWS
- Hong Lee
- Johnson
- milozs
- Peter Wilson
- SystemIT | admin
- VmRemoteGuest
- WIN7-TRAPS

For its payload, the malware connects to the URL hxxps://185[.]159[.]82[.]15/hollyhole/c644[.]php and then checks the file to be downloaded. If it is an executable file, it saves the file to %Temp% as {random}.exe and executes it afterwards. If the file is not an executable, it saves it as {random}.cro in the same folder. The .cro file is then decoded using certutil.exe, saved as {random}.exe in the same directory, and executed. Upon further research, we discovered that the downloaded .exe file is a variant of the Trickbot malware.

_Figure 7. The file is saved, random names get generated, and the .cro file is decoded using certutil.exe_

Aside from stealing system information such as OS, CPU, and memory information; user accounts; installed programs and services; IP configuration; and network information (configuration, users, and domain settings), this Trickbot variant also gathers the following credentials and information from applications and internet browsers.

Application credentials:

- Filezilla
- Microsoft Outlook
- PuTTy
- Remote Desktop (RDP)
- VNC
- WinSCP

Browser credentials and information (Google Chrome, Internet Explorer, Microsoft Edge, and Mozilla Firefox):

- Autofills
- Billing info data
- Browsing history
- Credit card data
- HTTP POST responses
- Internet cookies
- Usernames and passwords

This malware also uses a point-of-sale (PoS) extraction module called psfin32, which identifies PoS-related terms located in the domain of interest. The [module uses LDAP queries to search for PoS information](https://blog.trendmicro.com/trendlabs-security-intelligence/trickbots-bigger-bag-of-tricks/) on machines with the following substrings:

- `*ALOHA*`
- `*BOH*`
- `*CASH*`
- `*LANE*`
- `*MICROS*`
- `*POS*`
- `*REG*`
- `*RETAIL*`
- `*STORE*`
- `*TERM*`

The variant also appears to drop shadnewdll, a proxy module that intercepts and modifies web traffic on an affected device to create fraudulent bank transactions over the network. Additionally, according to security researcher Brad Duncan, the module [shares similarities with the banking trojan IcedID](https://www.bleepingcomputer.com/news/security/trickbot-trojan-gets-icedid-proxy-module-to-steal-banking-info/), which redirects victims to fake online banking sites or attaches to a browser process to inject fake content in phishing schemes.

In cases where the malware fails to connect, it searches removable and network drives for files with the following extensions:

- .xls
- .pdf
- .rtf
- .txt
- .pub
- .odt
- .ods
- .odp
- .odm
- .odc
- .odb

Files with the aforementioned extensions are saved in the %Temp% folder as ascii.txt. The files are then all deleted and replaced with a copy of the malware with the extension .jse (which is actually a JS file).

_Figure 8. Scanning for files and replacing them with a copy of itself_

### Defending Against Trickbot: Trend Micro Recommendations and Solutions

The information-stealing malware Trickbot has become a cybercriminal mainstay for infecting machines and compromising emails, and has been used to [reportedly steal more than 250 million accounts](https://www.engadget.com/2019/07/12/trickbot-malware-trickbooster-250-million-email-accounts/). This new development shows how cybercriminals can constantly tweak an existing banking trojan to add new capabilities. Users, however, can prevent these attacks by simply following [best practices against spam](https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/infosec-guide-email-threats). Aside from awareness of the telltale signs of a spam email, such as a suspicious sender address and glaring grammatical errors, we also recommend that users refrain from opening email attachments from unverified sources.

Users and enterprises can also benefit from protection that uses a multilayered approach against the risks brought by threats like Trickbot. We recommend employing [endpoint application control](http://www.trendmicro.com/us/enterprise/product-security/endpoint-application-control/), which reduces attack exposure by ensuring that only files, documents, and updates associated with whitelisted applications and sites can be installed, downloaded, and viewed. [Endpoint solutions](https://www.trendmicro.com/en_us/forHome/products.html) powered by [XGen™ security](http://go.trendmicro.com/sem/sem/www.trendmicro.com/us/business/xgen/index.html), such as Trend Micro™ Security and [Trend Micro Network Defense](https://www.trendmicro.com/en_us/business/products/network.html?utm_campaign=VURL:www.trendmicro.com&utm_medium=VURL&utm_source=/us/business/cyber-security/index.html), can detect related malicious files and URLs and protect users' systems.
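The dropper behaviours described in this analysis (the .cro file decoded with certutil.exe into a random-named .exe in %Temp%, the Shell.jse persistence copy in the Startup folder, and the connection to the payload URL) can be turned into host-side detections. The following Python is an added example and not code from this post or from Trend Micro; its event field names (`type`, `cmdline`, `dest`) and the sample telemetry are assumptions constructed for the example.

```python
"""Added example: checks derived from the dropper behaviours described in the post,
run over constructed process-creation and network events."""
import re

# Payload host from the post's IoC table (defanged there as 185[.]159[.]82[.]15).
C2_HOST = "185.159.82.15"

# Each rule: (name, event type it applies to, pattern applied to the checked field).
RULES = [
    # .cro payload decoded with certutil.exe into an .exe in the same folder
    ("certutil_decode_cro", "process",
     re.compile(r"certutil(?:\.exe)?\b.*\s-decode\s+.*\.cro\b", re.I)),
    # persistence copy of the JS dropper as Shell.jse in the Startup folder
    ("startup_shell_jse", "process",
     re.compile(r"\\Startup\\Shell\.jse\b", re.I)),
    # outbound connection to the payload host
    ("trickbot_payload_host", "network",
     re.compile(re.escape(C2_HOST))),
]


def inspect_event(event):
    """Return the names of the rules an event trips.

    event: dict with 'type' ('process' or 'network') plus 'cmdline' for process
    events or 'dest' ('host:port') for network events. These field names are an
    assumption of this example, not a particular sensor's schema.
    """
    field = event.get("cmdline", "") if event["type"] == "process" else event.get("dest", "")
    return [name for name, etype, pat in RULES
            if etype == event["type"] and pat.search(field)]


def scan(events):
    """Map event index -> rule names for every event that matched at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        names = inspect_event(ev)
        if names:
            hits[i] = names
    return hits


# Constructed sample telemetry; user name, paths and random file names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"certutil -decode C:\Users\u\AppData\Local\Temp\k9x2.cro C:\Users\u\AppData\Local\Temp\k9x2.exe"},
    {"type": "process", "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shell.jse"'},
    {"type": "network", "dest": "185.159.82.15:443"},
    {"type": "process", "cmdline": r"certutil -hashfile C:\tools\setup.msi SHA256"},  # benign admin use
    {"type": "network", "dest": "93.184.216.34:443"},  # unrelated destination
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(idx, names)
```

The first rule keys on the .cro extension rather than on certutil -decode alone, since decoding with certutil has legitimate administrative uses.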
[Trend Micro™ Smart Protection Suites](https://www.trendmicro.com/us/business/complete-user-protection/index.html) and [Trend Micro Worry-Free™ Business Security](https://www.trendmicro.com/en_us/small-business/worry-free.html), which have [behavior monitoring capabilities](https://success.trendmicro.com/solution/1122593-configuring-behavior-monitoring-settings-in-apex-one), can additionally protect from these types of threats by detecting malicious files such as the document and JS file involved in this campaign, as well as blocking all related malicious URLs. The [Trend Micro Deep Discovery Inspector](https://www.trendmicro.com/en_us/business/products/network/advanced-threat-protection/inspector.html) protects customers from threats that may lead to C&C connection and data exfiltration via these DDI rules:

- 1645: Possible Self-Signed SSL certificate detected
- 2780: TRICKBOT – HTTP (Request)

### Indicators of Compromise (IoCs)

Detection names for the files involved in this campaign:

- Trickbot payload: TrojanSpy.Win32.TRICKBOT.TIGOCDC (machine learning detection: TROJ.Win32.TRX.XXPE50FFF031)
- Document files: Trojan.W97M.JASCREX.A, Trojan.W97M.JASCREX.AB, Trojan.W97M.JASCREX.AC, Trojan.W97M.JASCREX.AD (machine learning detection: Downloader.VBA.TRX.XXVBAF01FF004)
- Dropped JS file (with .dat extension): TrojanSpy.JS.NEMUCOD.BONINGH
- Spam email
- Malicious URL: hxxps://185[.]159[.]82[.]15/hollyhole/c644[.]php

**_Check Point Research also [tweeted about this campaign last July](https://twitter.com/_CPResearch_/status/1151900514612908033)._**