Phishing emails carrying TrickBot spyware attack multiple states in the United States

Sep 11, 2019, by kate
Learn more about 360 Total Security

Recently, 360 Security Center detected a series of large-scale phishing email campaigns targeting the United States. According to 360 Security Center statistics, several states, including California, Maryland, Illinois, New York, Texas, Minnesota, and New Jersey, were hit by this cyber attack.

The attacker delivers phishing emails that deceive the victim into opening an attachment carrying malicious code; the final payload is the TrickBot spyware. TrickBot is highly modular: its operators push a variety of malicious modules to infected machines through cloud-based command and control, including worm modules among others.

Technical Analysis

This campaign still relies mainly on the delivery of phishing emails. Sensitive-sounding words such as “receipt” and “invoice” are used as bait to trick the user into opening the zip file attached to the email. The zip file contains the two files shown in the following figure:

The content of Attention.txt further urges the user to open the receipt and invoice:

ReceiptandInvoice is merely a shortcut file whose icon is disguised to look like an invoice. A VBS script is embedded at the end of the shortcut file. When the user opens the shortcut, the command in its target field runs, extracts the VBS script to the %tmp% directory as qqYEq.vbs, and executes it:
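The shortcut-with-appended-script trick described above can be spotted structurally. A Windows shortcut (Shell Link, the MS-SHLLINK format) has a fixed 76-byte header, optional link-target and link-info sections, a set of StringData fields (name, arguments, icon location and so on) and an ExtraData section that ends with a terminal block; anything after that terminal block is an overlay the shortcut itself never uses. The following Python is an added example, not code from the original article or from 360 Total Security. It walks the Shell Link structure, reports how many overlay bytes follow it, extracts the command-line arguments for review, and flags script markers in the overlay. The minimal shortcut it builds is constructed for the demonstration and is not the sample from this campaign.

```python
import struct

# Shell Link CLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Strings that rarely belong in a shortcut but do appear in VBS payloads
SCRIPT_MARKERS = (b"CreateObject", b"WScript", b"Execute(", b"vbscript")


def parse_lnk(data: bytes) -> dict:
    """Walk the Shell Link structure; return its end offset and StringData fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Shell Link file")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    strings = {}
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:                  # CountCharacters (2 bytes) then the characters
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            strings[name] = raw.decode("utf-16-le" if unicode else "cp1252")
            pos += count * width

    # ExtraData: BlockSize-prefixed blocks; a BlockSize below 4 is the terminal block
    while True:
        if pos + 4 > len(data):
            raise ValueError("truncated ExtraData section")
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    return {"end": pos, "strings": strings}


def inspect_lnk(data: bytes) -> dict:
    """Report overlay bytes after the structure and any script markers inside them."""
    info = parse_lnk(data)
    overlay = data[info["end"]:]
    markers = [m.decode() for m in SCRIPT_MARKERS if m in overlay]
    return {
        "overlay_size": len(overlay),
        "script_markers": markers,
        "arguments": info["strings"].get("arguments", ""),
        "suspicious": len(overlay) > 0 and bool(markers),
    }


def build_sample_lnk(overlay: bytes) -> bytes:
    """Constructed minimal shortcut (not a real sample): header, one Arguments
    string, the terminal ExtraData block, then the given overlay appended."""
    args = "/c echo constructed-sample"
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps etc. zeroed
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)
    return header + string_data + terminal_block + overlay


if __name__ == "__main__":
    print(inspect_lnk(build_sample_lnk(b"")))
    print(inspect_lnk(build_sample_lnk(b'Set sh = CreateObject("WScript.Shell")\r\n')))
```

Against real files, run `inspect_lnk(open(path, "rb").read())` over mail-gateway attachments: a shortcut with a non-zero overlay is already unusual, and one whose overlay contains script markers is worth quarantining regardless of what its icon claims to be.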

qqYEq.vbs is obfuscated. With the junk code stripped out, its main function is to download and execute the TrickBot spyware Trojan:

TrickBot uses a variety of code obfuscation techniques to hide the real malicious payload. It first decrypts the shellcode stored in its resources and loads it:

Part of the shellcode decrypts a deliberately malformed PE file, which is the TrickBot parent:

After running, it creates a scheduled task so that the malware starts automatically:
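Persistence through a scheduled task leaves an artifact that can be audited: every task is stored as XML in the Task Scheduler schema, and `schtasks /query /xml` exports it. The following Python is an added example, not code from the original article or from 360 Total Security, and the task it analyses is constructed for the demonstration (the `%APPDATA%\hypothetical\updater.exe` path is a placeholder, not an indicator from this campaign). It reviews a task definition for the traits a self-start task of this kind tends to share: an executable launched from a user-writable location, a logon trigger, and the hidden flag.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to; a scheduled task that launches
# from one of these deserves review. Matched after environment variables are expanded.
USER_WRITABLE = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I),
    re.compile(r"^c:\\users\\public\\", re.I),
    re.compile(r"^c:\\programdata\\", re.I),
    re.compile(r"^c:\\windows\\temp\\", re.I),
]

# Offline stand-ins for the variables; "someone" is a placeholder user name
ENV_ALIASES = {
    "%appdata%": r"c:\users\someone\appdata\roaming",
    "%localappdata%": r"c:\users\someone\appdata\local",
    "%temp%": r"c:\users\someone\appdata\local\temp",
    "%tmp%": r"c:\users\someone\appdata\local\temp",
    "%programdata%": r"c:\programdata",
}


def normalise_path(command: str) -> str:
    """Strip quotes and expand a leading environment variable so the path regexes apply."""
    cmd = command.strip().strip('"')
    low = cmd.lower()
    for var, path in ENV_ALIASES.items():
        if low.startswith(var):
            return path + cmd[len(var):]
    return cmd


def review_task(xml_text: str) -> dict:
    """Return the task's Exec commands and a list of findings about its persistence traits."""
    root = ET.fromstring(xml_text)
    findings = []
    commands = [c.text or "" for c in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]
    for command in commands:
        if any(p.search(normalise_path(command)) for p in USER_WRITABLE):
            findings.append(f"user-writable launch path: {command}")
    if root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        findings.append("runs at logon")
    hidden = root.find(".//t:Settings/t:Hidden", TASK_NS)
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        findings.append("hidden from the Task Scheduler UI")
    return {
        "commands": commands,
        "findings": findings,
        # the launch path alone is enough to escalate; the other traits add context
        "suspicious": any(f.startswith("user-writable") for f in findings),
    }


# Constructed task definitions in the real Task Scheduler XML schema (not exports from an incident)
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>%APPDATA%\\hypothetical\\updater.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\ExampleVendor\\backup.exe"</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, review_task(xml_text))
```

On a live host the same function can be applied to each file exported with `schtasks /query /xml`, or to the XML files under `C:\Windows\System32\Tasks`, to turn a one-off hunt into a routine check.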

TrickBot is highly extensible, and its authors push virus modules with various functions through cloud control:

Wormdll32 is a worm module that infects workstations or servers via the SMB protocol and the LDAP protocol. For infected workstations, the code logic is as follows:

Psfin32Dll queries the Active Directory Services (ADS) domain through LDAP statements. As the figure below shows, it searches for objects whose names contain strings such as POS, REG, CASH, LANE, STORE, RETAIL, BOH, ALOHA, MICROS, TERM, USERS, GROUPS, SITES, and OUs:
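The search terms listed above are themselves a detection opportunity: ordinary directory tooling rarely asks a domain controller for objects named like point-of-sale equipment, and a single client issuing several such searches in a row stands out. The following Python is an added example, not code from the original article or from 360 Total Security. It scores LDAP search filters per client against the retail-specific terms from the module while treating the generic ones (USERS, GROUPS, SITES, OUs) as context only. The log line format is constructed for the demonstration; in practice the filters would come from whatever source records them, such as the Directory Service log's event 1644 with Field Engineering diagnostics raised, or a network decode of LDAP traffic, and only the line parser would need adapting.

```python
import re
from collections import defaultdict

# Terms the module searches for; retail ones are weighted, generic ones are recorded only
RETAIL_TERMS = {"POS", "REG", "CASH", "LANE", "STORE", "RETAIL", "BOH", "ALOHA", "MICROS", "TERM"}
GENERIC_TERMS = {"USERS", "GROUPS", "SITES", "OUS"}

# Constructed log format: timestamp, client address, search base, raw filter
LOG_LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) base=(?P<base>\S+) filter=(?P<filter>.+)$")
# One (attribute=value) assertion inside an LDAP filter; values may carry * wildcards
ASSERTION = re.compile(r"\(\s*[\w.-]+\s*=\s*([^()]+)\)")


def terms_in_filter(ldap_filter: str) -> set:
    """Return the module's search terms that appear as assertion values in the filter."""
    found = set()
    for value in ASSERTION.findall(ldap_filter):
        token = value.strip().strip("*").upper()
        if token in RETAIL_TERMS or token in GENERIC_TERMS:
            found.add(token)
    return found


def score_clients(log_lines, threshold: int = 3) -> dict:
    """Map each client to the sorted retail terms it searched for, if at least
    `threshold` distinct retail terms were seen from that client."""
    per_client = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the whole batch
        per_client[m["client"]] |= terms_in_filter(m["filter"])
    alerts = {}
    for client, terms in per_client.items():
        retail = terms & RETAIL_TERMS
        if len(retail) >= threshold:
            alerts[client] = sorted(retail)
    return alerts


# Constructed sample lines: one client sweeping retail terms, one doing normal lookups
SAMPLE_LOG = [
    "2019-09-10T08:12:01Z client=10.0.5.23 base=DC=corp,DC=example filter=(&(objectCategory=computer)(name=*POS*))",
    "2019-09-10T08:12:01Z client=10.0.5.23 base=DC=corp,DC=example filter=(&(objectCategory=computer)(name=*REG*))",
    "2019-09-10T08:12:02Z client=10.0.5.23 base=DC=corp,DC=example filter=(&(objectCategory=computer)(name=*LANE*))",
    "2019-09-10T08:12:02Z client=10.0.5.23 base=DC=corp,DC=example filter=(&(objectCategory=computer)(name=*CASH*))",
    "2019-09-10T08:12:03Z client=10.0.5.23 base=DC=corp,DC=example filter=(&(objectClass=organizationalUnit)(ou=*USERS*))",
    "2019-09-10T08:12:05Z client=10.0.9.8 base=DC=corp,DC=example filter=(sAMAccountName=jdoe)",
    "2019-09-10T08:12:06Z client=10.0.9.8 base=DC=corp,DC=example filter=(&(objectClass=group)(cn=*STORE*))",
]

if __name__ == "__main__":
    print(score_clients(SAMPLE_LOG))
```

The threshold is per batch, so feed the function a time window (for example the last few minutes of filters) rather than a whole day, otherwise legitimate inventory scripts that touch one retail term each accumulate into false positives.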

network32Dll collects information about the current network:

Security advice:

(1) Do not open emails of unknown origin. Submit such emails to the security department for investigation and open them only after they have been confirmed safe.

(2) For files whose safety is unknown, do not click the “Enable Macro” button, to prevent macro virus intrusion.

(3) Install system patches promptly to fix system vulnerabilities.

(4) 360 Total Security can detect and intercept such attacks in time; users are recommended to install it and run a full scan.
