Trickbot Gets Trickier by Adding an Encryption Layer
- by nlqip
Figure 4: Dynamically resolving Windows API functions
In conclusion, sometimes changes, even minor ones such as this one, are enough to break a working automation process, and they require some time to investigate. That’s how the malware’s authors gain precious time to defraud unsuspecting victims before security vendors can denylist their servers.
As a reminder, Trickbot consistently uses email spam and phishing campaigns as its initial access vector, so it is imperative that organizations train users to recognize potentially faked emails and not to open suspicious attachments or click on questionable embedded links. A web application firewall can also help your organization detect and mitigate banking trojans.
MD5: 06ac8be899d6deb26401417ce0d54389
Appendix
Python script to automate the decryption process:
import struct

def decrypt_first_stage(in_file, out_file):
    # Layout of the encrypted resource as recovered above: a 4-byte
    # little-endian XOR key, a 4-byte little-endian end offset, then
    # 4-byte words. Each word is XORed with the key and the key is
    # decremented after every word.
    with open(in_file, 'rb') as f:
        encrypted_data = f.read()
    key = struct.unpack('<I', encrypted_data[:4])[0]
    size = struct.unpack('<I', encrypted_data[4:8])[0]
    res = bytearray()
    for i in range(8, size, 4):
        word = struct.unpack('<I', encrypted_data[i:i+4])[0]
        # Pack back little-endian so the output keeps the original byte order
        res += struct.pack('<I', word ^ key)
        # Keep the key inside 32 bits so it wraps like the DWORD in the binary
        key = (key - 1) & 0xFFFFFFFF
    # Write raw bytes; text mode would mangle values above 0x7F
    with open(out_file, 'wb') as f:
        f.write(bytes(res))
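Only the MD5 of the sample is listed, so an analyst who wants to check the decryptor before running it on a real resource needs something to feed it. The following is an added example, not code from the original post: it reconstructs the encryption side from the appendix script (4-byte key, 4-byte end offset, per-word XOR with a decrementing key) and round-trips a constructed payload through an in-memory version of the decryptor. The encrypt routine, the reading of the size field as an absolute end offset, the zero padding, the key of 1 that forces the 32-bit wrap-around, and the sample bytes are all assumptions derived from the script, not from analysis of the binary.

```python
import struct

# Constructed test payload (not taken from the real sample): an MZ stub
# followed by filler text, 40 bytes, so it is already word-aligned.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"This is a constructed test payload!!"


def encrypt_first_stage_bytes(payload: bytes, key: int) -> bytes:
    """Assumed inverse of the appendix decryptor.

    Header: 4-byte LE XOR key, 4-byte LE end offset (8 + payload length),
    then every 4-byte word XORed with a key that is decremented per word.
    The payload is zero-padded to a multiple of 4 so every word is whole.
    """
    if len(payload) % 4:
        payload += b"\x00" * (4 - len(payload) % 4)
    size = 8 + len(payload)
    k = key & 0xFFFFFFFF
    out = bytearray(struct.pack('<II', k, size))
    for off in range(0, len(payload), 4):
        word = struct.unpack('<I', payload[off:off + 4])[0]
        out += struct.pack('<I', word ^ k)
        # Mirror the DWORD decrement, including wrap from 0 to 0xFFFFFFFF
        k = (k - 1) & 0xFFFFFFFF
    return bytes(out)


def decrypt_first_stage_bytes(blob: bytes) -> bytes:
    """Same algorithm as the appendix script, on an in-memory buffer.

    Rejects headers whose size field does not fit the buffer instead of
    letting struct.unpack fail part-way through.
    """
    key, size = struct.unpack('<II', blob[:8])
    if size < 8 or size > len(blob) or (size - 8) % 4:
        raise ValueError("header size field inconsistent with buffer")
    out = bytearray()
    for off in range(8, size, 4):
        word = struct.unpack('<I', blob[off:off + 4])[0]
        out += struct.pack('<I', word ^ key)
        key = (key - 1) & 0xFFFFFFFF
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Quick sanity check on decryptor output: an unpacked stage should
    start with the MZ signature."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    # Key of 1 makes the key hit 0 and wrap on the third word.
    blob = encrypt_first_stage_bytes(SAMPLE_PAYLOAD, 1)
    plain = decrypt_first_stage_bytes(blob)
    print("round trip ok:", plain == SAMPLE_PAYLOAD, "MZ:", looks_like_pe(plain))
```

A convenient way to use this is to run the real decryptor from the appendix on the resource, then apply `looks_like_pe` to the output: if the first two bytes are not MZ, the header layout or the size interpretation has changed again and the script needs another look.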