Like many malware researchers, I use the fantastic tools developed by @hasherezade to help decode the configuration files of Trickbot to see what the current collection of URLs in the DINJ file is targeting.
|DINJ file breakdown (04MAR2020 by @GarWarner)|
In the file I used for this analysis, updated from the Command & Control on 04MAR2020, there were 84 “igroups” containing 329 URL patterns, targeting 131 named domains.
In the current DINJ file, the most common target is Japanese banks and financial institutions. Each of the 41 URLs below was for a Japanese organization:
US Banks were second in popularity
Followed by German Banks
Some of the other targets were especially interesting to me.
Ameritrade.com, eTrade.com, Schwab.com
The Big Retails:
Amazon.com, BestBuy.com, CostCo.com, eBay.com, Grainger.com, SamsClub.com
The CryptoCurrency Exchanges/Companies:
Binance.com, BitFinex.com, BitStamp.com, Blockchain.com, CoinBase.com, CoinMarketCap.com, CryptoCompare.com, DogeChain.info, Kraken.com, Paxful.com
And two Payroll companies, which may be especially interesting as we are in Tax Season in the USA. Curiously these two are both part of the same “igroup”:
ADP.com and Paychex.com
Especially since they are targeting ADMINISTRATORS of those Payroll systems, based on the strings I’m seeing:
If you are curious to see more of the current DINJ file, I’ve shared it as a PasteBin file here:
URL Patterns in Trickbot DINJ
Some patterns do not identify a domain, such as the pattern “https://.*.de/privatkunden/*” (which says “we don’t care which German bank we’re looking for, but if they have a URL that includes ‘private customers’, go ahead and grab stuff from there”). The pie chart above only maps organizations where a full domain was identified.
Remember that the default is GRAB EVERYTHING, but URLs with specific strings on a site will be sent back to the criminals “tagged for action”, making it easier for them to harvest and take action on those pages. Here’s an example of URLs related to NavyFederal:
So, while there may be many other places on the NavyFederal website that request user interaction, three particular URL patterns are targeted for prioritized collection. The “s=” number tells which iGroup the URL belongs to (all of the URLs in 1535723065134935 belong to Navy Federal), and the “id=” tells what sub-URL the visitor was on when they submitted this particular data.
In this iGroup for NorisBank, there are three specific patterns that each extract data to a particular location, so when the generic pattern “*norisbank.de*” is used, it instructs the bot not to include those sub-URLs that have already been captured separately.
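To make the bookkeeping in the preceding paragraphs concrete, here is an added Python example; it is not code from the original post and does not implement the real DINJ file layout. It reads a constructed, simplified igroup/pattern listing, separates patterns that name a domain from wildcard-only ones like the “.*.de” case, produces the igroup/pattern/named-domain counts of the kind reported above, and resolves the “s=” value of a captured URL back to the igroup it belongs to. The config layout, the names `parse_config`, `named_domain`, `summarise` and `group_for_exfil`, the `c2.example` host and every group id other than 1535723065134935 are assumptions made for the example.

```python
"""Summarise a web-inject target list of the kind described above.

Added example, not from the original post.  The config format below is a
constructed, simplified stand-in for a decoded DINJ file: an "igroup" line
followed by the URL patterns that group covers.  The grouping and counting
logic is the point; the real file layout is different.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample.  Group id 1535723065134935 is the Navy Federal group
# mentioned in the post; the other ids and most patterns are made up.
SAMPLE_CONFIG = """
igroup 1535723065134935
  https://*.navyfederal.org/*
  https://*.navyfederal.org/signin/*
igroup 2001
  https://.*.de/privatkunden/*
igroup 2002
  *norisbank.de*
  https://*.norisbank.de/login/*
igroup 2003
  https://www.schwab.com/*
  https://client.schwab.com/*
"""


def parse_config(text):
    """Return {igroup_id: [pattern, ...]} from the simplified format."""
    groups = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("igroup "):
            current = line.split(None, 1)[1]
        elif current is not None:
            groups[current].append(line)
    return dict(groups)


def named_domain(pattern):
    """Extract a registrable-looking domain from a pattern, or None.

    Wildcard-only hosts such as '.*.de' (any German site) yield None, which
    is how the post separates patterns that name an organization from those
    that do not.  The last two labels are used, so 'co.uk'-style suffixes
    would need a public-suffix list in real use.
    """
    p = re.sub(r"^[a-z]+://", "", pattern.strip(), flags=re.I)  # drop scheme
    host = p.split("/", 1)[0]                                   # keep host part
    labels = [lbl.strip("*") for lbl in host.split(".")]        # remove wildcards
    labels = [lbl for lbl in labels if lbl]
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:]).lower()


def summarise(groups):
    """Counts in the style of the post: igroups, patterns, named domains."""
    domains = Counter()
    unnamed = []
    for gid, patterns in groups.items():
        for pat in patterns:
            d = named_domain(pat)
            if d is None:
                unnamed.append((gid, pat))
            else:
                domains[d] += 1
    return {
        "igroups": len(groups),
        "patterns": sum(len(p) for p in groups.values()),
        "named_domains": len(domains),
        "domain_pattern_counts": dict(domains),
        "unnamed_patterns": unnamed,
    }


def group_for_exfil(url, groups):
    """Map the 's=' value of a captured URL back to its igroup's targets.

    The post says 's=' carries the igroup id and 'id=' the sub-URL; this
    helper resolves only 's=' and passes 'id=' through unchanged.
    """
    qs = parse_qs(urlsplit(url).query)
    gid = qs.get("s", [None])[0]
    sub = qs.get("id", [None])[0]
    targets = sorted({named_domain(p) for p in groups.get(gid, [])} - {None})
    return {"igroup": gid, "id": sub, "targets": targets}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(summarise(cfg))
    # Constructed example of a tagged URL; the host is a placeholder.
    print(group_for_exfil("http://c2.example/post?s=1535723065134935&id=2", cfg))
```

Running the block prints a summary of 4 igroups, 7 patterns and 3 named domains, with the “.*.de” pattern listed as unnamed, and resolves the sample tagged URL to the Navy Federal group. The same `named_domain` rule is what decides whether a pattern lands in a per-organization chart or in the “no domain identified” bucket.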
A Bit of Spam Context
As everyone probably knows by now, the top spamming botnet since the death of Kelihos has been Emotet. Emotet is involved in the distribution of several banking trojans, including TrickBot which is known to be the main source of Ryuk ransomware infections, and Qbot, which often leads to MegaCortex ransomware, and even Dridex, which sometimes leads to BitPaymer ransomware.
There are many great Emotet/Trickbot researchers out there, especially the @Cryptolaemus research group, which shares Emotet Indicators of Compromise regularly, and @pollo290987, who shared this graphic on his Twitter feed:
Trickbot is ALSO distributed by other sources, which Crowdstrike does a great job of illustrating in this diagram that maps out the relationships between spambots and malware payloads:
|CrowdStrike Actor Labels for Emotet => Trickbot => Ryuk etc.|
In the CrowdStrike worldview, “Mummy Spider” is the actor(s) behind Emotet, who serves his customer “Wizard Spider” by delivering Trickbot for him/them. Post infection with Trickbot, Wizard Spider may choose to infect with Ryuk ransomware. Per CrowdStrike, Lunar Spider (the operator of BokBot, AKA IcedID) and Scully Spider (the operator of DanaBot) are also occasionally used to distribute Trickbot. But mostly, it’s Emotet.
*** This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time authored by Gary Warner, UAB. Read the original post at: http://garwarner.blogspot.com/2020/03/what-sites-is-trickbot-targeting.html