
Looking at the current Trickbot campaign, I found some interesting stuff. Look at the image above: this is a copy of the Trickbot executable that the malware reaches out to after execution.
Using Onion TLDs:
As you can see here, it is using a .onion address (a Tor hidden service, so the bot needs Tor reachability to fetch it) to get the pwgrab64 password-grabber module:
0x13ee8190f40 (222): http://lbw3dmfh56suk6fv.onion:448/wecan5/DESKTOP-XXXXX/5/pwgrab64/
And then the usual clearnet C2: plain HTTP to bare IP addresses on ports 443 and 8082, with the same /wecan5/<hostname>/<command>/ path layout:
0xacc6c7f7a0 (92): http://93.95.97.44:443/wecan5/DESKTOP-.XXXX/81/
0x1d86e511ed0 (194): http://170.238.117.187:8082/wecan5/DESKTOP-XXXX/81/
Other live Trickbot images (served as .png files) that this sample can download at the time of publication:
hxxp://66.85.173[.]6/images/lastimg.png
hxxp://66.85.173[.]6:80/images/mini.png
The complete list of C2s for this campaign is now available at the Malienist TrickBot Tracker.
Happy Holidays!