In this blog post we will show you how to quickly identify TrickBot malware with a network pcap and Gigasheet in just a few clicks. If you don't already have one, you can create a Gigasheet account here.
TrickBot is a sophisticated malware with persistence capabilities and is often associated with follow-on ransomware infections. TrickBot usually uses email phishing or spam as the initial attack vector, where the email carries an attached Office document with malicious macros. The document is disguised as a legitimate invoice, postcard, financial report, or other document to lure the victim into opening it. In this blog we're using a file from malware-analysis.net.
Let’s imagine that a colleague receives an email with an attached Excel document lure that looks like a legitimate invoice needing to be settled urgently. Your colleague opens the file, ignores the security warning, and clicks on the dialogue to enable macros.
Months ago, the head of IT gave a dreary presentation to the entire company about the company policy against enabling macros, but most people, including your colleague, chose to read emails during the presentation instead.
At this point your organization is at risk of a possible future ransomware infection or information security breach with consequences that could result in heavy financial loss and reputational damage.
Here we will show you how you can use Gigasheet to quickly find the answers to some key questions:
Using the Functions (Fx) option for Cleanup Unix Time we'll create a new column in UTC (optionally you can specify a time zone offset). Now we have a nicely formatted timestamp field and the other interesting fields that we need for our analysis.
When a computer has been infected with TrickBot it usually sends an HTTP POST request on port 8082 exfiltrating data from that host. The URL often ends with “/90” and therefore we can use that as a filter in Gigasheet. We will open the filter panel and then add the new filter “WHERE INFO Contains /90” and hit apply.
We can see that we actually have 4 frames that contain the string /90. If we click on one of them we can clearly see that we have infected hosts on our network.
If we sort by timestamp and inspect the first POST request we can find out who is patient zero within the timeframe covered by the PCAP file.
Next we click a row to get a closer look at the HTTP.FILE_DATA field:
Here we can derive the following information:
Patient Zero
Host Name: CAT-BOMB-W7-PC
IP: 10.5.28.229
User Name: phillip.ghent
Other infected users
Host Name: CAT-BOMB-W10-PC
User Name: timothy.sizemore
We can also find out if any password data has been exfiltrated. TrickBot sends this data to a URL ending with /81. By applying the filter “WHERE INFO contains /81” and inspecting the HTTP.FILE_DATA field we can derive the following information:
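The same triage, as an added example that is not Gigasheet's or the original post's code: it runs over HTTP request records exported from the pcap (for example with tshark -T json), using tshark's display-filter field names and constructed sample records whose beacon bodies use a simplified key=value format rather than the real TrickBot format; the W10 host's IP is an assumed placeholder.

```python
# Added example: programmatic version of the /90 and /81 filter triage described
# above. Records and beacon bodies are constructed sample data, not real captures.
from datetime import datetime, timezone

# Constructed sample records. "http.file_data" uses a simplified key=value body,
# NOT the real TrickBot beacon format; the W10 host's IP is a placeholder.
FRAMES = [
    {"frame.time_epoch": 1585000100.0, "ip.src": "10.5.28.229", "tcp.dstport": 80,
     "http.request.method": "GET", "http.request.uri": "/index.html", "http.file_data": ""},
    {"frame.time_epoch": 1585000120.0, "ip.src": "10.5.28.229", "tcp.dstport": 8082,
     "http.request.method": "POST", "http.request.uri": "/tag1/CAT-BOMB-W7-PC/90",
     "http.file_data": "host=CAT-BOMB-W7-PC&user=phillip.ghent"},
    {"frame.time_epoch": 1585000130.0, "ip.src": "10.5.28.229", "tcp.dstport": 8082,
     "http.request.method": "POST", "http.request.uri": "/tag1/CAT-BOMB-W7-PC/81",
     "http.file_data": "user=phillip.ghent&pass=gh3ntf@st&pop3=pop3://mail.catbomber[.]net:995"},
    {"frame.time_epoch": 1585000300.0, "ip.src": "10.5.28.230", "tcp.dstport": 8082,
     "http.request.method": "POST", "http.request.uri": "/tag1/CAT-BOMB-W10-PC/90",
     "http.file_data": "host=CAT-BOMB-W10-PC&user=timothy.sizemore"},
    {"frame.time_epoch": 1585000400.0, "ip.src": "10.5.28.229", "tcp.dstport": 443,
     "http.request.method": "POST", "http.request.uri": "/api/v1/orders/90", "http.file_data": "x=1"},
]

def is_trickbot_post(frame, module):
    """POST to port 8082 whose URI ends with /<module>: 90 = host info, 81 = credentials."""
    return (frame.get("http.request.method") == "POST"
            and frame.get("tcp.dstport") == 8082
            and frame.get("http.request.uri", "").endswith("/" + module))

def parse_body(body):
    """Split the simplified key=value&key=value beacon body into a dict."""
    return dict(kv.split("=", 1) for kv in body.split("&") if "=" in kv)

def triage(frames):
    """Answer the post's questions: infected?, patient zero, other hosts, exfiltrated credentials."""
    beacons = sorted((f for f in frames if is_trickbot_post(f, "90")),
                     key=lambda f: f["frame.time_epoch"])
    if not beacons:
        return {"infected": False}
    hosts = {}
    for f in beacons:  # earliest beacon first, so the first host seen is patient zero
        body = parse_body(f["http.file_data"])
        hosts.setdefault(body["host"], {"ip": f["ip.src"], "users": set()})["users"].add(body["user"])
    first, first_body = beacons[0], parse_body(beacons[0]["http.file_data"])
    patient_zero = {"host": first_body["host"], "ip": first["ip.src"], "user": first_body["user"],
                    "time_utc": datetime.fromtimestamp(first["frame.time_epoch"], timezone.utc).isoformat()}
    creds = [parse_body(f["http.file_data"]) for f in frames if is_trickbot_post(f, "81")]
    return {"infected": True, "patient_zero": patient_zero, "hosts": hosts, "credentials": creds}
```

The port check matters: the decoy POST to port 443 also has a URI ending in /90 and is correctly ignored.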
Exfiltrated password data
User Name: phillip.ghent
Password: gh3ntf@st
Email pop3 connection string: pop3://mail.catbomber[.]net:995|phillip.ghent|gh3ntf@st
Using Gigasheet we were able to quickly answer the following key questions:
Has your network been infected with TrickBot malware?
Yes
Who is patient zero?
Host Name: CAT-BOMB-W7-PC
IP: 10.5.28.229
User Name: phillip.ghent
Who else has been infected?
Host Name: CAT-BOMB-W10-PC
User Name: timothy.sizemore
What password data has been exfiltrated?
User Name: phillip.ghent
Password: gh3ntf@st
Email pop3 connection string: pop3://mail.catbomber[.]net:995|phillip.ghent|gh3ntf@st
As you can see we did this analysis in 4 simple steps with just a few clicks. If you haven’t already, go ahead and sign up for a Gigasheet beta account and try it out yourself on your network data!