How To
Aug 25, 2021

Identify TrickBot Malware In 4 Simple Steps

In this blog post we will show you how to quickly identify TrickBot malware with a network pcap and Gigasheet in just a few clicks. If you don't already have one, you can create a Gigasheet account here.

Jump To Video

About TrickBot

TrickBot is a sophisticated malware with persistence capabilities and is often associated with follow-on ransomware infections. TrickBot usually uses email phishing or spam as the initial attack vector where the email holds an attached office document with malicious macros. The victim is lured into opening the document by disguising itself as a legitimate invoice, post card, financial report, or other document. In this blog we're using a file from malware-analysis.net.

Scenario

Let’s imagine that a colleague receives an email with an attached Excel document lure that looks like a legitimate invoice needing to be settled urgently. Your colleague opens the file, ignores the security warning, and clicks on the dialogue to enable macros.

Months ago, the head of IT gave a dreary presentation to the entire company about the company policy against enabling macros, but most people, including your colleague, chose to read emails during the presentation instead.

At this point your organization is at risk of a possible future ransomware infection or information security breach with consequences that could result in heavy financial loss and reputational damage.

Learn more about malware analysis with these recommended articles:

Process

Here we will show you how you can use Gigasheet to quickly find the answer of some key questions:

  • Has your network been infected with TrickBot malware?
  • Who is patient zero?
  • Who else has been infected?
  • What password data has been exfiltrated?

1. Upload your pcap to Gigasheet and open the file

big pcap? no prob

TrickBot PCAP Sample
Network PCAP CSV

2. Convert Unix timestamp to human readable format

Convert UNIX Time to UTC

Using the Functions (Fx) option for Cleanup Unix Time we'll create new column in UTC (optionally you can specify a time zone offset). Now we have a nicely formatted timestamp field and other interesting fields that we need for our analysis.

Parsed TrickBot PCAP

3. Filter for known TrickBot patterns

When a computer has been infected with TrickBot it usually sends an HTTP POST request on port 8082 exfiltrating data from that host. The URL often ends with “/90” and therefore we can use that as a filter in Gigasheet. We will open the filter panel and then add the new filter “WHERE INFO Contains /90” and hit apply.

Filter Big PCAPs

We can see that we actually have 4 frames that contain the string /90. If we click on one of them we can clearly see that we have infected hosts on our network.

PCAP Results

4. Extract information about patient zero and who else is infected

If we sort by timestamp and inspect the first POST request we can find out who is patient zero in this timeframe provided in the PCAP file.

Next we click a row to get a closer look at the HTTP.FILE_DATA field:

TrickBot PCAP Frame Details

Here we can derive the following information:

Patient Zero

Host Name: CAT-BOMB-W7-PC

IP: 10.5.28.229

User Name: phillip.ghent

Other infected users

Host Name: CAT-BOMB-W10-PC

User Name: timothy.sizemore

We can also find out if any password data has been exfiltrated. TrickBot is sending this data on a URL ending with /81. By applying the filter “WHERE INFO contains /81” and inspecting the HTTP.FILE_DATA field we can derive the following information:

Exfiltrated password data

User Name: phillip.ghent

Password: gh3ntf@st

Email pop3 connection string: pop3://mail.catbomber[.]net:995|phillip.ghent|gh3ntf@st

TrickBot Filters
TrickBot Infection Detail

Conclusion

Using Gigasheet we were able to quickly answer the following key questions:

Has your network been infected with TrickBot malware?

Yes

Who is patient zero?

Host Name: CAT-BOMB-W7-PC

IP: 10.5.28.229

User Name: phillip.ghent

Who else has been infected?

Host Name: CAT-BOMB-W10-PC

User Name: timothy.sizemore

What password data has been exfiltrated?

User Name: phillip.ghent

Password: gh3ntf@st

Email pop3 connection string: pop3://mail.catbomber.net:995|phillip.ghent|gh3ntf@st

As you can see we did this analysis in 4 simple steps with just a few clicks. If you haven’t already, go ahead and sign up for a Gigasheet beta account and try it out yourself on your network data!

The ease of a spreadsheet with the power of a database, at cloud scale.

No Code
No Database
No Training
Sign Up, Free

Similar posts

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.