TrickBot malware develops new email infection [TrickBooster]

A recent report from cyber security company Deep Instinct has revealed that the Trickbot malware has returned with a new variant, ‘TrickBooster’ which attacks individual’s email accounts.

TrickBot, a piece of malware circulating since 2016, was designed to access online accounts with the goal of obtaining Personally Identifiable Information (PII) which can be used to facilitate identity fraud. 

The new TrickBooster variant of the infection, according to the Deep Instinct report, ‘harvests email credentials and contacts from a victim’s address book, inbox, outbox, it can send out malicious spam emails from the victim’s compromised account, and finally, can delete the sent messages from both outbox and the trash folder, so as to remain hidden from the user’.

TrickBooster has reportedly infected 250 million individual’s email accounts, including those linked with major email providers.

The offending certificates have now been revoked by DigiCert/Thawte.

Indicators of compromise (IOCs)

Shared Certificate Details

  • Shared Cert 1
    • Cert SHA1: 5DE6E48A350F60CE11D9D3AC437BE8CCBC3D415C
    • Issued to: https://beta.companieshouse.gov.uk/company/08306316
    • TrickBot signed sample (SHA256): 3f651b525ceaa941c143b2adc3244b3d4b9af299ad09beea345867258dfbf5e7
    • TrickBooster signed sample (SHA256): 620020a21c8074d689e80fc1ae29acf8c34d3481ed380f20ad445b88a7bf442e
  • Shared Cert 2

33eed709eb06f57d371fa97097f821858ad4143900c7aa4c302ce190d51370ff

dcaa278d0dbbd0b068615aeef5a87db1cbe664a6f51c5e9cc6a09fe354990fa6

  • TrickBooster signed sample (SHA256):

65596dd44caa7fa9e8d048dfb5a5e46b04874060eb888d320ee2ced752669f5e

e7e64753cf91d1d35c3098fcd491f53dda01e83c47f6bede3d5bfe6775fb20c8

  • TrickBooster signed sample (SHA256):

d96fd330c765b88f3503899755624cbe020ab3e2c53e28d7dee38e7b35f3eab2

TrickBooster Infection servers (servers known to host TrickBooster executables in this campaign)

hxxp://104.216.111.171/

hxxp://85.204.116.92/

TrickBooster Command & Control servers (servers controlling TrickBooster bots involved in this campaign)

185.86.148.63:2050

178.156.202.242:2050

62.109.25.254 (likely Command & Control Server)

TrickBooster file hashes (SHA256, involved in this campaign)

620020a21c8074d689e80fc1ae29acf8c34d3481ed380f20ad445b88a7bf442e

65596dd44caa7fa9e8d048dfb5a5e46b04874060eb888d320ee2ced752669f5e

d96fd330c765b88f3503899755624cbe020ab3e2c53e28d7dee38e7b35f3eab2

f7eeaee88c68056ab4087b4a5c7c5797f9075d0384b271f136776ff5249cb497

48d591518b306a91853ac65697dd888a0afa442014b878d777879064091f73e1

fe527937e1e512b72111102d9e18c10120b77cd9832230950ce55a718e75a9f0

FUD TrickBooster “Implant” file hashes (SHA256)

4ba33bf8a5e8b065f5055dd2c655dc2a271e9587b037e9b3e548b6c51cab3e9e

702e96fef5b2ad643a0f702b26a3fd237592f778e4fbc707c80e93326fd08d58

6bf8f079021c8018f6ab37a29091e838918734bf9d1c532852561b6a0d71f12d

Additional File hash IOCs (SHA256)

2787838d3eb2fd14e80eff102b3967c3e5f1ed9f26f0ecc856ee68dfa28b9fd5

688b4a4ef3ac5de4f2c87bb5061f3f0729efe5818d2463437f4e742d9efbcf05

ef61dc27b55fb493c94ffd7022669c95e999fb6e60eb83a78fd462eab5f4b5d6

98a60cb7e0a0337a132def0ad766b8c5dda0d6777bf531d2a5f2493bb3de4348

00ba7cd7bb268fa6f6ef09fa679e5f5d68a27be512da24c556ea04673e852978

b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329

fc0770975ca3337984c3d4912ef592c805333e8bdf76fd4d3256ebc4e5916be7

f446f39223567f99ae2fb60f372583bc37d54ffe055f20eda8382c14eeea01f5

688b4a4ef3ac5de4f2c87bb5061f3f0729efe5818d2463437f4e742d9efbcf05

4abeab45c0503957e16373fe8f872d6055402614d317b1aa969becf07a6fdb05

748891c0ea84b6f8e2b44ec78acd474338c16e8bc24a975b867ac56ad994d939

ddd9d1a3c2cf31e2d361922c91efc9be6a253ad5854bb2adfdb02bc21a43817b

IOC list via Deep Instinct

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: