Coming up this week on Breaking Badness. Today we discuss: The TrickBot Thickens, Feds or Tails?, and our fun new game, two truths and a lie.
Here are a few highlights from each article we discussed:
The TrickBot Thickens
- Oh TrickBot, how you always come up. So TrickBot is a financial trojan that typically gets dropped by a maldoc spam campaign. It harvests credentials through the Mimikatz tool, using the man-in-the-browser technique and what not. It is modular and constantly being updated and has been tied in the past—as we’ve talked about on this podcast—to the Ryuk ransomware and being used to drop other tools.
- So here we have their usual move of sending spam mailers tied to current events—in this case BLM—and try to get people to open documents and enable macros that then drop the next payload. In this case they’re posing as elected officials and asking that people vote on their opinion on BLM, etc.
- According to the sample campaign documents, when the attachment is opened, macros enabled pulls down a DLL. This just keeps working forever and ever and ever. TrickBot through maldocs is up there with reliability like death and taxes at this point.
- These documents are being distributed through email. Endless deluge of spam and not the delicious, Hawaiian state meat kind.
- Lots of police domains, defund or fund, depending on your stance. Lots of lives matter domains, lots of militia and antifa domains. All of this follows the 24-hour news cycle, right? Whatever is pumping— and particularly if the president says something on Twitter—those domain registrations will blossom. It’s like a little coronavirus outbreak for language.
- These maldoc spam campaigns are so effective at spreading malware. If your organization is larger than 100 people then someone will always fall for it.
- I always find TrickBot a bit boring—since it keeps happening—but concerning because it’s so effective. These developers release a new module for TrickBot every couple of months if not sooner and its capabilities keep growing so I would say it’s very concerning because you will get a TrickBot infection at some point if you work in IR for more than a week and end up being a target.
- In terms of how organizations can protect themselves against malspam emails like this one, stop using Microsoft Office and start using all plaintext documents or LaTeX edited documents…. I kid, though really wouldn’t mind everything to work in my terminal like it used to do. At this point you just need to be examining as many documents as possible and encouraging your people to never enable macros because they’re always bad. All I can say there really.
Feds or Tails?
- From 2012-2017 Buster Hernadez used Facebook to obtain sexually explicit photographs from young victims. If he didn’t get them, he threatened violence. To remain anonymous he worked off of a Linux OS named Tails that runs only in RAM and utilizes TOR for networking, making attribution via IP very difficult.
- In this case Mr Hernandez was a persistent bad actor on Facebook, targeting minors and threatening violence.
- The Facebook team spent a lot of time and resources hunting him down, eventually hiring a 3rd party to develop an exploit that targeted the Tails OS video player, deobfuscating the IP address of Hernandez and eventually leading to his arrest.
- Buster pled guilty to 41 charges in February and is awaiting sentencing. He faces life in prison.
- This action was legal
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
Current Scoreboard
This Week’s Hoodie/Goodie Scale
The TrickBot Thickens
[Chad]: 6.39/10 Hoodies
[Taylor]: 3.25/10 Hoodies
Feds or Tails?
[Chad]: 10/10 Hoodies
[Taylor]: 9.9/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!