Beware! The TrickBot Trojan is back

The TrickBot Trojan was first identified in mid-2016 and is considered similar to the Dyreza banking Trojan. Initially, the payload (the component of a computer virus that executes a malicious activity) was spread through a malvertising campaign using the Rig Exploit Kit. From our current findings, TrickBot has changed its propagation technique and is now spreading through the Necurs Botnet (a distributor of many pieces of malware, including ransomware).

1) Earlier, we had discovered a malspam (malware delivered via email messages) campaign that was delivering the TrickBot Trojan. It consisted of blank emails with no subject line and a scan_RandomNo.doc file attachment [e.g. SCAN_4744.doc, SCAN_1254.doc].

Fig 1. A blank email with SCAN_4744.doc as an attachment.

The .doc file contains an embedded macro whose functionality is similar to that of the Dridex family.

2) Presently, this malspam campaign is using .zip attachments with keywords such as "invoice" in the file name, as shown below.

Fig 2. Email containing a .zip attachment. The .zip contains another .zip, which holds a script file with a .wsf extension.

Fig 3.

This .wsf file is executed using the Windows 'wscript.exe' and downloads an extension-less encoded file into the %temp% folder, which is then decoded in the same location as same_file_name.exe. It then copies itself into the '%appdata%\winapp' folder. In addition, it downloads two further components, 'client_id' and 'group_tag'. 'client_id' holds information such as the name of the victim's machine, OS version, etc. 'group_tag' contains a value such as 'mac1'. This Trojan also injects DLLs into the browsers installed on the infected machine to steal information such as usernames, passwords, etc.

We have also observed that a few .wsf files received during our analysis of this malspam campaign are spreading a new variant of the JAFF ransomware.

3) On 14.06.17, we observed another malspam campaign delivering TrickBot.

Fig 4. Email containing a .zip as an attachment.

Fig 5.

Emails delivered through this new malspam campaign contain a .docm file. The .docm has an embedded macro which, when enabled, downloads and installs components of the TrickBot Trojan on the infected machine.

Quick Heal Detection

1. Quick Heal has detection for the .doc, .wsf and the downloaded payload files.

Fig 6

Fig 7

2. Quick Heal behavior-based detection successfully detects the malicious activities of TrickBot.

Fig 8

Precautionary Measures

1) Avoid opening email attachments received from unknown, unwanted or unexpected sources.

2) Open all Microsoft documents, PDF files, etc., received as email attachments only in 'Protected View'.
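As an added example (not Quick Heal's code or part of the original post), the infection chain described above expressed as host-based detection logic run over a constructed stream of process-creation and file-creation events. The key=value event format, its field names (host, type, image, cmdline, parent, target) and the host, user and file names are all hypothetical, loosely modelled on Sysmon-style telemetry; the stages correlated are the ones the text names: wscript.exe launching a .wsf, an .exe decoded in %temp%, the copy into %appdata%\winapp, and the client_id / group_tag files.

```python
"""Host-based detection of the TrickBot delivery chain described above.

Added example, not Quick Heal's code. Events are a constructed, simplified
key=value stream that loosely mirrors process-creation / file-creation
telemetry; hosts, users and file names are made up.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: WS01 shows the chain from the text,
# WS02 shows benign wscript.exe and winapp activity that must not alert.
SAMPLE_EVENTS = [
    r'host=WS01 type=process image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\bob\AppData\Local\Temp\invoice_4471\invoice.wsf" parent=explorer.exe',
    r'host=WS01 type=file image=C:\Windows\System32\wscript.exe target=C:\Users\bob\AppData\Local\Temp\ab12cd',
    r'host=WS01 type=file image=C:\Windows\System32\wscript.exe target=C:\Users\bob\AppData\Local\Temp\ab12cd.exe',
    r'host=WS01 type=process image=C:\Users\bob\AppData\Local\Temp\ab12cd.exe cmdline="ab12cd.exe" parent=wscript.exe',
    r'host=WS01 type=file image=C:\Users\bob\AppData\Local\Temp\ab12cd.exe target=C:\Users\bob\AppData\Roaming\winapp\ab12cd.exe',
    r'host=WS01 type=file image=C:\Users\bob\AppData\Roaming\winapp\ab12cd.exe target=C:\Users\bob\AppData\Roaming\winapp\client_id',
    r'host=WS01 type=file image=C:\Users\bob\AppData\Roaming\winapp\ab12cd.exe target=C:\Users\bob\AppData\Roaming\winapp\group_tag',
    r'host=WS02 type=process image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Scripts\logon.vbs" parent=explorer.exe',
    r'host=WS02 type=file image=C:\Windows\explorer.exe target=C:\Users\amy\AppData\Roaming\winapp\notes.txt',
]

# key=value pairs; quoted values may contain spaces (command lines).
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one constructed event line into a dict of lower-cased-key fields."""
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def classify(ev):
    """Map one parsed event to a stage of the chain, or None if it matches nothing."""
    image = ev.get('image', '').lower()
    target = ev.get('target', '').lower()
    cmdline = ev.get('cmdline', '').lower()
    if ev.get('type') == 'process' and image.endswith(r'\wscript.exe') and '.wsf' in cmdline:
        return 'wscript_wsf'                     # script host running a .wsf file
    if ev.get('type') == 'file':
        if r'\temp\\'[:-1] in target and target.endswith('.exe'):
            return 'temp_exe'                    # decoded same_file_name.exe in %temp%
        if r'\appdata\roaming\winapp\\'[:-1] in target and target.endswith('.exe'):
            return 'winapp_copy'                 # self-copy into %appdata%\winapp
        if r'\winapp\\'[:-1] in target and target.rsplit('\\', 1)[-1] in ('client_id', 'group_tag'):
            return 'winapp_tags'                 # client_id / group_tag components
    return None


def analyze(lines):
    """Return {host: sorted list of chain stages observed on that host}."""
    stages = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            stages[ev['host']].add(stage)
    return {host: sorted(s) for host, s in stages.items()}


def alerts(lines, min_stages=3):
    """Hosts where a .wsf launch was seen together with at least min_stages stages in total.

    Requiring several stages, rather than any single one, keeps ordinary
    wscript.exe use or an unrelated 'winapp' folder from alerting on its own.
    """
    return sorted(host for host, s in analyze(lines).items()
                  if 'wscript_wsf' in s and len(s) >= min_stages)


if __name__ == '__main__':
    for host, seen in analyze(SAMPLE_EVENTS).items():
        print(host, seen)
    print('alert on:', alerts(SAMPLE_EVENTS))
```

On the constructed sample, WS01 matches all four stages and is reported, while WS02 (a .vbs logon script and a text file in a folder that happens to be named winapp) produces no stage at all; in a real deployment the path patterns would be tuned to the telemetry source in use.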


Reference by

Aware of Cryptolocker / Cryptorbit / Cryptowall Virus.

Kindly find below the detail information about Cryptowall 3.0 Ransomware.

We have seen a series of ransomware families that tended to be simple, with a dogged determination to extort money from victims. But with the exponential rise in ransomware samples last year, we saw more subtle designs, including "Cryptolocker", which was taken down along with the "Gameover ZeuS" botnet last June. As a result, other improved ransomware packages have sprung up to replace it, such as CryptoWall.


Ransomware is an emerging threat in the evolution of cybercriminals' techniques to part you from your money. Typically, the malicious software either locks the victim's computer system or encrypts the documents and files on it, in order to extort money from the victim. Since last year, criminals have generated an estimated US$1 million in profits.

Now, the infamous Cryptowall ransomware is back with a new and improved version of the file-encrypting program, which was spotted compromising victims early this week, security researchers warned.

The new version, dubbed Cryptowall 3.0 (or Crowti), uses the Tor and I2P (Invisible Internet Project) anonymity networks to carry out communication between victims and controllers, keeping it away from researchers and law enforcement officials.

The Cryptolocker/Cryptorbit/Cryptowall malware encrypts files with the RSA algorithm, and the key needed to decrypt the files is not statically available in the mother infector. It spreads through an email that appears to be a tracking notification from unknown people. The mail carries a zip file, and inside that zip file is a double-extension file such as *.pdf.exe. The .exe extension lets CryptoLocker run on your computer, while the innocuous .pdf extension hides the file's true function.
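Both campaigns on this page arrive as a zip attachment: the TrickBot mails carry a zip nested inside a zip with a .wsf script at the bottom, and the Cryptowall mails carry a double-extension file such as *.pdf.exe. The following is an added example, not code from Quick Heal or from either write-up, of the attachment triage a mail gateway can apply to catch both shapes: it walks nested archives in memory and flags executable or script members, and specifically double extensions where a document-like extension hides an executable one. The sample archives are constructed in the block itself with placeholder contents; the extension lists and the nesting limit are assumptions to be tuned per environment.

```python
"""Attachment triage for zip attachments, as described on this page.

Added example, not Quick Heal's or the original authors' code. The sample
archives are constructed in memory with placeholder bytes; the extension
lists and MAX_DEPTH are assumed policy values, not taken from the page.
"""
import io
import zipfile

# Extensions that Windows will execute or hand to a script host (assumed policy list).
EXEC_EXTS = {'.exe', '.scr', '.wsf', '.js', '.jse', '.vbs', '.vbe', '.hta', '.bat', '.cmd'}
# Document-like extensions used as a decoy in front of an executable one (e.g. .pdf.exe).
DECOY_EXTS = {'.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.txt'}
MAX_DEPTH = 3  # stop unpacking zip-in-zip chains beyond this depth


def suspicious_name(name):
    """Classify one archive member by name: 'double_extension', 'executable_content' or None."""
    base = name.rsplit('/', 1)[-1].lower()
    parts = base.split('.')
    if len(parts) < 2:
        return None
    ext = '.' + parts[-1]
    if ext not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and '.' + parts[-2] in DECOY_EXTS:
        return 'double_extension'        # tracking_notice.pdf.exe style
    return 'executable_content'          # invoice.wsf, setup.exe, ...


def inspect_zip(data, depth=0, prefix=''):
    """Return a list of (kind, path) findings for a zip given as bytes, recursing into nested zips."""
    findings = []
    if depth > MAX_DEPTH:
        return [('too_deep', prefix)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [('bad_zip', prefix)]
    with zf:
        for info in zf.infolist():
            path = f'{prefix}/{info.filename}' if prefix else info.filename
            if info.filename.lower().endswith('.zip'):
                findings.append(('nested_archive', path))
                findings.extend(inspect_zip(zf.read(info), depth + 1, path))
                continue
            kind = suspicious_name(info.filename)
            if kind:
                findings.append((kind, path))
    return findings


def verdict(data):
    """Gateway decision for one attachment: 'quarantine' if anything was flagged, else 'deliver'."""
    return 'quarantine' if inspect_zip(data) else 'deliver'


def build_zip(members):
    """Build a constructed in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the two campaigns; contents are inert placeholders.
TRICKBOT_STYLE = build_zip({'invoice_4471.zip': build_zip({'invoice_4471.wsf': b'constructed placeholder'})})
CRYPTOWALL_STYLE = build_zip({'tracking_notice.pdf.exe': b'constructed placeholder'})
BENIGN = build_zip({'report.pdf': b'%PDF-1.4 constructed placeholder', 'notes.txt': b'hello'})

if __name__ == '__main__':
    for label, blob in (('trickbot-style', TRICKBOT_STYLE), ('cryptowall-style', CRYPTOWALL_STYLE), ('benign', BENIGN)):
        print(label, verdict(blob), inspect_zip(blob))
```

The check is by name only, which is deliberately cheap enough to run on every attachment; it complements, rather than replaces, the signature and behavior-based detection the page describes, and a real gateway would additionally look at file content (magic bytes) so that a renamed executable is not missed.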

Availability of the key depends on communication with the C&C server.

Recovering the RSA decryption key by brute force is not a feasible solution, so decryption of the encrypted files is not possible in these cases.

Kindly go through the link below for your reference about this virus:

We recommend that you take the preventive measures below:

    1. Stay patched. Keep your operating system and software up to date.
    2. Make sure your anti-virus is active and up to date.
    3. Avoid opening attachments you weren't expecting, or from people you don't know well. Report any incoming mail from an unknown person/email ID to your IT team immediately.
    4. Make regular backups of your important data and store them somewhere safe, preferably offline.
    5. Update your firewall and apply all security patches.
    6. Update and re-check your gateway-level web filtering policies and security.
    7. Update your mail server anti-virus and apply all security patches.
    8. Update and re-check your mail server mail filtering and security policies.
    9. Do not click any unknown links.
    10. Do not accept, or click "Yes" on, any unknown web request.