
TrickBot Disguised as COVID-19 Map

Cybercriminals are continuously exploiting the Coronavirus (COVID-19) pandemic. While monitoring COVID-19 related spam, we recently spotted an interesting campaign that uses an unusual email attachment to deliver the TrickBot malware.

Figure 1: The spam campaign flow

The Road to TrickBot

The email, claiming to be from a volunteer organization that helps those seeking COVID-19 financial aid, entices the recipient to open the attachments, which pose as COVID-19 forms.

Figure 2: Trustwave Secure Email Gateway displaying a recent COVID-19 spam

The attachments are Java Network Launch Protocol (JNLP) files. JNLP files are XML-formatted files that can be used to launch Java programs hosted on a remote server on the client machine. If the client machine has the Java Runtime Environment (JRE) installed, a JNLP file can be executed with a double click, because the JRE includes Java Web Start, which runs such files.

In Figure 2, the two JNLP attachments are identical. Once executed, they download and run the Java program “map.jar” hosted at “http[s]://mapcovid[.]net”, a second-stage downloader disguised as a COVID-19 "Map" Java program.
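To make the mechanism concrete from the defender's side, here is an added example (not code from the original post or from Trustwave) that parses a JNLP file the way an email-gateway or sandbox check might, and reports where Java Web Start would fetch code from. The sample JNLP is constructed for this example and uses a placeholder host, mapcovid.invalid, rather than the real campaign domain; its element layout (the codebase attribute, resources/jar, security/all-permissions and application-desc) follows the standard JNLP schema.

```python
# Added example: inspect a JNLP attachment and list the remote code it would
# launch. Sample document below is constructed; the host name is a placeholder.
from typing import Optional
from urllib.parse import urljoin, urlparse
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://mapcovid.invalid/" href="SARS-2_Form.jnlp">
  <information>
    <title>COVID-19 Map</title>
    <vendor>Volunteer Org</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="map.jar" main="true"/>
  </resources>
  <application-desc main-class="map.Main"/>
</jnlp>
"""


def parse_jnlp(data: bytes) -> dict:
    """Return the code locations and privileges a JNLP file asks Java Web Start for."""
    root = ET.fromstring(data)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP document")
    codebase = root.get("codebase", "")
    # jar hrefs are relative to codebase; resolve them to absolute URLs
    jars = [urljoin(codebase, j.get("href", "")) for j in root.iter("jar")]
    app = root.find("application-desc")
    main_class: Optional[str] = app.get("main-class") if app is not None else None
    return {
        "codebase": codebase,
        "jars": jars,
        "main_class": main_class,
        "all_permissions": root.find("security/all-permissions") is not None,
    }


def suspicious_indicators(info: dict) -> list:
    """Human-readable reasons a triage analyst would want to see for this file."""
    findings = []
    hosts = {urlparse(u).hostname for u in info["jars"]
             if urlparse(u).scheme in ("http", "https")}
    hosts.discard(None)
    if hosts:
        findings.append("fetches code from remote host(s): " + ", ".join(sorted(hosts)))
    if info["all_permissions"]:
        findings.append("requests all-permissions (runs outside the Java sandbox)")
    if info["main_class"]:
        findings.append("launches a full application with main class " + info["main_class"])
    return findings


if __name__ == "__main__":
    info = parse_jnlp(SAMPLE_JNLP)
    for line in suspicious_indicators(info):
        print("-", line)
```

Any JNLP that pulls a jar from an external host and asks for all-permissions is, in an email context, enough on its own to quarantine; the parser just makes the reason explicit in the alert.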

Figure 3: The attachment SARS-2_Form.jnlp, a fake COVID-19 form, is a downloader

Figure 4: The second-stage downloader “map.jar” will download and execute the main malware “map.exe”

The downloaded file “map.jar” launches the World Health Organization’s (WHO) “Q&A on coronaviruses (COVID-19)” webpage to cover up its malicious behavior: downloading and installing the main malware. This malware, concealed as a COVID-19 “Map” executable, is downloaded from “http[s]://basecovid[.]com/map[.]exe”, then saved and executed as %appdata%/map.exe.

The second downloaded file, “map.exe”, is the modular banking trojan called TrickBot. This malware is prominent nowadays due to its wide range of functionality: stealing information, downloading other malware, sending spam emails, etc.

The TrickBot %appdata%/map.exe is executed automatically via the Execute() function of “map.jar”. Once run, it creates its installation folder, SpotifyMusic, in the Startup folder and drops a copy of itself there. It also creates an encrypted file, “settings.ini”, that contains the TrickBot configuration.

Figure 5: Installation path of the downloaded TrickBot

Figure 6: Decrypted TrickBot configuration

The decrypted TrickBot configuration contains vital information used when the TrickBot executable communicates with its C&Cs: the version of the currently installed “map.exe” and its group tag <gtag>, the list of C&C IP addresses, and the first module to be downloaded by “map.exe”.

Figure 7: The memory dump of TrickBot “map.exe” showing the first request to its C&C

Summary

Malware authors are continuously taking advantage of the COVID-19 pandemic in their spam. Like other cybercriminals, the threat actors behind this TrickBot campaign are unleashing their creativity on the initial arrival vector of their malware. Often, we observe TrickBot being delivered as the payload of malicious document attachments, particularly macro downloaders. This is the first time we have witnessed TrickBot use JNLP files as downloaders. In fact, the use of JNLP files as email attachments to deliver malware is not common.

It’s likely we shall see more of this kind of threat. We recommend blocking *.jnlp files at your email gateway. We have added protections for this threat to the Trustwave Secure Email Gateway for our customers.
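As an added example of the gateway recommendation above (this is illustrative code, not Trustwave Secure Email Gateway logic), the check below quarantines a message if any attachment is a JNLP file. Matching on the .jnlp extension alone misses a renamed file, so it also looks at the declared MIME type and sniffs the decoded content for a jnlp root element. The message it scans is constructed inline with placeholder addresses and a placeholder host.

```python
# Added example: mail-filter rule for JNLP attachments. The sample message and
# its two attachments are constructed here; nothing is fetched from the network.
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

JNLP_MIME = "application/x-java-jnlp-file"   # registered media type for JNLP
JNLP_ROOT = re.compile(rb"<\s*jnlp[\s>]", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed lure: one attachment named .jnlp, one renamed to .txt."""
    msg = EmailMessage()
    msg["From"] = "volunteers@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "COVID-19 financial aid forms"
    msg.set_content("Please open the attached forms to apply.")
    jnlp = (b'<?xml version="1.0"?><jnlp spec="1.0+" codebase="https://mapcovid.invalid/">'
            b'<resources><jar href="map.jar"/></resources></jnlp>')
    msg.add_attachment(jnlp, maintype="application", subtype="x-java-jnlp-file",
                       filename="SARS-2_Form.jnlp")
    # Same bytes with a harmless-looking name and generic type: only the content check catches it
    msg.add_attachment(jnlp, maintype="application", subtype="octet-stream",
                       filename="Form.txt")
    return msg.as_bytes()


def jnlp_reason(filename: Optional[str], content_type: str, payload: bytes) -> Optional[str]:
    """Return why this attachment is treated as JNLP, or None if it is not."""
    if filename and filename.lower().endswith(".jnlp"):
        return "extension .jnlp"
    if content_type.lower() == JNLP_MIME:
        return "declared MIME type " + JNLP_MIME
    if payload and JNLP_ROOT.search(payload[:4096]):
        return "content has a <jnlp> root element"
    return None


def scan_message(raw: bytes) -> dict:
    """Decide deliver/quarantine for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reason = jnlp_reason(part.get_filename(), part.get_content_type(), payload)
        if reason:
            hits.append((part.get_filename(), reason))
    return {"action": "quarantine" if hits else "deliver", "hits": hits}


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

Only the first 4 KiB of each attachment is sniffed, which is plenty for a root element and keeps the rule cheap on large attachments; archives would need to be expanded before the same check is applied to their members.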

IOCs

SARS-2_Form.jnlp    SHA1: 46576bfebaecaacc4600bba429016b0713238f52
map.jar    SHA1: 0068154fbc4374642ebe50ac4f822c64b45635c8
map.exe    SHA1: 55b031294ff24919547cfcb4fd4f10a02902ce3b
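The following is an added host-triage example (not from the original post) that turns the artifacts described above into a check: it looks under %APPDATA% for the SpotifyMusic folder in the Startup directory, for the settings.ini configuration file, and for map.exe, hashes any executables it finds, and compares them against the SHA1 values from the IOC list. To run anywhere it builds a constructed directory layout in a temporary folder with placeholder file contents; on a real Windows host you would pass the actual APPDATA path instead.

```python
# Added example: IOC-driven triage for the TrickBot artifacts named in the post.
# The temp directory contents are constructed placeholders, not malware.
import hashlib
import tempfile
from pathlib import Path

# SHA1 values from the IOC list in the post, keyed by hash
KNOWN_BAD_SHA1 = {
    "46576bfebaecaacc4600bba429016b0713238f52": "SARS-2_Form.jnlp",
    "0068154fbc4374642ebe50ac4f822c64b45635c8": "map.jar",
    "55b031294ff24919547cfcb4fd4f10a02902ce3b": "map.exe",
}

# Per-user Startup folder, relative to %APPDATA% (Roaming)
STARTUP_REL = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"


def sha1_of(path: Path) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(appdata: Path) -> list:
    """Return findings for the persistence folder, config file and dropped binaries."""
    findings = []
    install = appdata / STARTUP_REL / "SpotifyMusic"
    if install.is_dir():
        findings.append(f"persistence folder present: {install}")
        if (install / "settings.ini").is_file():
            findings.append("encrypted TrickBot config settings.ini present")
    candidates = [appdata / "map.exe"]
    if install.is_dir():
        candidates += sorted(install.glob("*.exe"))
    for p in candidates:
        if p.is_file():
            digest = sha1_of(p)
            label = KNOWN_BAD_SHA1.get(digest)
            verdict = f" matches IOC {label}" if label else " (no IOC match, review manually)"
            findings.append(f"{p}: sha1={digest}{verdict}")
    return findings


def build_constructed_host() -> Path:
    """Lay out a temp directory that mimics an infected %APPDATA% (constructed data)."""
    root = Path(tempfile.mkdtemp())
    install = root / STARTUP_REL / "SpotifyMusic"
    install.mkdir(parents=True)
    (install / "map.exe").write_bytes(b"MZ placeholder, constructed for the example")
    (install / "settings.ini").write_bytes(b"constructed opaque blob")
    (root / "map.exe").write_bytes(b"MZ placeholder, constructed for the example")
    return root


if __name__ == "__main__":
    # On Windows, replace build_constructed_host() with Path(os.environ["APPDATA"])
    for line in triage(build_constructed_host()):
        print("-", line)
```

Because the placeholder files are not the real samples, the hashes here will not match the IOC list; the check still reports an unknown executable sitting in a Startup subfolder next to a settings.ini, which is the behavioral signal worth escalating even when a hash list is stale.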
