HP Threat Research Blog

Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks

October 8, 2020 | Category: Threat Research | By: Alex Holland


Introduction

One of the doctrines of forensic science is Locard’s exchange principle that every action taken by the perpetrator of a crime leaves a trace.[1] Through the process of carefully collecting and interpreting these traces, an investigator can characterise what happened and form hypotheses about other aspects of the crime, such as the capabilities of the perpetrator. This idea holds for digital forensic investigations just as much as it does in a physical crime scene. Cybercrimes involving malware require threat actors to use defence evasion techniques to circumvent security controls in the target’s network to achieve their objectives.[2] The good news for network defenders is that these techniques often involve manipulating files, which leave traces or “toolmarks” that can be used as signs of malicious intent or to track specific threat actors.[3] In this article, we describe how a stealthy TrickBot campaign in September 2020 masquerading as COVID-19 alerts and invoices evaded detection by encrypting, modifying and embedding payloads in files.

Background

TrickBot Operators Toy with Droppers, July 2020

In July 2020, we saw an unusual spam campaign delivering TrickBot banking malware. The configuration data use