Watch out for man-in-the-browser attacks
We have recently seen several man-in-the-browser attacks, namely TrickBot (a modular banking trojan spread through spam e-mail campaigns that targets users' financial information and acts as a dropper for other malware), about which we would like to notify our customers urgently.
RECOMMENDATIONS
We therefore advise all our customers to MONITOR their network even more closely and watch out for the following URLs, to which TrickBot sends HTTP requests to collect the infected host's public IP address:
- hxxp://myexternalip.com/raw
- hxxp://api.ipify.org
- hxxp://icanhazip.com
- hxxp://bot.whatismyipaddress.com
- hxxp://ip.anysrc.net/plain/clientip
If any traffic to one or more of the above URLs is seen, try to block them, and contact our support helpdesk without delay so that we can assist you with the next steps to secure your infrastructure, as different variants may occur.
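The monitoring step above can be automated against proxy logs. The following script is an added example written for this notice, not tooling from the advisory or from the cited source; it assumes a Squid-style native access.log layout (timestamp, elapsed, client, result, bytes, method, URL) and scans for requests to the five IP-lookup hosts listed above, covering both plain HTTP GETs and TLS CONNECT tunnels, which only record the hostname. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts taken from the advisory's URL list. Only the hostname is kept, because
# that is what a proxy records for both HTTP requests and CONNECT (TLS) tunnels.
TRICKBOT_IP_LOOKUP_HOSTS = {
    "myexternalip.com",
    "api.ipify.org",
    "icanhazip.com",
    "bot.whatismyipaddress.com",
    "ip.anysrc.net",
}

# Assumed Squid native access.log layout:
# timestamp elapsed client result/status bytes method url rfc931 hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url):
    """Return the lower-cased hostname of a logged URL or CONNECT target."""
    if "://" not in url:
        url = "http://" + url  # CONNECT lines carry "host:port" without a scheme
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def scan_log(lines):
    """Return one hit dict per log line whose destination host is an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        host = host_of(m.group("url"))
        if host in TRICKBOT_IP_LOOKUP_HOSTS:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "method": m.group("method"), "host": host,
                         "url": m.group("url")})
    return hits


def hosts_by_client(hits):
    """Group hits so each internal client appears once with the indicator hosts it reached."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["client"]].add(h["host"])
    return {client: sorted(hosts) for client, hosts in grouped.items()}


# Constructed sample log lines (not real traffic): one benign request, one plain
# HTTP lookup, one TLS CONNECT to an indicator host, and a second client doing a lookup.
SAMPLE_LOG = """\
1551434000.123    45 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1551434012.345   120 10.0.0.15 TCP_MISS/200 14 GET http://api.ipify.org/ - HIER_DIRECT/203.0.113.9 text/plain
1551434020.101  2000 10.0.0.15 TCP_TUNNEL/200 4000 CONNECT icanhazip.com:443 - HIER_DIRECT/203.0.113.10 -
1551434030.500    80 10.0.0.22 TCP_MISS/200 14 GET http://myexternalip.com/raw - HIER_DIRECT/203.0.113.11 text/plain
"""

if __name__ == "__main__":
    for client, hosts in hosts_by_client(scan_log(SAMPLE_LOG.splitlines())).items():
        print(f"{client}: {', '.join(hosts)}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines. Note that these hosts are ordinary public IP-lookup services, so legitimate software may query them too; a hit identifies a host to triage (look for the persistence artefacts described below), not a confirmed infection on its own.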
WHAT IS TRICKBOT?
TrickBot sends unsolicited emails that direct users to download malware from malicious websites or trick the user into opening malware delivered as an attachment. The campaigns use third-party branding that is familiar to the recipient, such as invoices from accounting and financial firms, and typically include an attachment. The opened attachment prompts the user to enable macros, which executes a VBScript that runs a PowerShell script to download the malware. TrickBot runs checks to ensure it is not in a sandbox environment and then attempts to disable antivirus programs. Once executed, TrickBot redeploys itself in the “%AppData%” folder and creates a scheduled task that provides persistence.
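The persistence mechanism described above (a scheduled task launching a copy under %AppData%) leaves a file-system artefact that can be checked offline: every task is stored as an XML file under C:\Windows\System32\Tasks. The script below is an added example written for this notice, not code from the advisory or its source; it parses task definitions and flags any whose Exec command points into the AppData tree, in either the literal path form or the %AppData% variable form. The two task definitions are constructed samples, and load_tasks_dir is a helper for running it on a real Windows host.

```python
import os
import xml.etree.ElementTree as ET

# XML namespace used by Windows Task Scheduler task files.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Substrings that place an executable under the per-user AppData tree, in either
# the literal or the environment-variable form a task definition may contain.
APPDATA_MARKERS = ("\\appdata\\", "%appdata%", "%localappdata%")


def exec_commands(task_xml):
    """Return every <Exec><Command> path in one task definition (unparseable input yields [])."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return []
    return [(cmd.text or "").strip() for cmd in root.iter(f"{TASK_NS}Command")]


def find_appdata_tasks(tasks):
    """tasks: dict of task name -> XML text/bytes.
    Return sorted (name, command) pairs whose command lives under AppData."""
    findings = []
    for name, xml_text in tasks.items():
        for cmd in exec_commands(xml_text):
            if any(marker in cmd.lower() for marker in APPDATA_MARKERS):
                findings.append((name, cmd))
    return sorted(findings)


def load_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Read every task file under the Task Scheduler folder (Windows only, needs admin).
    Files are read as bytes so ElementTree honours their own encoding declaration."""
    tasks = {}
    for dirpath, _, filenames in os.walk(tasks_dir):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                tasks[os.path.relpath(path, tasks_dir)] = fh.read()
    return tasks


# Constructed sample task definitions (not real tasks): a system task under
# %windir% and a user-context task launching an executable from AppData\Roaming.
SAMPLE_TASKS = {
    r"Microsoft\Windows\Defrag\ScheduledDefrag": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="LocalSystem">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "Updater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\updater.exe</Command>
    </Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    tasks = load_tasks_dir() if os.name == "nt" else SAMPLE_TASKS
    for name, cmd in find_appdata_tasks(tasks):
        print(f"{name}: {cmd}")
```

On a Windows host this runs over the live task folder; elsewhere it runs over the samples. Some legitimate per-user installers also register update tasks under AppData, so treat each finding as something to verify (publisher signature, file hash, creation time) rather than as proof of TrickBot.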
SOURCE: https://www.cisecurity.org/white-papers/security-primer-trickbot/