
Watch out for man-in-the-browser attacks

We have recently seen several man-in-the-browser attacks, in particular TrickBot (a modular banking trojan spread through spam email campaigns that targets users' financial information and acts as a dropper for other malware), and we would urgently like to notify our customers about them.

RECOMMENDATIONS

We therefore advise all our customers to MONITOR their network even more closely and watch out for the following URLs, to which TrickBot sends HTTP requests to collect the infected host's public IP address:

  • hxxp://myexternalip.com/raw
  • hxxp://api.ipify.org
  • hxxp://icanhazip.com
  • hxxp://bot.whatismyipaddress.com
  • hxxp://ip.anysrc.net/plain/clientip

If any traffic to one or more of the above URLs is seen, try to block them, but do not wait to contact our support helpdesk: we can assist you with the next steps to ensure the overall security of your infrastructure, as different variants may occur.
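One way to carry out the monitoring recommended above is to run proxy or web-gateway logs through a small watchlist check. The script below is an added example, not Secutec's code: it scans log lines for requests whose hostname is one of the five lookup services listed above (exact host or a subdomain of it, so look-alike names are not matched) and groups the hits per client, so that each machine needing triage shows up once. The log format and the sample lines are constructed for illustration. Note that these are public services and some legitimate software also queries them, so a hit is a lead to investigate on the client, not proof of infection by itself.

```python
"""Added example (not Secutec's code): scan proxy log lines for requests to
the public-IP lookup services the advisory lists.  The log format and the
sample lines below are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Hostnames taken from the advisory's list of TrickBot IP-lookup URLs.
WATCHLIST = {
    "myexternalip.com",
    "api.ipify.org",
    "icanhazip.com",
    "bot.whatismyipaddress.com",
    "ip.anysrc.net",
}

# Hypothetical proxy log format: <time> <client_ip> <method> <url> <status>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Constructed sample lines; 10.0.1.23 contacts two lookup services in a row
# and 10.0.1.61 hits a look-alike name that must not match.
SAMPLE_LOG = """\
10:15:01 10.0.1.23 GET http://myexternalip.com/raw 200
10:15:02 10.0.1.23 GET http://www.example.com/ 200
10:15:09 10.0.1.44 GET http://api.ipify.org 200
10:15:10 10.0.1.23 GET http://icanhazip.com 200
10:15:30 10.0.1.61 GET http://ipify.org.example.net/ 200
10:16:00 10.0.1.50 GET http://ip.anysrc.net/plain/clientip 200
"""


def host_of(url):
    """Lowercased hostname of a URL, or None when it cannot be parsed."""
    parsed = urlsplit(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def on_watchlist(host):
    """True for an exact watchlist host or a subdomain of one (not a look-alike)."""
    if host is None:
        return False
    return host in WATCHLIST or any(host.endswith("." + w) for w in WATCHLIST)


def find_ip_lookups(lines):
    """(client_ip, host, url) for every line that reaches a watchlisted host."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _time, client, _method, url, _status = m.groups()
        host = host_of(url)
        if on_watchlist(host):
            hits.append((client, host, url))
    return hits


def clients_to_triage(lines):
    """Map each client IP to the sorted list of lookup hosts it contacted."""
    by_client = {}
    for client, host, _url in find_ip_lookups(lines):
        by_client.setdefault(client, set()).add(host)
    return {c: sorted(h) for c, h in by_client.items()}


if __name__ == "__main__":
    for client, hosts in clients_to_triage(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {', '.join(hosts)}")
```

Feed it your own gateway export by adapting `LINE_RE` to your log layout; the watchlist check itself does not depend on the format. A client that contacts more than one of these services within a short window, as 10.0.1.23 does in the sample, deserves a closer look than a single request.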

WHAT IS TRICKBOT?

TrickBot is delivered by unsolicited emails that direct users to download malware from malicious websites or trick the user into opening malware delivered as an attachment. The campaigns use third-party branding that is familiar to the recipient, such as invoices from accounting and financial firms, and typically include an attachment. The opened attachment prompts the user to enable macros, which execute a VBScript that runs a PowerShell script to download the malware. TrickBot runs checks to ensure it is not in a sandbox environment and then attempts to disable antivirus programs. Once executed, TrickBot redeploys itself in the “%AppData%” folder and creates a scheduled task that provides persistence.
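The persistence pattern described above (a copy in %AppData% launched by a scheduled task) is something a defender can check for across hosts. The following added example, not Secutec's code, parses a scheduled-task listing and flags every task whose command runs from a user's AppData tree or uses the %APPDATA% / %LOCALAPPDATA% variables. The CSV is constructed to resemble `schtasks /query /fo CSV /v` output but is reduced to a hypothetical subset of its columns, and the task names are made up. Some legitimate per-user updaters also install under AppData, so the output is a triage list to review, not a verdict.

```python
"""Added example (not Secutec's code): flag scheduled tasks whose command runs
from a user's AppData folder, the persistence pattern the advisory describes.
The CSV below is constructed to resemble `schtasks /query /fo CSV /v` output,
reduced to a hypothetical subset of its columns."""
import csv
import io
import re

# A command path under any user's AppData tree, or one using the %APPDATA% /
# %LOCALAPPDATA% environment variables.
APPDATA_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|%(?:LOCAL)?APPDATA%", re.IGNORECASE
)

# Constructed task listing: two ordinary tasks plus two that run from AppData.
SAMPLE_CSV = """\
"TaskName","Task To Run","Author"
"\\Vendor\\UpdateCheck","C:\\Program Files\\Vendor\\update.exe /quiet","Vendor"
"\\Maintenance\\Cleanup","%windir%\\system32\\cleanmgr.exe /sagerun:1","SYSTEM"
"\\svcupdate","C:\\Users\\alice\\AppData\\Roaming\\svcupdate.exe","alice"
"\\Updater","%APPDATA%\\updater\\updater.exe","bob"
"""


def appdata_tasks(csv_text):
    """Return (task_name, command) for each task whose command lives under AppData."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        (row["TaskName"], row["Task To Run"])
        for row in reader
        if APPDATA_RE.search(row["Task To Run"] or "")
    ]


if __name__ == "__main__":
    for name, cmd in appdata_tasks(SAMPLE_CSV):
        print(f"review: {name} -> {cmd}")
```

On a real host, export the listing with `schtasks /query /fo CSV /v > tasks.csv` and pass the file contents to `appdata_tasks`; the real output has many more columns, but `DictReader` only needs the two used here to be present.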

SOURCE: https://www.cisecurity.org/white-papers/security-primer-trickbot/
