Hello, welcome to the Wednesday, August 16th, 2017 edition of the Sandsonet Storm Center's Stormcast.

My name is Johannes Orich, and the day I'm recording from Jacksonville, Florida.

We got two interesting diaries today to start out with regarding some new tricks that malvers up to.

First one is aptly named TrickBot and as Brad explains,

it's sort of a new version of the Dyer or Dereza Malware family. Now the overall infection

doesn't really look all that special. Starts out with spam that includes an HTML link that then is used to trick the user to download an office document, which of course will use macros to infect the system with additional malware.

What gets a little bit interesting is first of all the domains used.

Yesterday I mentioned how we see a lot of these new top level

domains being used. That's pretty easy to spot this particular sample did use the more traditional

dot com and then also dot CO.uk. So the standard commercial British domain. And then I think most interesting from my point of

view was that the sample actually used HTTP on the websites that hosted the malicious Word

document. Also, the email came from these domains and these domains were configured with

the standard SPF and such features in order

to make it more likely to have the email accepted by spam filters. So whoever is behind it went

the extra mile to make sure that first of all the spam is getting delivered and secondly

it makes a little bit more difficult

to actually inspect the traffic since it's using HDPS. A lot of organizations still don't

really inspect HTTPS requests. The end effect of all of this is that you will end up with a system

that's infected with the Trickbot banking Trojan,

which as the name implies, will go after your online banking sessions.

Now, Trickbot, while it did some pretty interesting things here, it still relied on spam in order

to spread itself. Renato has another example here of malware that actually didn't use spam.

...