TSPY_TRICKBOT.TIOIBEAN

Llega como archivo adjunto a los mensajes de correo que otro malware/grayware/spyware o usuarios maliciosos envían como spam.

Roba determinada información del sistema y/o del usuario.

Se conecta a determinados sitios Web para enviar y recibir información.

Detalles de entrada

Llega como archivo adjunto a los mensajes de correo que otro malware/grayware/spyware o usuarios maliciosos envían como spam.

Instalación

Infiltra los archivos siguientes:

• %Application Data%\{AMNI/AIMT}\Modules\{pwgrab32/pwgrab64} -> Encrypted module that is used to steal internet login credentials such as Internet Explorer, Mozilla Firefox, Google Chrome, Microsoft Edge, Filezilla, WinSCP and Microsoft Outlook
• %Application Data%\{AMNI/AIMT}\Modules\{tabDll32/tabDll64} -> Encrypted module that is used for its lateral movement in the infected machine's network.
• %Application Data%\{AMNI/AIMT}\Modules\{sharedll32dll/sharedll64dll} -> Encrypted module that is used to propagate itself via SMB and LDAP queries. It is used together with {wormDll32/wormDll64}.
• %Application Data%\{AMNI/AIMT}\Modules\{wormDll32/wormDll64} -> Encrypted module that is used to propagate itself via SMB and LDAP queries. It is used together with {sharedll32dll/sharedll64dll}.
• %Application Data%\{AMNI/AIMT}\FAQ -> contains the Victim's Unique ID
• %Application Data%\{AMNI/AIMT}\info.dat -> Encrypted data
• %Application Data%\{AMNI/AIMT}\README.md -> Identifier for network connection
• %Application Data%\{AMNI/AIMT}\Modules\{importDll32/importDll64} -> Encrypted module that steals credentials from Internet Applications
• %Application Data%\{AMNI/AIMT}\Modules\{injectDll32/injectDll64} -> Encrypted module that monitors websites possibly used for banking applications
• %Application Data%\{AMNI/AIMT}\Modules\{mailsearcher32/mailsearcher64} -> Encrypted module that searches for email addresses in the infected machine
• %Application Data%\{AMNI/AIMT}\Modules\{networkDll32/networkDll64} -> Encrypted module that performs network scanning
• %Application Data%\{AMNI/AIMT}\Modules\{systeminfo32/systeminfo64} -> Encrypted module that gathers system information of the infected machine
• %Application Data%\{AMNI/AIMT}\Modules\{injectDll32/injectDll64}_configs\dinj -> Encrypted configuration that lists websites to be monitored
• %Application Data%\{AMNI/AIMT}\Modules\{injectDll32/injectDll64}_configs\sinj -> Encrypted configuration that lists websites that will be redirected to a specific phishing URL
• %Application Data%\{AMNI/AIMT}\Modules\{injectDll32/injectDll64}_configs\dpost -> Encrypted configuration that lists C&C servers that receives stolen data from monitored websites
• %Application Data%\{AMNI/AIMT}\Modules\{networkDll32/networkDll64}\dpost -> Encrypted configuration that lists C&C servers that will receive stolen network information
• %Application Data%\{AMNI/AIMT}\Modules\{mailsearcherDll32/mailsearcherDll64}_configs\mailconf ->Encrypted configuration that lists C&C servers that will receive stolen email addresses

(Nota: %Application Data% es la carpeta Application Data del usuario activo, que en el caso de Windows 98 y ME suele estar ubicada en C:\Windows\Profiles\{nombre de usuario}\Application Data, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}\Application Data y en el caso de Windows 2000, XP y Server 2003 en C:\Documents and Settings\{nombre de usuario}\Local Settings\Application Data).

Crea las siguientes copias de sí mismo en el sistema afectado:

• %Application Data%\{AMNI/AIMT}\{malware file name}.exe

(Nota: %Application Data% es la carpeta Application Data del usuario activo, que en el caso de Windows 98 y ME suele estar ubicada en C:\Windows\Profiles\{nombre de usuario}\Application Data, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}\Application Data y en el caso de Windows 2000, XP y Server 2003 en C:\Documents and Settings\{nombre de usuario}\Local Settings\Application Data).

Agrega los procesos siguientes:

• cmd /c sc stop WinDefend
• cmd /c sc delete WinDefend
• cmd /c powershell Set-MpPreference -DisableRealTimeMonitoring $true

Crea las carpetas siguientes:

• %Application Data%\{AMNI/AIMT}\Modules\{pwgrab32/pwgrab64}_configs
• %Application Data%\{AMNI/AIMT}\Modules\{tabDll32/tabDll64}_configs
• %Application Data%\{AMNI/AIMT}
• %Application Data%\{AMNI/AIMT}\Modules\
• %Application Data%\{AMNI/AIMT}\Modules\{mailsearcher32/mailsearcher64}_configs
• %Application Data%\{AMNI/AIMT}\Modules\{networkDll32/networkDll64}_configs
• %Application Data%\{AMNI/AIMT}\Modules\{injectDll32/injectDll64}_configs

(Nota: %Application Data% es la carpeta Application Data del usuario activo, que en el caso de Windows 98 y ME suele estar ubicada en C:\Windows\Profiles\{nombre de usuario}\Application Data, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}\Application Data y en el caso de Windows 2000, XP y Server 2003 en C:\Documents and Settings\{nombre de usuario}\Local Settings\Application Data).

Otras modificaciones del sistema

Modifica las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft Windows Defender Security Center\
Notifications
DisableNotifications = 1

Robo de información

Roba la siguiente información:

• OS information (Architecture, Caption, CSDVersion)
• CPU Information (Name)
• Memory Information
• User Accounts
• Installed Programs
• Installed Services
• IP Configuration
• Network Information (Configuration, Users, Domain Settings)
• Email addresses
• Internet Credentials:
  
  • Usernames and Passwords
  • Internet Cookies
  • Browsing History
  • Internet Application Settings(Google Chrome, Mozilla Firefox, Internet Explorer)
• Credentials in the following Applications:
  
  • Microsoft Outlook
  • Filezilla
  • WinSCP

Otros detalles

Se conecta al sitio Web siguiente para enviar y recibir información:

• {BLOCKED}.{BLOCKED}.167.242:443
• {BLOCKED}.{BLOCKED}.101.25:443
• {BLOCKED}.{BLOCKED}.243.125:449
• {BLOCKED}.{BLOCKED}.105.252:443
• {BLOCKED}.{BLOCKED}.64.148:449
• {BLOCKED}.{BLOCKED}.249.230:443
• {BLOCKED}.{BLOCKED}.199.46:443
• {BLOCKED}.{BLOCKED}.40.119:449
• {BLOCKED}.{BLOCKED}.157.163:443
• {BLOCKED}.{BLOCKED}.218.139:443
• {BLOCKED}.{BLOCKED}.91.118:449
• {BLOCKED}.{BLOCKED}.162.86:443
• {BLOCKED}.{BLOCKED}.173.10:443
• {BLOCKED}.{BLOCKED}.188.224:449
• {BLOCKED}.{BLOCKED}.53.126:449
• {BLOCKED}.{BLOCKED}.171.234:449
• {BLOCKED}.{BLOCKED}.20.66:449
• {BLOCKED}.{BLOCKED}.140.89:443
• {BLOCKED}.{BLOCKED}.41.188:443
• {BLOCKED}.{BLOCKED}.182.112:449
• {BLOCKED}.{BLOCKED}.251.150:449
• {BLOCKED}.{BLOCKED}.94.107:443
• {BLOCKED}.{BLOCKED}.3.170:443
• {BLOCKED}.{BLOCKED}.50.85:443
• {BLOCKED}.{BLOCKED}.20.113:443
• {BLOCKED}.{BLOCKED}.74.84:449
• {BLOCKED}.{BLOCKED}.168.50:443
• {BLOCKED}.{BLOCKED}.86.52:449
• {BLOCKED}.{BLOCKED}.233.167:443
• {BLOCKED}.{BLOCKED}.105.252:443
• {BLOCKED}.{BLOCKED}.86.52:449
• {BLOCKED}x5kg7bl.onion:448
• {BLOCKED}.{BLOCKED}.63.233:447
• {BLOCKED}.{BLOCKED}.39.10:447
• {BLOCKED}.{BLOCKED}.39.252:447
• {BLOCKED},{BLOCKED}.249.187:447
• {BLOCKED}.{BLOCKED}.204.9:447
• {BLOCKED}.{BLOCKED}.198.167:447
• {BLOCKED}.{BLOCKED}.178.63:447
• {BLOCKED}.{BLOCKED}.105.68:447
• {BLOCKED}.{BLOCKED}.65.32:447
• {BLOCKED}.{BLOCKED}.155.117:447
• {BLOCKED}.{BLOCKED}.140.89:443
• {BLOCKED}.{BLOCKED}.229.158:449
• {BLOCKED}.{BLOCKED}.41.188:443
• {BLOCKED}.{BLOCKED}.182.112:449
• {BLOCKED}.{BLOCKED}.24.240:449
• {BLOCKED}.{BLOCKED}.94.107:443
• {BLOCKED}.{BLOCKED}.3.170:443
• {BLOCKED}.{BLOCKED}.50.85:443
• {BLOCKED}.{BLOCKED}.20.113:443
• {BLOCKED}.{BLOCKED}.74.84:449
• {BLOCKED}.{BLOCKED}.168.50:443
• {BLOCKED}.{BLOCKED}.83.22:443