
Trickbot issue on production network.


26 replies to this topic

#1 garethp1

Posted 16 April 2018 - 10:16 AM

I am having an issue with the Trickbot virus on our production network. We run Symantec Endpoint Protection on all workstations (~30). We have a Server 2008 R2 Exchange server as well as 4x Server 2012 R2 servers running various applications; the servers do not run antivirus.

My Symantec Endpoint Protection notified me of the infection last week on Thursday. The infection was installed on every PC on my network simultaneously. We found stsvc.exe on the root of C: as well as a folder called NetDefender under the %APPDATA% folder of any user that logged in. There was a scheduled task called MSNetValidation (or something close to that) that was set to run on logon to call the malware.

It is my opinion that the Symantec definitions 'caught up' once we were already infected, because the malware was active and a reboot was required to remove it on every computer.

I manually removed the scheduled task and the offending files from the servers, then installed Symantec Endpoint and scanned to be safe. I also loaded Malwarebytes on the servers and scanned. All of these scans came back clean after manually removing the files.

This all happened last Thursday. Today (Monday), I got a notification from Symantec that it again detected stsvc.exe as infected with Trickbot on every unit in the building. This time it required no intervention and was automatically cleaned immediately, which tells me the malware had not been executed yet. I found stsvc.exe on my servers again as well, but it wasn't executed as there was no scheduled task or NetDefender folder, so I just deleted it.

Now, all that said, I'm trying to figure out what process is causing everything to get infected and what steps I should take from here. I found that Trickbot can propagate via network shares here:

https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

But all computers and servers are fully updated through the 2017-04 Cumulative updates, so I'm not sure what else needs to be done.

Thanks!




#2 xpictoc

Posted 16 April 2018 - 04:44 PM

I am having the same exact issue, matching dates as well, started last Thursday, seemed to have contained it then. Then started infecting all user machines on Monday (today). Not having any luck slowing it down, but the antivirus does seem to be detecting it/quarantining it. Any progress on your end?



#3 yellowdemon

Posted 07 May 2018 - 11:58 AM

I've noticed similar activity, mine is creating MSNetValidator, MSTools, MsLogExport & NativeLogger scheduled tasks.  For the most part, anti-virus is catching the infection.  What I haven't figured out yet though, is if antivirus doesn't catch it, what is the outcome?  



#4 xpictoc

Posted 07 May 2018 - 12:15 PM

https://pastebin.com/3QJUzdY4

Make an outbound policy on your firewall to deny all of these IPs.

Also 162.24.32.218.

Make sure to delete all of the tasks, and the %appdata% roaming NetDefender/Disktools folders for any of the recently active users on whatever machine. Then look in the System32/Windows/Syswow64 folders for any recent unknown files. And reboot; it will run in memory and keep making those tasks/folders if you don't. Many of the antivirus scanners aren't finding a lot of this.


Edited by xpictoc, 07 May 2018 - 12:18 PM.
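One way to run the sweep xpictoc describes across every domain-joined machine at once, as an added example rather than code from the thread: it reports the scheduled task names posters listed, C:\stsvc.exe, the roaming NetDefender/Disktools folders and any tttvc.exe under a profile's AppData. It assumes the ActiveDirectory RSAT module on the admin workstation and WinRM on the targets; the indicator lists are only the names this thread reports, not a complete set.

```powershell
# Added example, not from the thread. Sweeps domain-joined hosts for the artifacts
# posters reported: named scheduled tasks, C:\stsvc.exe, roaming NetDefender/Disktools
# folders and tttvc.exe under any profile's AppData. Assumes the ActiveDirectory
# module (RSAT) locally and WinRM enabled on the targets; the name lists are the
# ones reported in this thread and are not a complete indicator set.
$TaskNames    = 'MSNetValidation', 'MSNetValidator', 'MSTools', 'MsLogExport', 'NativeLogger'
$DropperFiles = 'C:\stsvc.exe'
$AppDataDirs  = 'NetDefender', 'Disktools'

$Computers = (Get-ADComputer -Filter 'Enabled -eq $true').Name

$Findings = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    param($TaskNames, $DropperFiles, $AppDataDirs)
    $hits = @()
    # schtasks works on 2008 R2 as well as 2012 R2; Get-ScheduledTask does not exist on 2008 R2.
    $tasks = schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        $leaf = ($t.TaskName -split '\\')[-1]
        if ($TaskNames -contains $leaf) {
            $hits += [pscustomobject]@{ Type = 'Task'; Item = $t.TaskName; Detail = $t.'Task To Run' }
        }
    }
    foreach ($f in $DropperFiles) {
        if (Test-Path $f) {
            $fi = Get-Item $f
            $hits += [pscustomobject]@{ Type = 'File'; Item = $f; Detail = "$($fi.Length) bytes, written $($fi.LastWriteTime)" }
        }
    }
    # Check every profile, not just the logged-on user: the folder was created per user.
    foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
        foreach ($d in $AppDataDirs) {
            $dir = Join-Path $userDir.FullName "AppData\Roaming\$d"
            if (Test-Path $dir) {
                $hits += [pscustomobject]@{ Type = 'Folder'; Item = $dir; Detail = (Get-Item $dir).LastWriteTime }
            }
        }
        $copies = Get-ChildItem (Join-Path $userDir.FullName 'AppData') -Recurse -Filter 'tttvc.exe' -ErrorAction SilentlyContinue
        foreach ($c in $copies) {
            $hits += [pscustomobject]@{ Type = 'File'; Item = $c.FullName; Detail = "$($c.Length) bytes, written $($c.LastWriteTime)" }
        }
    }
    $hits
} -ArgumentList $TaskNames, $DropperFiles, $AppDataDirs

# Hosts absent from this table showed none of the indicators; the rest need the
# manual task/folder removal and reboot described above.
$Findings | Sort-Object PSComputerName, Type, Item |
    Format-Table PSComputerName, Type, Item, Detail -AutoSize
```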


#5 garethp1 (Topic Starter)

Posted 08 May 2018 - 08:34 AM

Thanks, I've added this list to my firewall with an outbound policy to deny traffic; I'll see if that helps.

In my scenario, A/V is catching it as it gets loaded but something on the network causes it to persist. All computers will be completely clean, then a couple of days later Symantec flags stsvc.exe and cleans it again, so something is pushing it over the network. All machines with A/V are avoiding full infection because I only see stsvc.exe on them, which is cleaned off, but no NetDefender folder or odd services and tasks since the initial infection was cleaned off each machine.

So my biggest issue is that although the computers are protected, the malware seems to be persisting on the network somewhere.



#6 jasongalliuk

Posted 09 May 2018 - 02:05 PM

> Thanks, I've added this list to my firewall with an outbound policy to deny traffic; I'll see if that helps.
>
> In my scenario, A/V is catching it as it gets loaded but something on the network causes it to persist. All computers will be completely clean, then a couple of days later Symantec flags stsvc.exe and cleans it again, so something is pushing it over the network. All machines with A/V are avoiding full infection because I only see stsvc.exe on them, which is cleaned off, but no NetDefender folder or odd services and tasks since the initial infection was cleaned off each machine.
>
> So my biggest issue is that although the computers are protected, the malware seems to be persisting on the network somewhere.



#7 jasongalliuk

Posted 09 May 2018 - 02:11 PM

Hi there,

I'm also having the same issue here; it's been driving me up the wall. All servers and PCs, same problem; nothing I have tried removes it properly without it coming back. Malwarebytes real-time protection keeps blocking loads of outgoing connections from the svchost.exe file as riskware to lots of different IPs, hundreds in fact, and even after quarantining any infection and coming back clean for the short while before it is pushed back on to the C drives (stsvc.exe), it's still constantly blocking these unknown connections. It's driving me mad and I'm very concerned. I've tried turning off file and print sharing on all the PCs to try and limit the spread across the PCs, but still no joy. Someone please help!

#8 garethp1 (Topic Starter)

Posted 09 May 2018 - 02:19 PM

> Hi there,
>
> I'm also having the same issue here; it's been driving me up the wall. All servers and PCs, same problem; nothing I have tried removes it properly without it coming back. Malwarebytes real-time protection keeps blocking loads of outgoing connections from the svchost.exe file as riskware to lots of different IPs, hundreds in fact, and even after quarantining any infection and coming back clean for the short while before it is pushed back on to the C drives (stsvc.exe), it's still constantly blocking these unknown connections. It's driving me mad and I'm very concerned. I've tried turning off file and print sharing on all the PCs to try and limit the spread across the PCs, but still no joy. Someone please help!

Ya, it sucks; there doesn't seem to be a lot of assistance here so far. I applied the firewall rules mentioned above yesterday morning, and I haven't seen anything yet, but it's probably too early to say anything definitive.

I have noticed in my scenario it's only on domain-linked PCs. We have a couple of WinXP machines (don't ask why! It's for old equipment...) and they are NOT infected, despite having no A/V protection. When I install and scan they are clean, and when I manually check for folders, services, and tasks they are clean. I also have a few Win7 machines that are NOT on the domain, and again they are NOT infected. So in my scenario, I guess the malware is using the domain connection to load the malware on the PCs. As I mentioned above, the malware is immediately flagged and quarantined when loaded on the machines, but it doesn't prevent it from jumping back on the machines at a later time.

Since applying the firewall rules yesterday, my plan is to consult my firewall logs and see if I can identify a computer that is still attempting to dial one of the blocked IP addresses; hopefully tracing this down will help me find where the malware is persisting.

Sorry I couldn't be more help! I'll let you know if I find anything further. My discovery that none of my NON-domain units are infected is my latest revelation.
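The firewall-log check garethp1 plans above, as an added example that is not from the thread: it parses outbound-deny log lines, keeps the ones whose destination is on the blocklist, and groups them by internal source host so the machine still trying to dial out stands out. The log lines and their format are constructed for illustration (the regex must be adapted to the real firewall's syslog format), and the blocklist holds only the one address quoted in the thread plus a placeholder for the rest of xpictoc's pastebin list.

```powershell
# Added example, not from the thread. Attributes blocked outbound hits to the
# internal host that generated them. Log lines and format are constructed; the
# blocklist is the one address quoted in the thread plus a placeholder.
$BlockedIps = @('162.24.32.218', '<remaining IPs from the pastebin list>')

# Constructed sample of an outbound-deny log; real entries come from the firewall syslog.
$LogLines = @'
May 10 08:12:01 fw1 DROP OUT src=192.168.1.45 dst=162.24.32.218 proto=TCP dport=443
May 10 08:12:09 fw1 ALLOW OUT src=192.168.1.45 dst=203.0.113.7 proto=TCP dport=443
May 10 08:15:33 fw1 DROP OUT src=192.168.1.10 dst=162.24.32.218 proto=TCP dport=449
May 10 09:02:14 fw1 DROP OUT src=192.168.1.10 dst=162.24.32.218 proto=TCP dport=443
May 10 09:40:51 fw1 DROP OUT src=192.168.1.10 dst=162.24.32.218 proto=TCP dport=443
'@ -split "`n"

# Named groups pull out the fields we need; ALLOW lines are parsed but discarded below.
$Pattern = '^(?<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\s(?<action>DROP|ALLOW)\sOUT\ssrc=(?<src>[\d.]+)\sdst=(?<dst>[\d.]+)\sproto=\w+\sdport=(?<dport>\d+)'

$Hits = foreach ($line in $LogLines) {
    if ($line -match $Pattern -and $Matches.action -eq 'DROP' -and $BlockedIps -contains $Matches.dst) {
        [pscustomobject]@{ Time = $Matches.ts; Src = $Matches.src; Dst = $Matches.dst; Port = $Matches.dport }
    }
}

# One row per internal source: attempt count, which blocked addresses, ports, first and last try.
# The host with the most recent and most frequent attempts is where to look for the persistence.
$Hits | Group-Object Src | ForEach-Object {
    [pscustomobject]@{
        Src       = $_.Name
        Host      = $(try { [System.Net.Dns]::GetHostEntry($_.Name).HostName } catch { '(no PTR)' })
        Attempts  = $_.Count
        Targets   = ($_.Group.Dst | Sort-Object -Unique) -join ','
        Ports     = ($_.Group.Port | Sort-Object -Unique) -join ','
        FirstSeen = $_.Group[0].Time
        LastSeen  = $_.Group[-1].Time
    }
} | Sort-Object Attempts -Descending | Format-Table -AutoSize
```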



#9 jasongalliuk

Posted 09 May 2018 - 02:21 PM

Hi Gareth,

Yeah, it's mad, isn't it. I've also discovered the same thing with the non-domain PCs: all the remote workers who connect via VPN have not been infected, and they are a mix of Windows 7 and 10 PCs and all access the same share drives and Exchange server but are completely clean, but they are not part of the domain; they are on a standard home group network.

I've been really pulling my hair out. I've even emailed all the top AV companies to ask them for any help on the matter and not one has replied. Symantec on live chat said they have a solution and would call me after taking all my details but never did!

What are the IPs you've blocked on your firewall, because they are all different to what our Malwarebytes is reporting to be blocking?

Also, what have you used to scan your servers? We use AVG and that doesn't detect it at all. I have used Norton Power Eraser to remove it from the PCs, but I can't run that on the servers as it isn't compatible with any server OS, and Malwarebytes won't clean it out either! 😪

Edited by jasongalliuk, 09 May 2018 - 02:31 PM.


#10 garethp1 (Topic Starter)

Posted 09 May 2018 - 02:47 PM

> Hi Gareth,
>
> Yeah, it's mad, isn't it. I've also discovered the same thing with the non-domain PCs: all the remote workers who connect via VPN have not been infected, and they are a mix of Windows 7 and 10 PCs and all access the same share drives and Exchange server but are completely clean, but they are not part of the domain; they are on a standard home group network.
>
> I've been really pulling my hair out. I've even emailed all the top AV companies to ask them for any help on the matter and not one has replied. Symantec on live chat said they have a solution and would call me after taking all my details but never did!
>
> What are the IPs you've blocked on your firewall, because they are all different to what our Malwarebytes is reporting to be blocking?
>
> Also, what have you used to scan your servers? We use AVG and that doesn't detect it at all. I have used Norton Power Eraser to remove it from the PCs, but I can't run that on the servers as it isn't compatible with any server OS, and Malwarebytes won't clean it out either!

So the list of IPs provided by xpictoc is here (you can ignore the other info, it's from my firewall config):


 

We use Symantec Endpoint Protection Cloud. It works on servers as well as workstations. I will try and give them a call tomorrow and see if they can provide further assistance, and I'll let you know what I hear. I do like Malwarebytes for on-demand scanning but we don't pay for their real-time protection.



#11 jasongalliuk

Posted 09 May 2018 - 03:11 PM

Ah right, OK, thank you. We don't use any advanced firewalls; we just have Windows Firewall, so I'm not sure how I'd tackle blocking those IPs without blocking them on each and every PC.

Ah yeah, I suppose if you pay for Symantec Endpoint they will offer you some form of support, because they did say they have the solution for this one but never got back to me.

Hopefully we will get to the bottom of this; at least there's more than one of us trying to tackle this one. Fingers crossed we get somewhere with it.

I might have to trial Endpoint and see if it can help clear out the active virus on the servers, and at least then it's just a matter of trying to terminate the non-active infection which is trying to push itself on to the network.

#12 yellowdemon

Posted 10 May 2018 - 07:34 AM

I have a couple of questions still about this virus.

1. Can someone let me know how they extracted the IP addresses from the systeminfo module? I've been trying to learn as much as I can about cybersecurity lately.

2. Has anyone had this virus actually execute in their environment? I've seen how it disperses files, builds scheduled tasks, etc.; but what does it actually do if left alone? Does it wipe data, encrypt, lock files, keylog, etc.?

For me, this has been more of a nuisance than anything. Our antivirus, for the most part, has quarantined it. It later crops up as another tttvc.exe in a different directory.

I've executed this TTTVC.exe and STSVC.exe file in my test lab (NIC disabled) and can't seem to make it do anything - maybe a timer? It will build the directories once executed, but won't build the scheduled tasks - maybe since the NIC is disabled?

Any information is appreciated!


Edited by yellowdemon, 10 May 2018 - 07:35 AM.


#13 jasongalliuk

Posted 11 May 2018 - 09:10 AM

Hi there,

I think it is just a Trickbot virus which tries to steal passwords from the browsers and send them to those known IP addresses listed above. The only pain we have at the moment is how to find how to fully clean it from a network, as it only seems domain networks are susceptible to this threat; a couple of us have noticed any machines which are on the same network but not part of the domain, i.e. connected to the same shared drives and Exchange servers etc., have not been affected by it. I seem to have cleaned the PCs of it, but the server is where I'm having trouble trying to remove it from: same thing, after logging back in after a reboot the scheduled tasks are back and the same file you pointed out, tttvc.exe, is pushing back on, and also all the other machines on the network have got the stsvc.exe file in the directory of the C drive but not executed. It seems once the PCs have been cleaned out they are protected from any future execution of the threat, but this is probably because the servers are trying to push it back on. I'm still trying to find something which is compatible with server OS that can clean them out without spending loads, because we have only just recently renewed with AVG, which wasn't cheap, and that doesn't seem to do anything with this threat. It's driving me insane!

I want it gone now! :-(

#14 yellowdemon

Posted 11 May 2018 - 11:14 AM

We shut down this traffic yesterday through the firewall. The logs showed lots of activity to those IP addresses. One thing you may consider is a GPO that blocks STSVC.exe and TTTVC.exe from executing. It looks like it uses the System account to build the scheduled tasks. I saw in the history portion of scheduled tasks where it executed using the STSVC.exe file, ran it several times, then switched to using the TTTVC.exe from a user's appdata folder. After blocking it on the firewall, we haven't had any additional alerts on it.



#15 jasongalliuk

Posted 11 May 2018 - 11:21 AM

Hi there,

Wow, that's good news!

What firewalls are you using? We currently don't have any advanced hardware firewalls; we only have Windows Firewall. Do you think it would be possible to block it from there?

Something I've never really experimented with is blocking apps via GPO; going to have to do a little research to see how I can do this.

We are only a small business and still running SBS 2011 as our main DC, and then have two other servers, one running SQL and the other for remote access.

Cheers for your help with this!



