Description of Campaign
Trickbot is a modular information stealing malware with lateral movement and spam capabilities. This latest campaign is noteworthy because it is piggybacking on Emotet’s existing malspam distribution capabilities. The combination of a massive spam campaign and a nasty SMB lateral movement have made this campaign a potent threat.

How to use this article:

1. If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign. 
2. Review the product detection table and confirm that your environment is at least on the specified content version.
   To download the latest content versions, go to the Security Updates page.
3. Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
4. Review KB91836 - Countermeasures for entry vector threats.
5. Review KB87843 - Dynamic Application Containment rules and best practices.
6. Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

Campaign IOC

Type	Value
URL	http://www.rangtech.com/trei.elef
URL	http://sunsetrotarytn.org/trei.elef
ip-dst|port	139.59.44.233|443
ip-dst|port	179.189.241.254|449
ip-dst|port	138.204.132.88|449
ip-dst|port	85.119.150.122|443
ip-dst|port	177.107.51.162|449
ip-dst|port	89.223.93.12|443
ip-dst|port	177.124.37.208|449
ip-dst|port	185.237.204.230|443
ip-dst|port	187.93.145.74|449
ip-dst|port	85.143.221.164|443
ip-dst|port	177.36.5.7|449
ip-dst|port	119.92.23.203|449
ip-dst|port	201.184.69.50|449
ip-dst|port	190.64.67.98|449
ip-dst|port	103.87.80.66|449
Type	Value
ip-dst|port	36.89.225.199|449
ip-dst|port	36.66.115.180|449
ip-dst|port	103.122.33.58|449
ip-dst|port	185.255.79.113|443
ip-dst|port	96.36.253.146|449
ip-dst|port	195.123.237.123|443
ip-dst|port	68.111.123.100|449
ip-dst|port	68.119.85.138|449
ip-dst|port	180.250.197.188|449
ip-dst|port	182.16.167.78|449
ip-dst|port	202.72.210.158|449
ip-dst|port	66.172.100.138|449
ip-dst|port	47.224.36.228|449
ip-dst|port	82.202.212.221|443
ip-dst|port	47.27.175.168|449
ip-dst|port	104.139.74.25|449
ip-dst|port	97.87.160.98|449
ip-dst|port	75.114.58.49|449
ip-dst|port	186.46.6.186|449
ip-dst|port	103.217.216.42|449
ip-dst|port	190.144.15.214|449
ip-dst|port	117.197.126.58|449
Domain	adpnote.com
ip-dst	85.17.80.28
MD5	92a1c42ec74509a9adbf7fc75b883744

 
Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	9368
V3 DAT (Endpoint Security)	3819

 
Detection Summary

IOC	Scanner	Detection
92a1c42ec74509a9adbf7fc75b883744	AVEngine V2	Trojan-TrickBot
	AVEngine V3	Trojan-TrickBot
	JTI (ATP Rules)	239
	RP Static	-
	RP Dynamic	Real Protect-PSFL!

 
 
Minimum set of Manual Rules to improve protection to block this campaign

IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.

Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.
 
Endpoint Security - Advanced Threat Protection:  
Aggressive set of Manual Rules to improve protection to block this campaign

IMPORTANT: When you implement new rules or signatures, always first set them to Report mode before setting them to Block.

Mitigate against triggering false positives when enabling new rules and signatures by always following best practices. For best practices for Endpoint Security Dynamic Application Containment rules, see: KB87843 - Dynamic Application Containment rules and best practices.

Host Intrusion Prevention:  
Endpoint Security - Access Protection Custom Rules:  
Virusscan Enterprise - Access Protection Rules: