What’s the matter?
In previous campaigns, Trickbot relied on downloaders that used obfuscated Command Shell and, later, PowerShell commands to fetch their payloads. These PowerShell commands were triggered by VBA AutoOpen macros.
Who are the primary operators of Trickbot?
Trickbot is a modular trojan that is thought to be operated by at least three threat actors, tracked as TA505, Grim Spider and Wizard Spider.
How does Ostap spread?
Downloaders are a type of malware designed to retrieve and run payloads from one or more remote servers. Their simple function means that downloaders are rarely more than several hundred lines of code, even when obfuscated.
Ostap, however, is unusual among downloaders: it contains nearly 35,000 lines of obfuscated code, which helps it evade detection. The downloader is delivered as a Microsoft Word 2007 macro-enabled document (.DOCM) that carries the downloader's two components: a VBA macro and the JScript.
“The Ostap samples analyzed generated incomplete traces in two different public sandboxes and neither downloaded their respective TrickBot payloads. Moreover, a sample that was uploaded to VirusTotal had a low detection rate of 11% when it was first uploaded, suggesting that Ostap is effective at evading most antivirus engines,” said Bromium researchers in a blog post.
The emails are themed as purchase orders, suggesting that the campaigns are likely intended to target businesses rather than individuals.
What are the specialties of Ostap?
A notable aspect of Ostap is its anti-analysis measures. The JScript downloader displays a fake Windows Script Host runtime error shortly after the script starts running.
Researchers note that Ostap’s aggressive anti-analysis features and low detection rate compared to other downloaders make it an attractive choice for malware operators.