
Trik Trojan

Proofpoint released research on a decade-old botnet named Trik or Phorpiex and its expanding usage. Trik (not to be confused with Trickbot) is not a sophisticated or complex botnet, using IRC for Command and Control (C&C); however, its size and distribution capabilities make it very attractive to threat actors. Initially, Trik spread via Windows Live Messenger and removable USB storage. It later added Skype to its worming capabilities, but this appears to have stopped a few years ago, and Trik now propagates via removable storage media and email spam.

Recent activity shows Trik distributing popular malware such as GandCrab, Pushdo (which in turn downloads Cutwail), Pony, Trik updates and illegal coin miners. Despite being an older botnet and using outdated communication strategies, Trik remains a powerful botnet that is utilized by many threat actors to distribute malware to end users. A deep-dive technical report on Proofpoint’s website outlines its capabilities and its IRC communication.


Recommendations
  • Block all URL- and IP-based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices.
  • Use updated anti-virus and ensure your current vendor has coverage for this campaign.
  • Search for existing signs of the indicated IOCs in your environment and email systems.
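One way to act on the third recommendation, as an added example that is not part of the original post: refang the advisory's host[.]tld:port indicators and sweep connection logs for exact destination:port matches, flagging traffic to the botnet's IRC port towards unlisted hosts only as a weaker signal for review. The indicator values, log format and field names below are constructed placeholders, not the real IoCs or any vendor's log schema.

```python
import re

# Defanged indicators in the host[.]tld:port form used in the advisory above.
# These are CONSTRUCTED placeholders (RFC 5737 / RFC 2606 ranges), not the
# advisory's real indicators; substitute the published list when running this.
DEFANGED_IOCS = [
    "203.0.113[.]10:5050",
    "198.51.100[.]7:5050",
    "c2-example[.]invalid:5050",
]

# Constructed firewall-style connection records (one per line, made-up format).
SAMPLE_LOG = [
    "2018-06-12T10:01:02Z src=10.0.0.5 dst=203.0.113.10 dport=5050 proto=tcp",
    "2018-06-12T10:01:05Z src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp",
    "2018-06-12T10:02:11Z src=10.0.0.9 dst=C2-EXAMPLE.invalid dport=5050 proto=tcp",
    "2018-06-12T10:03:40Z src=10.0.0.7 dst=192.0.2.44 dport=5050 proto=tcp",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

def refang(ioc):
    """'host[.]tld:port' -> ('host.tld', port); host lower-cased for matching."""
    host, _, port = ioc.replace("[.]", ".").rpartition(":")
    return host.lower(), int(port)

def build_watchlist(iocs):
    return {refang(i) for i in iocs}

def find_c2_hits(log_lines, watchlist, c2_port=5050):
    """Return (exact, suspect): exact = destination:port on the watchlist;
    suspect = traffic to the IRC C&C port towards an unlisted host, which is
    only a weak signal (other services use 5050 too) and needs analyst review."""
    exact, suspect = [], []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable record: skip rather than abort the sweep
        key = (m.group("dst").lower(), int(m.group("dport")))
        if key in watchlist:
            exact.append((m.group("src"), key[0], key[1]))
        elif key[1] == c2_port:
            suspect.append((m.group("src"), key[0], key[1]))
    return exact, suspect

if __name__ == "__main__":
    hits, weak = find_c2_hits(SAMPLE_LOG, build_watchlist(DEFANGED_IOCS))
    for h in hits:
        print("C2 match:", h)
    for s in weak:
        print("review (port only):", s)
```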

Indicators of Compromise

Command and Control servers

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
