malware_traffic

2020-04-17: Trickbot gtag ono38 from password-protected XLS

Apr 17th, 2020
2020-04-17 - MALSPAM WITH PASSWORD-PROTECTED XLS ATTACHMENTS PUSHES TRICKBOT GTAG ONO38

EXAMPLES OF THE ATTACHMENTS:


NOTE:

- For the above files, the password is: apr17

URL FOR TRICKBOT EXE (GTAG ONO38) AFTER ENABLING XLS MACROS:

- hxxps://mitsui-jyuku[.]mixh[.]jp/uploads/rooky.php

TRICKBOT EXE (GTAG ONO38):


INFO FROM EMAIL EXAMPLE:

Received: from smtp.smtpout.orange.fr ([80.12.242.126]) by [removed] for [removed];
Fri, 17 Apr 2020 11:40:17 -0700
Received: from wwinf1u35 ([10.223.74.109])
by mwinf5d08 with ME
id TugB2200S2MUzoS03ugB7n; Fri, 17 Apr 2020 20:40:11 +0200
Reply-To: "Mark Baker" <bea.quentin@orange.fr>
From: "Mark Baker" <bea.quentin@orange.fr>
To: [removed]
Subject: Insurance 44452
Date: Fri, 17 Apr 2020 14:40:11 -0400
Message-ID: <297480736.20627.1587148811263.JavaMail.www@wwinf1u35>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0064_01D614D1.A86F11A0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFi8OW5P4UzPtlW779XdZkCzmMSMQ==

This is a multipart message in MIME format.

------=_NextPart_000_0064_01D614D1.A86F11A0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0065_01D614D1.A86F11A0"


------=_NextPart_001_0065_01D614D1.A86F11A0
Content-Type: text/plain;
charset="UTF-8"
Content-Transfer-Encoding: 7bit

See enclosed #44452/44452 valid certificate.


Current password: apr17



------=_NextPart_001_0065_01D614D1.A86F11A0
Content-Type: text/html;
boundary="----=_Part_20625_582389572.1587148811258";
charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div class style=3D"font-family:garamond, new york, times, =
serif;font-size:13px;"><div class=3D3D"" style=3D3D"line-height: 1.15;"> =
<span style=3D"font-family:'Verdana' , =
sans-serif;font-size:16px;font-weight:bold">See enclosed #44452/44452 =
valid certificate.<br> <p>Current password: <b>apr17</b> </div>
<br></div>
------=_NextPart_001_0065_01D614D1.A86F11A0--

------=_NextPart_000_0064_01D614D1.A86F11A0
Content-Type: application/octet-stream;
name="AMD_02_2624.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="AMD_02_2624.xls"
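Added here as a defender-side example, not part of the original paste: a Python script built on the standard email module that parses a constructed copy of the message above and flags the lure this campaign relies on, an Office attachment together with the password stated in the message body. The sample collapses the nested multipart/alternative section into one text part, omits the redacted headers, uses a made-up recipient address, and replaces the attachment bytes with a base64 placeholder.

```python
import email
import re
from email import policy
# Constructed sample from the headers/body quoted above: the multipart/alternative
# part is collapsed to one text part and the XLS bytes are a base64 placeholder.
SAMPLE_EML = """\
From: "Mark Baker" <bea.quentin@orange.fr>
To: recipient@example.invalid
Subject: Insurance 44452
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0064_01D614D1.A86F11A0"

------=_NextPart_000_0064_01D614D1.A86F11A0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit

See enclosed #44452/44452 valid certificate.

Current password: apr17

------=_NextPart_000_0064_01D614D1.A86F11A0
Content-Type: application/octet-stream; name="AMD_02_2624.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AMD_02_2624.xls"

UExBQ0VIT0xERVI=
------=_NextPart_000_0064_01D614D1.A86F11A0--
"""

# Matches "password: apr17" / "Password = apr17"; stops at whitespace or an HTML tag.
PASSWORD_RE = re.compile(r"\bpassword\b[^\S\r\n]*[:=]?[^\S\r\n]*([^\s<>]+)", re.I)
OFFICE_EXT = (".xls", ".xlsm", ".xlsb", ".doc", ".docm")


def triage(raw: str) -> dict:
    # Flag the lure used in this campaign: an Office attachment plus its password in the body.
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    match = PASSWORD_RE.search(body)
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append({"filename": name, "content_type": part.get_content_type(),
                            "office_doc": name.lower().endswith(OFFICE_EXT)})
    return {
        "subject": str(msg["subject"]),
        "password": match.group(1) if match else None,
        "attachments": attachments,
        "suspicious": match is not None and any(a["office_doc"] for a in attachments),
    }
```

The extracted password is what a sandbox or analyst needs to open the encrypted attachment, and the combined verdict is the condition worth alerting on rather than either signal alone.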